I’ve created an rke2 cluster running 1.33.4+rke2r1...
# rke2
a
I’ve created an rke2 cluster running 1.33.4+rke2r1 and the master came up without issue, but I’m unable to get the workers to join. The error is “Failed to validate connection to cluster at https://10.26.131.9:9345: failed to get CA cert”. Curling to the master cacerts also times out: curl -k --max-time 5 https://10.26.131.9:9345/cacerts. The only exception is I can curl to http://10.26.131.9:9345/cacerts.
h
Is this a Rancher-deployed cluster?
What happens when you curl from the master node itself (with https)?
c
Are you sure that you are actually getting a proper response from <http://10.26.131.9:9345/cacerts>? That should not work as it always uses TLS.
You should figure out why you cannot curl the server address using HTTPS
a
@hundreds-evening-84071 yes, it's a Rancher-deployed cluster. @creamy-pencil-82913 thanks for your statement about curling the server. That hunt for server:9345/cacert led to a discovery that the cert from admin and worker could not be exchanged due to an MTU issue, not on the server but on the physical network gateway hardware. It was set to 1500 even though the servers were set to 8950. Once the issue was resolved, worker nodes joined and we were able to validate calico cni. Appreciate the call out. Pinging the gateway of the masters and the cacert showed the packet drop: ping -M do -s 8950 ipaddress