Commit ad108b6

mike edits
1 parent 606464d commit ad108b6

1 file changed

+15
-6
lines changed

src/content/docs/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access.mdx

Lines changed: 15 additions & 6 deletions
@@ -207,15 +207,19 @@ A user may be blocked by an Access policy from reaching an SSH target because:
207207

208208
You were guided to create an Access policy for your SSH target in [substep 9 of step 5: Add an infrastructure application](#5-add-an-infrastructure-application).
209209

210+
#### End users
211+
210212
As an end user, run [`warp-cli target list`](/cloudflare-one/applications/non-http/infrastructure-apps/#display-available-targets) to verify that you have access to the target machine.
211213

212214
<Render file="tunnel/warp-cli-target-list" product="cloudflare-one" />
213215

214-
- If the target appears in the list, confirm that the username you are attempting to connect with is shown in the output. If the username is not shown, you must go to the Access policy associated with the target machine and add that user to the Access policy. If the username is shown,
216+
- If the target appears in the list, confirm that the username you are attempting to connect with is shown in the output. If the username is not shown, you must go to the Access policy associated with the target machine and add that user to the Access policy. If the username is shown, that means the Access policy should be granting access and you should ensure that the Tunnel is healthy in [step 2](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#2-check-target-machine-connection).
215217

216218
- If the target does not appear in the list, your Access policies concerning the target machine must be audited for potential misconfigurations that may be blocking access.
217219

218-
To review if an Access policy is causing connection issues:
220+
#### Administrators
221+
222+
As an admin, instead of running `warp-cli target list`, you can use the Access logs to review if an Access policy is causing connection issues. This useful when troubleshooting connection issues on behalf of the end user.
219223

220224
:::note
221225

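Review bot: The first bullet under the new `#### End users` heading still tells the reader "you must go to the Access policy associated with the target machine and add that user to the Access policy", which is an administrator action and reads oddly now that the section is scoped to end users. Consider rewording it so the end user is told to ask their administrator to update the policy, and keep the policy edit itself under `#### Administrators`. Two smaller points in the added lines: "This useful when troubleshooting" is missing "is", and the new `[step 2]` link uses the full page path while the context line above links to the same page with a bare anchor (`#5-add-an-infrastructure-application`); using the bare `#2-check-target-machine-connection` anchor would match.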
@@ -229,6 +233,8 @@ You will need Cloudflare dashboard access and log view [permissions](/cloudflare
229233

230234
3. Review the **Decision**. If the **Decision** is `Access denied`, select the application and copy the name under App.
231235

236+
If the decision is `Access granted`, this mean your connection issue is with the Cloudflare Tunnel, SSH server, or the `sshd_config` file and Access policies are not interfering with your connection attempts.
237+
232238
4. Go to **Access** > **Applications**.
233239

234240
5. Input the app name in the search bar and select the application.
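Review bot: The added `Access granted` paragraph sits unindented between steps 3 and 4, so it splits the numbered list and leaves steps 4 onward reading as if they also apply when access was granted. Indent it under step 3 so it stays part of that list item, and say explicitly that the remaining steps are only for the `Access denied` case. Also "this mean" should be "this means", and "decision" should be written as **Decision** to match step 3.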
@@ -256,11 +262,14 @@ To check the status of your Tunnel:
256262
4. Go to **Networks** > **Tunnels** and search by your Tunnel name.
257263
5. Review that the [Tunnel status](/cloudflare-one/connections/connect-networks/monitor-tunnels/notifications/#available-notifications) says Active, and not Down, Degraded, or Inactive.
258264

259-
If the status of your Tunnel is Inactive, you must install and run the Tunnel on your server as described in [step 1: Connect the server to Cloudflare](#1-connect-the-server-to-cloudflare).
260-
261-
If the status of your Tunnel is Down, the server could be turned off or the server was connected to Cloudflare at one point but is now no longer connected. This could be due to various changes on the server side, like firewall configuration, load balancer interference, or other network devices blocking `cloudflared` connections.
265+
| Status | Meaning | Recommended Action |
266+
|-----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
267+
| **Healthy** | The `cloudflared` process is running and maintaining the expected number of resilient connections to Cloudflare's edge network. | No action is required. Your Tunnel is running correctly. |
268+
| **Inactive** | The Tunnel has been created (via the API or dashboard) but the `cloudflared` connector has never been run to establish a connection. | Run the Tunnel as a service or using the `clouflared tunnel run` command on your origin server to connect the Tunnel to Cloudflare. Refer to substep 6 of step 1 in the [Create a Tunnel dashboard guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel) or step 4 in the [Create a Tunnel API guide](/cloudflare-one/connections/connect-networks/get-started/create-remote-tunnel/#1-create-a-tunnel). |
269+
| **Down** | The Tunnel was previously connected but is currently disconnected because the `cloudflared` process has stopped. | 1. Ensure the `cloudflared` service or process is actively running on your server. <br /> 2. Check for server-side issues, such as the machine being powered off, an application crash, or recent network changes. |
270+
| **Degraded** | The `cloudflared` connector is running but has fewer than the expected number of connections (it is connected to a single Cloudflare data center). | 1. Review your `cloudflared` logs for connection failures or error messages. <br /> 2. Investigate local network and firewall rules to ensure they are not blocking connections to other Cloudflare IP ranges. |
262271

263-
Refer to the [Tunnel with Firewall](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#test-connectivity) or [Troubleshooting Tunnel documentation](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/) for more information.
272+
For detailed steps on troubleshooting, refer to the [Troubleshooting Tunnel documentation](/cloudflare-one/connections/connect-networks/troubleshoot-tunnels/). Review the [Tunnel with Firewall documentation](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#test-connectivity) to ensure your network is correctly configured to allow `cloudflared` connections.
264273

265274
After you have vertified that there are no issues with your Tunnel's health, continue to verifying the user's existence on the target SSH server.
266275

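Review bot: The Inactive row spells the command `clouflared tunnel run`; it should be `cloudflared tunnel run`, since readers will copy it. In the same row, the "Create a Tunnel dashboard guide" and "Create a Tunnel API guide" links both point to `/create-remote-tunnel/#1-create-a-tunnel`, so one of the two targets looks wrong. The table's first status is **Healthy**, while the unchanged step 5 above says the status should read "Active"; use one name in both places. Finally, the Down row attributes the state only to the `cloudflared` process having stopped, which drops the firewall, load balancer and other network device causes that the removed paragraph listed; consider keeping them in the Recommended Action column. The unchanged line after the table also has "vertified", which could be fixed in the same pass.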