diff --git a/package-lock.json b/package-lock.json index 72d1c7bf3f67c84..bb7217642503c9e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -121,7 +121,7 @@ "wrangler": "4.58.0" }, "engines": { - "node": "22.x", + "node": "^22.12.0", "npm": "10.x" } }, diff --git a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx index 126790839083326..c5097a0c6bf92de 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx @@ -39,7 +39,7 @@ The integration of Access as a single sign-on provider for your Google Workspace :::caution -When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](/cloudflare-one/faq/troubleshooting/#after-putting-google-workspace-behind-access-i-cant-log-in-it-keeps-redirecting-between-access-and-google-without-ever-completing-authentication), you must configure a different identity provider (not Google or Google Workspace) for authentication. +When you put your Google Workspace behind Access, users will not be able to log in using [Google](/cloudflare-one/integrations/identity-providers/google/) or [Google Workspace](/cloudflare-one/integrations/identity-providers/google-workspace/) as an identity provider. To secure Google Workspace behind Access and avoid an [authentication loop](/cloudflare-one/access-controls/troubleshooting/#google-workspace-redirect-loop), you must configure a different identity provider (not Google or Google Workspace) for authentication. ::: 5. [Create an Access policy](/cloudflare-one/access-controls/policies/) for your application. For example, you could allow users with an `@your_domain.com` email address. diff --git a/src/content/docs/cloudflare-one/access-controls/index.mdx b/src/content/docs/cloudflare-one/access-controls/index.mdx index 2d24d5b924dac2a..73653caf5cd4581 100644 --- a/src/content/docs/cloudflare-one/access-controls/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/index.mdx @@ -11,4 +11,8 @@ Learn how to secure your self-hosted and SaaS applications with Zero Trust polic +## Troubleshooting + +For help resolving common issues with Cloudflare Access, refer to [Troubleshoot Access](/cloudflare-one/access-controls/troubleshooting/). + Refer to our [reference architecture](/reference-architecture/architectures/sase/) for an understanding on how to architect a Zero Trust and SASE solution. diff --git a/src/content/docs/cloudflare-one/access-controls/troubleshooting.mdx b/src/content/docs/cloudflare-one/access-controls/troubleshooting.mdx new file mode 100644 index 000000000000000..7720aa5dd72ae05 --- /dev/null +++ b/src/content/docs/cloudflare-one/access-controls/troubleshooting.mdx @@ -0,0 +1,17 @@ +--- +title: Troubleshoot Access +pcx_content_type: troubleshooting +sidebar: + order: 11 +description: Resolve common issues with Cloudflare Access, including authentication loops, CORS errors, and identity provider integration problems. +--- + +import { Render } from "~/components"; + + + +--- + +## How to contact Support + +If you cannot resolve the issue, [open a support case](/support/contacting-cloudflare-support/). Please provide a [HAR file](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the error and the **Ray ID** if an error page is displayed. diff --git a/src/content/docs/cloudflare-one/changelog/gateway.mdx b/src/content/docs/cloudflare-one/changelog/gateway.mdx index b53bdf583218592..8905957cc86ce49 100644 --- a/src/content/docs/cloudflare-one/changelog/gateway.mdx +++ b/src/content/docs/cloudflare-one/changelog/gateway.mdx @@ -23,7 +23,7 @@ Gateway and DLP users can now create HTTP policies with the [Download and Upload **The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC** -If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning) for instructions and troubleshooting steps. +If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. Refer to [Troubleshooting](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues) for instructions and troubleshooting steps. ## 2025-01-08 diff --git a/src/content/docs/cloudflare-one/cloud-and-saas-findings/index.mdx b/src/content/docs/cloudflare-one/cloud-and-saas-findings/index.mdx deleted file mode 100644 index 7758474e529dc2c..000000000000000 --- a/src/content/docs/cloudflare-one/cloud-and-saas-findings/index.mdx +++ /dev/null @@ -1,25 +0,0 @@ ---- -pcx_content_type: how-to -title: Cloud and SaaS findings -sidebar: - order: 10 -learning_center: - title: What is CASB? | Cloud access security brokers - link: https://www.cloudflare.com/learning/access-management/what-is-a-casb/ ---- - -import { GlossaryTooltip, Render } from "~/components"; - -:::note[Availability] -Available for all Zero Trust users. - -Free users can configure up to two CASB integrations. You must upgrade to an Enterprise plan to view the details of a finding instance. -::: - -Cloudflare's API-driven [Cloud Access Security Broker](https://www.cloudflare.com/learning/access-management/what-is-a-casb/) (CASB) integrates with SaaS applications and cloud environments to scan for misconfigurations, unauthorized user activity, shadow IT, and other data security issues that can occur after a user has successfully logged in. - -For a list of available findings, refer to [Cloud and SaaS integrations](/cloudflare-one/integrations/cloud-and-saas/). - -## Manage CASB integrations - - diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx index 6378f07d8dd2c29..13abe6012da03df 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx +++ b/src/content/docs/cloudflare-one/data-loss-prevention/index.mdx @@ -40,6 +40,10 @@ Data Loss Prevention integrates with [Cloudflare AI Gateway](/ai-gateway/) to sc To get started, refer to [Set up DLP for AI Gateway](/ai-gateway/features/dlp/set-up-dlp/). +## Troubleshooting + +For help resolving common issues with DLP, refer to [Troubleshoot DLP](/cloudflare-one/data-loss-prevention/troubleshooting/). + ## Supported file types ### Formats diff --git a/src/content/docs/cloudflare-one/cloud-and-saas-findings/casb-dlp.