404 on TCP route

Hi,

we are trying to expose the TCP interface of a service with Traefik. However, traefik always returns a "404 not found" message when the TCP endpoint is called. We try to route all traffic to a specific port (traefik entrypoint) to a specific service in our backend.

This is the definition of our IngressRouteTCP:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: 31672-tcp
    traefik.ingress.kubernetes.io/router.tls: "true"
  labels:
  name: traefik-ingress-routes-0
  namespace: dt-dev
spec:
  entryPoints:
  - 31672-tcp
  routes:
  - match: HostSNI(`*`)
    services:
    - name: our-service-0
      namespace: dt-dev
      port: 8445
  tls:
    passthrough: true
    secretName: tls-secret

Looking at the traefik dashboard, both the TCP router and the according TCP services are marked as healthy.


However, I cannot reach the service as expected and always receive a "404 not found" sent by traefik when calling the appropriate port (31672) of traefik (tested against our domain and with port-forwarding to exclude issues with the load balancer).

In addition, I could not find any problems looking at the debug logs:

time="2021-06-21T09:30:56Z" level=debug msg="Adding route for our-domain.de with TLS options default" entryPointName=31672-tcp
time="2021-06-21T09:30:56Z" level=debug msg="Creating TCP server 0 at 10.200.0.31:8445" serviceName=dt-dev-traefik-ingress-routes-0-673acf455cb2dab0b43a serverName=0 entryPointName=31672-tcp routerName=dt-dev-traefik-ingress-routes-0-67
time="2021-06-21T09:30:56Z" level=debug msg="Adding route * on TCP" routerName=dt-dev-traefik-ingress-routes-0-673acf455cb2dab0b43a@kubernetescrd entryPointName=31672-tcp

I am running out of ideas how to find the cause of the issue. Does someone know what might be the cause of the 404 message and why the request is not forwarded to my service?

Thanks

Jan

Hello @jealous-squirrel,

Thanks for your interest in Traefik!

You don't need to provide a secret name when a TCP router is configured to passthrough, since the TLS termination would happen on the service side.
The annotations are not meant to be used with the IngressRoute provider; they are only for Ingress resources.
A 404 not found is an HTTP response code, so it has nothing to do with TCP.
Do you have HTTP routers configured?
Can you provide the full debug logs showing the request handled by Traefik?

Hello @rtribotte,

Thanks for the quick response! I am also thankful for the explanations regarding the wrong usage of annotations in combination with the IngressRoute provider, although this is unrelated to the problem.

> Do you have HTTP routers configured?

Good guess! I found a few HTTP routers in our system which did not have a specific entrypoint (websecure) set, so they were applied to all entrypoints including the TCP entrypoint. After limiting these routers to specific entrypoints, no more HTTP router applied to the TCP entrypoint and the TCP traffic is forwarded to the backend as expected.

Thanks again and have a great day!

Jan
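
The cause found in this thread was HTTP routers with no entry point set, which then also served the TCP entry point. As an added example (not code from the thread or from Traefik), this script lists the HTTP IngressRoutes that end up on an entry point used by an IngressRouteTCP; the sample input and the route names `legacy-ui` and `api` are constructed.

```python
import json

# Constructed sample in the shape of
# `kubectl get ingressroute,ingressroutetcp -A -o json`.
# The TCP route mirrors the one in the thread; the two HTTP routes
# ("legacy-ui", "api") are hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"kind": "IngressRouteTCP",
   "metadata": {"name": "traefik-ingress-routes-0", "namespace": "dt-dev"},
   "spec": {"entryPoints": ["31672-tcp"]}},
  {"kind": "IngressRoute",
   "metadata": {"name": "legacy-ui", "namespace": "dt-dev"},
   "spec": {"routes": []}},
  {"kind": "IngressRoute",
   "metadata": {"name": "api", "namespace": "dt-dev"},
   "spec": {"entryPoints": ["websecure"], "routes": []}}
]}
""")


def router_id(item):
    meta = item["metadata"]
    return f'{meta.get("namespace", "default")}/{meta["name"]}'


def http_routers_on_tcp_entrypoints(items):
    """Map each entry point named by an IngressRouteTCP to the HTTP
    IngressRoutes that are also served on it."""
    overlap = {}
    for item in items:
        if item["kind"] == "IngressRouteTCP":
            for ep in item["spec"].get("entryPoints") or []:
                overlap.setdefault(ep, [])
    for item in items:
        if item["kind"] != "IngressRoute":
            continue
        eps = item["spec"].get("entryPoints") or []
        for ep, hits in overlap.items():
            if not eps:
                # No entryPoints: the router attaches to every entry point.
                hits.append((router_id(item), "no entryPoints set"))
            elif ep in eps:
                hits.append((router_id(item), "explicitly bound"))
    return overlap


if __name__ == "__main__":
    for ep, hits in http_routers_on_tcp_entrypoints(SAMPLE["items"]).items():
        for name, reason in hits:
            print(f"{ep}: HTTP router {name} ({reason})")
```

An empty list for an entry point means no HTTP IngressRoute shares it with the TCP route.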