TCP router working but throwing errors: connection reset by peer / use of closed network connection

Hi, I would like to configure Traefik to be the TCP router in front of transmission on port 51413/tcp. Transmission seems to be fully working, the torrents are able to be downloaded and also uploaded, but my logs are filling with error messages. Should I be concerned, or just ignore the messages?

Logs

2024-08-21T11:31:27-06:00 ERR github.com/traefik/traefik/v3/pkg/tcp/proxy.go:75 > Error while handling TCP connection error="writeto tcp 192.168.99.254:46742->192.168.99.14:51413: read tcp 192.168.99.254:46742->192.168.99.14:51413: read: connection reset by peer"
2024-08-21T11:31:27-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:104 > Error while terminating TCP connection error="close tcp 192.168.99.254:46742->192.168.99.14:51413: use of closed network connection"
2024-08-21T11:31:27-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=192.168.99.14:51413 remoteAddr=41.165.16.146:38085
2024-08-21T11:31:27-06:00 DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:196 > Service selected by WRR: b08a943dfd7adcad

I can confirm the tcp router is receiving connections:

$ curl -s http://127.1:8080/metrics | grep tcp-transmission
traefik_open_connections{entrypoint="tcp-transmission",protocol="TCP"} 25

I can make the errors stop by removing the port definition on the traefik container to no longer publish 51413, but then no more connections are received by the tcp router:

$ curl -s http://127.1:8080/metrics | grep tcp-transmission
traefik_open_connections{entrypoint="tcp-transmission",protocol="TCP"} 0

The hosts are:

  • traefik: 192.168.99.254
  • transmission: 192.168.99.14

Configuration (abbreviated)

services:
  traefik:
    command:
      - --entrypoints.tcp-transmission.address=:51413
    ports:
      - target: 51413
        published: 51413
        mode: host

  transmission:
    ports:
      - "9091:9091"
      - "51414:51413/tcp"
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.tcp-transmission-rtr.entrypoints=tcp-transmission"
      - "traefik.tcp.routers.tcp-transmission-rtr.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.tcp-transmission-rtr.service=tcp-transmission-svc"
      - "traefik.tcp.services.tcp-transmission-svc.loadbalancer.server.port=51413"

Share your full Traefik static and dynamic config.

Hi @gravis,

I stumbled upon the exact same problem and I'd like to know if by any chance you have found a resolution or at least an explanation.

I'm trying to expose a PostgreSQL service using Traefik with the following configuration:

ports:
  postgres-rw:
    expose:
      default: true
    port: 5432
    exposedPort: 5432
    protocol: TCP
    proxyProtocol:
      insecure: true
  postgres-ro:
    expose:
      default: true
    port: 5433
    exposedPort: 5433
    protocol: TCP
    proxyProtocol:
      insecure: true
service:
  annotations:
    service.beta.kubernetes.io/ovh-loadbalancer-proxy-protocol: "v2"

Those are the values I use to override the default Traefik chart (v28.3.0).

As you can see, I need to enable proxy_protocol in order to whitelist access to the service based on client IP.
It may also be important to mention that I'm using OVH (French cloud provider) Managed Kubernetes Service.

apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
  name: ipallowlist
spec:
  ipAllowList:
    sourceRange:
      - 10.0.0.0/8
      - "MY IP"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: {{ .Release.Name }}-postgres-ingress-rw
spec:
  entryPoints:
    - postgres-rw
  routes:
    - match: HostSNI(`*`)
      services:
        - name: {{ .Release.Name }}-postgres-cluster-rw
          port: 5432
      middlewares:
        - name: ipallowlist
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: {{ .Release.Name }}-postgres-ingress-ro
spec:
  entryPoints:
    - postgres-ro
  routes:
    - match: HostSNI(`*`)
      services:
        - name: {{ .Release.Name }}-postgres-cluster-ro
          port: 5432
      middlewares:
        - name: ipallowlist

And these are the IngressRouteTCP that I am using.

This is actually working and I can only access the exposed service with the correct IP.

But like you, I keep having these weird logs inside my Traefik pods:

2025-01-16T13:51:10Z ERR Error while handling TCP connection error="readfrom tcp 10.2.1.69:41824->10.2.0.37:5432: read tcp 10.2.1.69:5433->10.2.0.0:25309: read: connection reset by peer"
2025-01-16T13:51:10Z ERR Error while handling TCP connection error="readfrom tcp 10.2.1.69:58198->10.2.2.57:5432: read tcp 10.2.1.69:5433->10.2.2.0:27118: read: connection reset by peer"

From the psql CLI, it seems to be the internal IP used by Traefik to forward traffic, because the pg_stat_activity table links this IP to my DBeaver or the tool I'm using to access the DB externally.

Sorry to dig up this one-year-old thread, but the issue seems to be the same for me.
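An added example, not part of any post in this thread: a small triage script that reads the error lines quoted above and reports which side of the proxy each failure came from. It relies on Go's network error format (`<op> tcp <local>-><remote>: <cause>`), where the innermost operation names the connection that actually failed; `classify`, `summarize` and `ENTRYPOINT_PORTS` are hypothetical names, and the port set is taken from the two posted configurations.

```python
import re
from collections import Counter

# Lines copied from the two posts above (three with error=, one without).
SAMPLE_LINES = [
    '2024-08-21T11:31:27-06:00 ERR github.com/traefik/traefik/v3/pkg/tcp/proxy.go:75 > Error while handling TCP connection error="writeto tcp 192.168.99.254:46742->192.168.99.14:51413: read tcp 192.168.99.254:46742->192.168.99.14:51413: read: connection reset by peer"',
    '2024-08-21T11:31:27-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:104 > Error while terminating TCP connection error="close tcp 192.168.99.254:46742->192.168.99.14:51413: use of closed network connection"',
    '2024-08-21T11:31:27-06:00 DBG github.com/traefik/traefik/v3/pkg/tcp/proxy.go:41 > Handling TCP connection address=192.168.99.14:51413 remoteAddr=41.165.16.146:38085',
    '2025-01-16T13:51:10Z ERR Error while handling TCP connection error="readfrom tcp 10.2.1.69:41824->10.2.0.37:5432: read tcp 10.2.1.69:5433->10.2.0.0:25309: read: connection reset by peer"',
]

# Assumption: the ports Traefik listens on, taken from the posted configs.
ENTRYPOINT_PORTS = {51413, 5432, 5433}

ERR_RE = re.compile(r'error="(?P<err>[^"]*)"')
# One "<op> tcp <local ip>:<port>-><remote ip>:<port>" element of the error chain.
OP_RE = re.compile(
    r'(?P<op>\w+) tcp (?P<lip>[\d.]+):(?P<lport>\d+)->(?P<rip>[\d.]+):(?P<rport>\d+)'
)

def classify(line, entrypoint_ports=ENTRYPOINT_PORTS):
    """Return op, reason, side and peer for one log line, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    err = m.group("err")
    ops = list(OP_RE.finditer(err))
    if not ops:
        return None
    inner = ops[-1]  # innermost operation: the call that actually failed
    # Heuristic: a local port equal to an entry point port means the failing
    # connection is the client-facing one; otherwise it is the backend one.
    side = "client" if int(inner["lport"]) in entrypoint_ports else "backend"
    return {"op": inner["op"], "reason": err.rsplit(": ", 1)[-1],
            "side": side, "peer": f'{inner["rip"]}:{inner["rport"]}'}

def summarize(lines, entrypoint_ports=ENTRYPOINT_PORTS):
    """Count failures per (side, reason, peer IP)."""
    tally = Counter()
    for line in lines:
        info = classify(line, entrypoint_ports)
        if info:
            peer_ip = info["peer"].rsplit(":", 1)[0]
            tally[(info["side"], info["reason"], peer_ip)] += 1
    return tally

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LINES).items():
        print(count, *key)
```
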

Exactly the same issue I have with Traefik, but I'm using Kubernetes and Transmission has a headless service.

"Connection reset by peer" is usually a TLS issue. Either you connect without TLS to a TLS port or vice versa.

"Use of closed network connection" sometimes appears when Traefik container is shut down, so not an issue.