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/saas-apps-dlp.mdx similarity index 100% rename from src/content/docs/cloudflare-one/cloud-and-saas-findings/casb-dlp.mdx rename to src/content/docs/cloudflare-one/data-loss-prevention/saas-apps-dlp.mdx diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshooting.mdx b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshooting.mdx new file mode 100644 index 000000000000000..c5dd522c682eb6d --- /dev/null +++ b/src/content/docs/cloudflare-one/data-loss-prevention/troubleshooting.mdx @@ -0,0 +1,10 @@ +--- +title: Troubleshoot DLP +pcx_content_type: troubleshooting +sidebar: + order: 5 +--- + +import { Render } from "~/components"; + + diff --git a/src/content/docs/cloudflare-one/email-security/index.mdx b/src/content/docs/cloudflare-one/email-security/index.mdx index 6edae881371f61e..42b3cc965f8a6a8 100644 --- a/src/content/docs/cloudflare-one/email-security/index.mdx +++ b/src/content/docs/cloudflare-one/email-security/index.mdx @@ -42,3 +42,9 @@ To access the Email security overview: 1. Log in to [Cloudflare One](https://one.dash.cloudflare.com/). 2. Go to **Email security** > **Overview**. + +--- + +## Troubleshooting + +For help resolving common issues with Email Security, refer to [Troubleshoot Email Security](/cloudflare-one/email-security/troubleshooting/). diff --git a/src/content/docs/cloudflare-one/email-security/troubleshooting.mdx b/src/content/docs/cloudflare-one/email-security/troubleshooting.mdx new file mode 100644 index 000000000000000..fee9e13bb1232ed --- /dev/null +++ b/src/content/docs/cloudflare-one/email-security/troubleshooting.mdx @@ -0,0 +1,17 @@ +--- +title: Troubleshoot Email Security +pcx_content_type: troubleshooting +sidebar: + order: 19 +description: Resolve common issues with Cloudflare Email Security, including delivery delays, false positives, and DMARC authentication errors. +--- + +import { Render } from "~/components"; + + + +--- + +## How to contact Support + +If you cannot resolve the issue, [open a support case](/support/contacting-cloudflare-support/). Please provide the **Message ID** or **Alert ID** for the affected emails, which you can find in the **Investigation** section of the dashboard. diff --git a/src/content/docs/cloudflare-one/faq/index.mdx b/src/content/docs/cloudflare-one/faq/index.mdx index e76c72b66d6d32e..327e91176cdfa85 100644 --- a/src/content/docs/cloudflare-one/faq/index.mdx +++ b/src/content/docs/cloudflare-one/faq/index.mdx @@ -64,11 +64,3 @@ For questions on connecting applications with Tunnels. > Tunnels ❯ - -## Troubleshooting - -Got an unexpected error? Check if it is covered in our troubleshooting section. - - - Troubleshooting ❯ - diff --git a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx b/src/content/docs/cloudflare-one/faq/troubleshooting.mdx deleted file mode 100644 index b04b302f1c311d4..000000000000000 --- a/src/content/docs/cloudflare-one/faq/troubleshooting.mdx +++ /dev/null @@ -1,381 +0,0 @@ ---- -pcx_content_type: troubleshooting -title: Troubleshooting -sidebar: - order: 4 -head: [] -description: Review common troubleshooting scenarios for Cloudflare Zero Trust. ---- - -import { GlossaryTooltip, Render } from "~/components"; - -[❮ Back to FAQ](/cloudflare-one/faq/) - -## I tried to register the Cloudflare One Client with my Zero Trust domain but received the following error messages: `Authentication Expired` and `Registration error. Please try again later`. - -When a user logs into an organization, the Cloudflare One Client will open a web page so the user can sign in via Cloudflare Access. Access then generates a JSON Web Token (JWT) that is passed from the web page to the Cloudflare One Client to authenticate the device. This JWT has a timestamp indicating the exact time it was created, as well as a timestamp indicating it will expire 50 seconds into the future. - -This error message means that when the JWT is finally passed to the Cloudflare One Client, it has already expired. One of two things can be happening: - -1. (Most likely): Your computer system clock is not properly synced using Network Time Protocol (NTP). Visit [https://time.is](https://time.is) on the affected machine to validate your clock is properly synchronized within 20 seconds of the actual time. - -2. You are waiting more than one minute to open the Cloudflare One Client from the time Cloudflare Access prompts you. Open the Cloudflare One Client as soon as you get the prompt. - -## I see a website is blocked, and it shouldn't be. - -If you believe a domain has been incorrectly blocked, you can use [this form](https://radar.cloudflare.com/categorization-feedback/) to get the URL reviewed. - -## I see an error saying `No Access-Control-Allow-Origin header is present on the requested resource`. - -Cloudflare Access requires that the credentials: `same-origin parameter` be added to JavaScript when using the Fetch API (to include cookies). AJAX requests fail without this parameter present. For more information, refer to our documentation about [CORS settings](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/). - -## I see untrusted certificate warnings for every page and I am unable to browse the Internet. - -Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP Filtering. -To install the Cloudflare root certificate, follow [this guide](/cloudflare-one/team-and-resources/devices/user-side-certificates/). - -## I see error 526 when browsing to a website. - -Gateway presents an **HTTP Response Code: 526** error page in the following cases: - -- **An untrusted certificate is presented from the origin to Gateway.