diff --git a/lib/multiplexer/multiplexer.go b/lib/multiplexer/multiplexer.go
index 1efe642823f9b..d6cd0533df4d6 100644
--- a/lib/multiplexer/multiplexer.go
+++ b/lib/multiplexer/multiplexer.go
@@ -500,13 +500,6 @@ func (m *Mux) detect(conn net.Conn) (*Conn, error) {
 }).Warnf("%s - could not get host CA", invalidProxySignatureError)
 continue
 }
- if errors.Is(err, ErrNonLocalCluster) {
- m.WithFields(log.Fields{
- "src_addr": conn.RemoteAddr(),
- "dst_addr": conn.LocalAddr(),
- }).Debugf("%s - signed by non local cluster", invalidProxySignatureError)
- continue
- }
 if err != nil {
 return nil, trace.Wrap(err, "%s %s -> %s", invalidProxySignatureError, conn.RemoteAddr(), conn.LocalAddr())
 }
diff --git a/lib/multiplexer/multiplexer_test.go b/lib/multiplexer/multiplexer_test.go
index 746485bdaa764..fe5fe2852ccda 100644
--- a/lib/multiplexer/multiplexer_test.go
+++ b/lib/multiplexer/multiplexer_test.go
@@ -784,13 +784,13 @@ func TestMux(t *testing.T) {
 // If listener for IPv6 will fail to be created we'll skip IPv6 portion of test.
 listener6, _ := net.Listen("tcp6", "[::1]:0")
 
- startServing := func(muxListener net.Listener) (*Mux, *httptest.Server) {
+ startServing := func(muxListener net.Listener, cluster string) (*Mux, *httptest.Server) {
 mux, err := New(Config{
 Listener: muxListener,
 PROXYProtocolMode: PROXYProtocolUnspecified,
 CertAuthorityGetter: casGetter,
 Clock: clockwork.NewFakeClockAt(time.Now()),
- LocalClusterName: clusterName,
+ LocalClusterName: cluster,
 })
 require.NoError(t, err)
 
@@ -812,14 +812,14 @@ func TestMux(t *testing.T) {
 return mux, backend
 }
 
- mux4, backend4 := startServing(listener4)
+ mux4, backend4 := startServing(listener4, clusterName)
 defer mux4.Close()
 defer backend4.Close()
 
 var backend6 *httptest.Server
 var mux6 *Mux
 if listener6 != nil {
- mux6, backend6 = startServing(listener6)
+ mux6, backend6 = startServing(listener6, clusterName)
 defer mux6.Close()
 defer backend6.Close()
 }
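Review bot: Dropping the ErrNonLocalCluster branch turns a PROXY header signed by another cluster from a silently skipped header into a rejected connection via the `if err != nil` wrap that follows, and nothing in the hunk records that this fail-closed behaviour is intended; a comment above the remaining check, `// A PROXY header signed by a non-local cluster is an invalid signature and rejects the connection rather than being ignored.`, would keep the next reader from reintroducing the skip. The preceding branch, whose condition lies outside the hunk, still warns and `continue`s when the host CA cannot be fetched; if that path lets the connection proceed with the signed header unverified, it is now inconsistent with the fail-closed treatment here and deserves the same scrutiny. Provided trace.Wrap preserves the cause as it does elsewhere in this codebase, callers can still tell the case apart with errors.Is(err, ErrNonLocalCluster), but the debug-level src_addr/dst_addr log is gone, so operators now only see it through the returned error. detect's body continues outside the hunk on both sides.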
@@ -1013,6 +1013,32 @@ func TestMux(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, addr1.IP.String()+":0", out)
 })
+ t.Run("PROXY header signed by non local cluster get an error", func(t *testing.T) {
+ listener, err := net.Listen("tcp", "127.0.0.1:")
+ require.NoError(t, err)
+
+ // start multiplexer with wrong cluster name specified
+ mux, backend := startServing(listener, "different-cluster")
+ t.Cleanup(func() {
+ require.NoError(t, mux.Close())
+ backend.Close()
+ })
+
+ conn, err := net.Dial("tcp", listener.Addr().String())
+ require.NoError(t, err)
+ defer conn.Close()
+
+ signedHeader, err := signPROXYHeader(&addr1, &addr2, clusterName, tlsProxyCert, jwtSigner)
+ require.NoError(t, err)
+
+ _, err = conn.Write(signedHeader)
+ require.NoError(t, err)
+
+ clt := tls.Client(conn, clientConfig(backend))
+
+ _, err = utils.RoundtripWithConn(clt)
+ require.Error(t, err)
+ })
 })
 }
 
diff --git a/lib/service/service.go b/lib/service/service.go
index 0260ef732dd9d..78921c8f0d265 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -1950,7 +1950,7 @@ func (process *TeleportProcess) initAuthService() error {
 Listener: listener,
 ID: teleport.Component(process.id),
 CertAuthorityGetter: muxCAGetter,
- LocalClusterName: clusterName,
+ LocalClusterName: connector.ServerIdentity.ClusterName,
 })
 if err != nil {
 listener.Close()
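Review bot: The new subtest pins the rejection only with `require.Error(t, err)` on the roundtrip, so any client-side failure — a TLS handshake problem unrelated to the PROXY header, for instance — would also pass; asserting on what the multiplexer is meant to do, for example that the backend never served a request if its handler can record that, or that the connection is closed before the TLS client exchanges any application data, would make the test fail for the right reason only. The subtest also mixes `t.Cleanup` for mux and backend with `defer conn.Close()`; registering conn in the same t.Cleanup keeps teardown in one place. The name reads better as `"PROXY header signed by non local cluster gets an error"`. TestMux begins outside the hunk.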
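Review bot: The switch from `clusterName` to `connector.ServerIdentity.ClusterName` is not explained in the hunk, and because the multiplexer now rejects PROXY headers whose signature does not match LocalClusterName, taking the name from the wrong source here would break signed PROXY traffic outright instead of merely logging it; a comment such as `// Take the cluster name from the server identity so that PROXY header signature checks agree with the CA the auth service actually holds.` would record the reason, assuming that is the intent. Whether `connector.ServerIdentity` can be nil at this point is not visible in the hunk and is worth confirming, since the field is dereferenced unconditionally. initAuthService continues outside the hunk on both sides.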