in multi-cluster setup, probe services use the wrong port to check

[MichaelLi202112]

What is the issue?

We deployed linkerd multi-cluster setup to establish the communication between openshift and eks. in version 2025.4.4, it works fine. but after upgraded to 2025.7.6, when run "linkerd check" from eks side, it reports the following error.

× probe services able to communicate with all gateway mirrors
liveness checks failed for ocp-lab
see https://linkerd.io/2/checks/#l5d-multicluster-gateways-endpoints for hints

in the logs of controller-ocp-lab, we find the following logs. seems it's using our customized nodeport (30101) to access the probe service directly, which causes the issue. It should use 4191 instead to access the service.

2025-09-04T13:29:32.399464473Z [ 49.136945s] INFO ThreadId(01) outbound: linkerd_app_core::serve: Connection closed error=logical service probe-ocp-lab.linkerd-multicluster.svc.cluster.local:30101: route default.undefined-port: forbidden TCP route error.sources=[route default.undefined-port: forbidden TCP route, forbidden TCP route] client.addr=10.186.204.179:35146 server.addr=172.20.110.95:30101

setup backgroud:
When setup multi-cluster in openshift (on-prem, it doesn't support Loadbalancer service), we used NodePort service and specified the nodeports for gateway and probe.

How can it be reproduced?

setup multi-cluster in openshift on-prem, used NodePort service and specified the nodeports for gateway and probe. from the other side (eg. eks), it can reproduce the issue when run "linkerd check".

Logs, error output, etc

2025-09-04T13:29:32.399464473Z [ 49.136945s] INFO ThreadId(01) outbound: linkerd_app_core::serve: Connection closed error=logical service probe-ocp-lab.linkerd-multicluster.svc.cluster.local:30101: route default.undefined-port: forbidden TCP route error.sources=[route default.undefined-port: forbidden TCP route, forbidden TCP route] client.addr=10.186.204.179:35146 server.addr=172.20.110.95:30101

output of linkerd check -o short

× probe services able to communicate with all gateway mirrors
liveness checks failed for ocp-lab
see https://linkerd.io/2/checks/#l5d-multicluster-gateways-endpoints for hints

Environment

devtest

Possible solution

No response

Additional context

No response

Would you like to work on fixing this bug?

None

[tusharrrr1]

From the logs it looks like the probe is incorrectly targeting the custom NodePort (30101) instead of the admin/probe port (4191). I’ll investigate the multi-cluster controller logic and update it to correctly use the probe port in NodePort setups.

Please assign this issue to me.