** Gateway will consider a certificate is untrusted if any of these conditions are true: - - The server certificate issuer is unknown or is not trusted by the service. - - The server certificate is revoked and fails a CRL check. - - There is at least one expired certificate in the certificate chain for the server certificate. - - The common name on the certificate does not match the URL you are trying to reach. - - The common name on the certificate contains invalid characters (such as underscores). Gateway uses [BoringSSL](https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&Vendor=Google&CertificateStatus=Active&ValidationYear=0) to validate certificates. Chrome's [validation logic](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/cert/x509_certificate.cc#429) allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off the Cloudflare One Client. - -- **The connection from Gateway to the origin is insecure.** Gateway does not trust origins which: - - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the [SSL Server Test tool](https://www.ssllabs.com/ssltest/index.html) to check which ciphers are supported by the origin. - - Do not support [FIPS-compliant ciphers](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#cipher-suites) (if you have enabled [FIPS compliance mode](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance)). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin). - - Redirect all HTTPS requests to HTTP. - -If none of the above scenarios apply, contact Cloudflare support with the following information: - -- Operating System (Windows 10, macOS 10.x, iOS 14.x) -- Web browser (Chrome, Firefox, Safari, Edge) -- URL of the request -- Screenshot or copy/paste of the content from the error page - -For more troubleshooting information, refer to [Support](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/). - -## I see an error in the Gateway Overview page, and no analytics are displayed. - -![An error displayed in the Gateway Overview page instead of analytics.](~/assets/images/cloudflare-one/faq/gateway-dash-overview-empty.png) - -You may not see analytics on the Overview page for the following reasons: - -- **You are not sending DNS queries to Gateway**. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to **Networks** > **Resolvers & Proxies** > **DNS locations** and then expanding the location. -- **You are using other DNS resolvers**. If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses. -- **The source IPv4 address for your DNS location is incorrect**. If you are using IPv4, check the source IPv4 address that you entered for the DNS location matches with the network's source IPv4 address. -- **Analytics is not available yet**. It takes some time to generate the analytics for Cloudflare Gateway. If you are not seeing anything even after 5 minutes, file a support ticket. - -## I see a "No Browsers Available" alert. - -If you encounter this error, [file feedback](/cloudflare-one/remote-browser-isolation/known-limitations/) via the Cloudflare One Client and we will investigate. - -## I see a "Maximum Sessions Reached" alert. - -This can occur if your device is attempting to establish a connection to more than two remote browser instances. -A browser isolation session is a connection from your local browser to a remote browser. Tabs and windows within the same browser share a single remote browser session. In practice, this generally means that you can open both Chrome and Firefox to use browser isolation concurrently, but attempting to open a third browser such as Opera will cause this alert to appear. To release a browser session, close all tabs/windows in your local browser. The remote browser session will be automatically terminated within 15 minutes. - -## I see `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` when testing a SAML identity provider. - -This error occurs when the identity provider has not included the signing public key in the SAML response. While not required by the SAML 2.0 specification, Cloudflare Access always checks that the public key provided matches the **Signing certificate** uploaded to Zero Trust. For the integration to work, you will need to configure your identity provider to add the public key. - -## I see `Error 0: Bad Request. Please create a ca for application.