Mutual TLS App Identity Verification Enabled Disables TCP Routing
Article ID: 298199

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

If you have mutual TLS app identity verification enabled, Envoy only accepts connections from the Gorouter, so TCP routing, which reaches the app container through the TCP router rather than the Gorouter, no longer works. This is currently true for versions 2.4.x, 2.5.x, 2.6.x, 2.7.x, 2.8.x, 2.9.x and 2.10.x.

If both TCP routing and mutual TLS app identity verification are enabled, the following symptoms can be observed:


Route-emitter logs on the Diego cells hosting the apps will contain the following error (the backend port of the TCP route mapping is reported as 0):

{"timestamp":"1599600865.183397293","source":"route-emitter","message":"route-emitter.tcp.unable-to-upsert","log_level":2,"data":{"error":"Cannot process request: Each tcp mapping requires a positive backend port. RouteMapping=[xxxxxxxx-xxxx-xxxx-xxx-xxxxxxxx:xxxx\u003c-\u003exxx.xxx.xxx.xxx:0]","session":"6"}} 

Running cf curl /v2/apps/guid/stats will return the host port set to zero for the running instances:

 "3": {
    "state": "RUNNING",
    "isolation_segment": null,
    "stats": {
       "name": "redacted",
       "uris": [
          "url.com",
          "url.com:port"
       ],
       "host": "redacted",
       "port": 0,
       "uptime": 24272,
       "mem_quota": 2147483648,
       "disk_quota": 536870912,
       "fds_quota": 16384,
       "usage": {
          "time": "2020-09-08T21:32:20+00:00",
          "cpu": 0.012387027596037232,
          "mem": 981846236,
          "disk": 220884992
       }
    }
 },
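Both symptoms above are machine-checkable. The following script is an added example written for this article, not VMware code, and it only inspects data you already have: it scans route-emitter log lines for the "unable-to-upsert" error whose backend port is 0, and walks the JSON returned by cf curl /v2/apps/<guid>/stats for RUNNING instances reporting "port": 0. The sample log lines and the sample stats document are constructed to mirror the article's output; the GUID, IP addresses and the healthy "route-emitter.tcp.upserted" message used for contrast are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample route-emitter log lines modelled on the article's error.
# Raw strings keep the \u003c-\u003e escape exactly as the log writes it;
# json.loads decodes it to "<->". The second and third lines are assumed
# healthy/unrelated entries added to show that they are filtered out.
SAMPLE_ROUTE_EMITTER_LOG = [
    r'{"timestamp":"1599600865.183397293","source":"route-emitter","message":"route-emitter.tcp.unable-to-upsert","log_level":2,"data":{"error":"Cannot process request: Each tcp mapping requires a positive backend port. RouteMapping=[aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb:1024\u003c-\u003e10.0.0.5:0]","session":"6"}}',
    r'{"timestamp":"1599600866.000000000","source":"route-emitter","message":"route-emitter.tcp.upserted","log_level":1,"data":{"session":"7"}}',
    'not a json line at all',
]

# Constructed sample of cf curl /v2/apps/<guid>/stats: one healthy instance,
# one instance showing the symptom, one instance that is not running.
SAMPLE_STATS = {
    "0": {"state": "RUNNING", "isolation_segment": None,
          "stats": {"name": "redacted", "host": "10.0.0.4", "port": 61001}},
    "3": {"state": "RUNNING", "isolation_segment": None,
          "stats": {"name": "redacted", "host": "10.0.0.5", "port": 0}},
    "5": {"state": "DOWN", "isolation_segment": None, "stats": None},
}

ROUTE_MAPPING_RE = re.compile(r"RouteMapping=\[(?P<mapping>[^\]]+)\]")
TCP_UPSERT_ERROR = "route-emitter.tcp.unable-to-upsert"


def find_zero_port_tcp_mappings(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return the route mappings the route-emitter refused because the
    backend (container) port was 0. Non-JSON and unrelated lines are skipped."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("source") != "route-emitter" or entry.get("message") != TCP_UPSERT_ERROR:
            continue
        error = (entry.get("data") or {}).get("error", "")
        match = ROUTE_MAPPING_RE.search(error)
        if not match or "<->" not in match.group("mapping"):
            continue
        # Mapping format is "<router group guid>:<external port><-><backend host>:<backend port>".
        frontend, backend = match.group("mapping").split("<->", 1)
        backend_host, _, backend_port = backend.rpartition(":")
        if backend_port == "0":
            findings.append({
                "timestamp": entry.get("timestamp", ""),
                "frontend": frontend,
                "backend_host": backend_host,
                "session": (entry.get("data") or {}).get("session", ""),
            })
    return findings


def running_instances_with_zero_port(stats: Dict[str, dict]) -> List[int]:
    """Return the indices of RUNNING instances whose reported host port is 0."""
    affected = []
    for index, instance in stats.items():
        if instance.get("state") != "RUNNING":
            continue
        if (instance.get("stats") or {}).get("port") == 0:
            affected.append(int(index))
    return sorted(affected)


def symptoms_present(log_lines: List[str], stats: Dict[str, dict]) -> bool:
    """True when either symptom from the article is visible in the inputs."""
    return bool(find_zero_port_tcp_mappings(log_lines)) or bool(running_instances_with_zero_port(stats))


if __name__ == "__main__":
    for finding in find_zero_port_tcp_mappings(SAMPLE_ROUTE_EMITTER_LOG):
        print("route-emitter refused TCP mapping %s -> %s:0 at %s (session %s)"
              % (finding["frontend"], finding["backend_host"], finding["timestamp"], finding["session"]))
    for index in running_instances_with_zero_port(SAMPLE_STATS):
        print("instance %d is RUNNING but reports port 0" % index)
    if symptoms_present(SAMPLE_ROUTE_EMITTER_LOG, SAMPLE_STATS):
        print("check whether mutual TLS app identity verification is enabled alongside TCP routing")
```

To use it against a real foundation, feed the route-emitter log file to find_zero_port_tcp_mappings and the parsed output of cf curl /v2/apps/<guid>/stats to running_instances_with_zero_port; a hit on either is the signal described in this article, not proof of the cause, so confirm the App Containers setting before changing it.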


Environment

Product Version: 2.10

Resolution

Within Ops Manager, under the Application Service tile -> App Containers, de-select "The Gorouter and apps use mutual TLS to verify each other's identity" and select "The Gorouter uses TLS to verify app identity", so that the Gorouter still verifies the app's identity over TLS while TCP routing continues to work. Then apply changes.

Please be aware that all Diego cells will be recreated following this change.