diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go
index a370dec371..6720e5b97d 100644
--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@@ -2,7 +2,6 @@ package proxycfg
import ( "context" - "github.com/hashicorp/consul/agent/structs" "github.com/mitchellh/copystructure" )
diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go
index 573a410604..cb8414ac86 100644
--- a/agent/xds/listeners.go
+++ b/agent/xds/listeners.go
@@ -591,6 +591,20 @@ func (s *Server) makeTerminatingGatewayListener(name, addr string, port int, cfg
 err = injectConnectFilters(cfgSnap, token, l, false)
+ // This fallback catch-all filter ensures a listener will be present for health checks to pass
+ // Envoy will reset these connections since known endpoints are caught by filter chain matches above
+ tcpProxy, err := makeTCPProxyFilter(name, "", "terminating_gateway_")
+ if err != nil {
+ return nil, err
+ }
+ fallback := envoylistener.FilterChain{
+ Filters: []envoylistener.Filter{
+ {Name: "envoy.filters.network.sni_cluster"},
+ tcpProxy,
+ },
+ }
+ l.FilterChains = append(l.FilterChains, fallback)
+
 return l, nil
 }
diff --git a/agent/xds/server.go b/agent/xds/server.go
index 2cd84631c3..e51a30a513 100644
--- a/agent/xds/server.go
+++ b/agent/xds/server.go
@@ -219,8 +219,8 @@ func (s *Server) process(stream ADSStream, reqCh <-chan *envoy.DiscoveryRequest)
 resources: s.clustersFromSnapshot,
 stream: stream,
 allowEmptyFn: func(cfgSnap *proxycfg.ConfigSnapshot) bool {
- // Mesh gateways are allowed to inform CDS of no clusters.
- return cfgSnap.Kind == structs.ServiceKindMeshGateway
+ // Mesh and Terminating gateways are allowed to inform CDS of no clusters.
+ return cfgSnap.Kind == structs.ServiceKindMeshGateway || cfgSnap.Kind == structs.ServiceKindTerminatingGateway
 },
 },
 RouteType: {
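Review bot: The error assigned by `err = injectConnectFilters(cfgSnap, token, l, false)` is never checked, and the added `tcpProxy, err := makeTCPProxyFilter(...)` replaces it before anything reads it, so a failure to inject the Connect filters is silently dropped and the listener is still returned. Going by its name, that call attaches the Connect TLS/authorization filters to the existing chains, so the current code fails open; add `if err != nil { return nil, err }` directly after it. Separately, the fallback chain is appended after that call and so presumably carries none of those filters: it relies entirely on no cluster resolving for an unmatched SNI, which deserves a comment stating that assumption and a test that pins it. The function body starts outside the hunk.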
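Review bot: The comment on `allowEmptyFn` in agent/xds/server.go says which kinds may send an empty CDS response but not why, and the reason is what a later reader needs; something like `// A terminating gateway with no linked services legitimately has zero clusters, so an empty CDS response must still be sent.` would do, with the wording to be confirmed by the author. It is not visible here whether `clustersFromSnapshot` can also come back empty for a terminating gateway whose snapshot is only partly populated; if it can, this change pushes an empty cluster set to Envoy instead of holding the previous one. As the list of kinds grows, a `switch cfgSnap.Kind` would read better than the chained `||`. The enclosing `process` function starts and ends outside the hunk.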