` when attempting to connect to SSH with a short-lived certificate. - -This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to [these instructions](/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/). - -## Mobile applications warn of an invalid certificate, even though I installed a Cloudflare certificate on my system. - -These mobile applications may use certificate pinning Cloudflare Gateway dynamically generates a certificate for all encrypted connections in order to inspect the content of HTTP traffic. This certificate will not match the expected certificate by applications that use certificate pinning. -To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected. - -## Firefox shows a network protocol violation when I use the Cloudflare One Client. - -If you see this warning, you may have to disable DNS over HTTPS setting in Firefox. If you need help doing that, see [these instructions](https://support.mozilla.org/en-US/kb/firefox-dns-over-https#w_manually-enabling-and-disabling-dns-over-https). - -## Chrome shows `NET::ERR_CERT_AUTHORITY_INVALID` when I use the Cloudflare One Client. - -Advanced security features including HTTPS traffic inspection require you to deploy a [root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) on the device. If [**Install CA to system certificate store**](/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/) is enabled, the Cloudflare One Client will automatically install a new root certificate whenever you install or update the Cloudflare One Client. - -Certain web browsers (such as Chrome and Microsoft Edge) load and cache root certificates when they start. Therefore, if you install a root certificate while the browser is already running, the browser may not detect the new certificate. To resolve the error, restart the browser. - -## I see `Access api error auth_domain_cannot_be_updated_dash_sso`. - -This error appears if you try to change your [team domain](/cloudflare-one/faq/getting-started-faq/#whats-a-team-domainteam-name) while the [Cloudflare dashboard SSO](/fundamentals/manage-members/dashboard-sso/) feature is enabled on your account. -Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details. - -## The Cloudflare One Client on Linux shows `DNS connectivity check failed`. - -This error means that the `systemd-resolved` service on Linux is not allowing WARP to resolve DNS requests. You can identify this issue in the [`daemon.log`](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) file of the `warp diag` logs, where the error message appears as `ERROR main_loop: warp::warp::connectivity_check: DNS connectivity check failed to resolve host="warp-svc."`. - -To solve the issue: - -1. Add the following line to `/etc/systemd/resolved.conf`: - -```txt -ResolveUnicastSingleLabel=yes -``` - -2. Make sure that no other DNS servers are configured in `/etc/systemd/resolved.conf`. For example, if the file contains `DNS=X.Y.Z.Q`, comment out the line. - -3. Restart the service: - -```sh -sudo systemctl restart systemd-resolved.service -``` - -## Windows incorrectly shows `No Internet access` when the Cloudflare One Client is enabled. - -[NCSI](https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-overview) is a Windows feature for determining network quality and connectivity. When the Cloudflare One Client is enabled, NCSI checks can sometimes fail and cause a cosmetic UI error where the user believes they have no Internet even though the device still has full connectivity. Some apps (Outlook, JumpCloud) may refuse to connect because Windows is reporting there is no Internet connectivity. - -To resolve the issue, you will need to edit two Windows registry keys: - -1. Configure NCSI to detect WARP's [local DNS proxy](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#dns-traffic). - - ```txt - HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator - Type: DWORD - Value: UseGlobalDNS - Data: 1 - ``` - -2. Configure NCSI to use active probing mode, as the Cloudflare One Client may be obscuring the number of hops expected by the [passive probe](https://learn.microsoft.com/en-us/windows-server/networking/ncsi/ncsi-frequently-asked-questions#how-does-passive-probing-determine-connectivity). - - ```txt - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet - Type: DWORD - Value: EnableActiveProbing - Data: 1 - ``` - -If you continue to have issues with Microsoft 365 applications, consider enabling [**Directly route Microsoft 365 traffic**](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#directly-route-microsoft-365-traffic). - -## I see `WebGL Rendering Error`. - -Cloudflare Browser Isolation leverages Network Vector Rendering (NVR) technology. This allows us to deliver a secure, performant remote computing experience without the bandwidth limitations of traditional solutions. While we expect most websites to work perfectly, some browser features and web technologies such as WebGL (Web Graphics Library) are unsupported. - -WebGL is a JavaScript API for rendering high-performance interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. Support for WebGL is present in all modern browsers. However, the user's device must also have access to the underlying [hardware](https://developer.mozilla.org/en-US/docs/Web/API/WebGL_API#browser_compatibility) that supports these features. - -When running remote browser isolation in a virtualized environment, the user's device may not have access to the required system resources. To resolve the error, you can configure your browser to render vector graphics entirely through software, without using the hardware acceleration provided by a GPU. - -To enable software rasterization: - -1. Go to `chrome://flags/#override-software-rendering-list`. -2. Set **Override software rendering list** to _Enabled_. -3. Select **Relaunch** to apply the change. - -## I cannot send emails on port `25`. - -By default, the Cloudflare One Client blocks outgoing SMTP traffic on port `25` to prevent users from abusing our service to send spam. Modern email service providers use port `587` or `465` to encrypt emails over a TLS/SSL connection. For more information, refer to [What SMTP port should be used?](https://www.cloudflare.com/learning/email-security/smtp-port-25-587/). - -If you need to unblock port `25`, contact your account team. - -## I see `502 Bad Gateway` when browsing to a website. - -This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as [Microsoft Internet Information Services (IIS)](https://learn.microsoft.com/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported) do not support authentication over HTTP/2. When errors occur, the website may send back a `RST_STREAM` frame with the error code `HTTP_1_1_REQUIRED`, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream `RST_STREAM` frames to a pseudo socket close, so this appears as a `502 Bad Gateway` exception page. The browser will not indicate why it failed. - -Gateway does not support this downgrade mechanism. When receiving the `HTTP_1_1_REQUIRED` error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin. - -## I see `This site can't provide a secure connection.` - -If you see an error with the title `This site can't provide a secure connection` and a subtitle of ` uses an unsupported protocol`, you must [order an Advanced Certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate). - -If you added a [multi-level subdomain](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default. - -## As of February 2, 2025, my end-user device's browser is returning a `Your connection is not private` warning. - -### Why am I getting this error? - -The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC. If you installed the default Cloudflare certificate before 2024-10-17, you must [generate a new certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) and activate it for your Zero Trust organization to avoid inspection errors. If you did not generate a new certificate before February 2, 2025, you will encounter browser warnings like `Your connection is not private`. - -Starting with Cloudflare One Client version 2024.12.554.0 and later, the Cloudflare One Client will automatically install Cloudflare certificates in an end-user device's certificate store as soon as the Cloudflare certificates appear as **Available** in the Cloudflare dashboard. - -For Cloudflare One Client versions prior to 2024.12.554.0, certificates had to be marked as **In-Use** in the Cloudflare dashboard before the Cloudflare One Client could push the Cloudflare certificates to an end-user device's certificate store. - -### What do I need to do? - -For Cloudflare One Client versions before and after 2024.12.554.0, certificate propagation will only occur when the Cloudflare One Client is responsible for automatically installing the certificate on the client device. To enable the Cloudflare One Client to propogate certificates: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices**. -2. Select the **Management** tab. -3. Turn on **Install CA to system certificate store**. - -If **Install CA to system certificate store** is turned off, you must [manually install the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/), use an [MDM solution](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software) to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) must be enabled to enforce Gateway HTTP policies for HTTPS traffic. - -After enabling certificate propagation, you must update your certificate: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**, then select **Certificates**. -2. Select **Generate certificate**. -3. Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select **Generate certificate**. -4. The new certificate will be marked **Inactive** at first. Select the **three dots** to the right of the certificate, then select **Activate** to activate the certificate. - -When you activate a certificate, the Cloudflare One Client will download the new certificate to end-user devices. - -Certificate propagation to end-user devices can take up to 10 minutes, but can be expedited by resetting the encryption keys. - -To reset the encryption keys: - - - -macOS Big Sur and newer releases do not allow the Cloudflare One Client to automatically trust the certificate. You must either [manually trust the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/#macos) as the user or [use a MDM to trust the certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#mobile-device-management-mdm-software). - -After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as **In-Use**. To mark the certificate as **In-Use**: - -1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Traffic policies** > **Traffic settings**, then select **Certificates**. -2. Select a certificate. -3. In the detailed menu under **Basic Information**, select **Confirm and turn on certificate**. -4. Once turned on, the new certificate will now show as **In-Use** in Cloudflare One. **In-Use** indicates that the certificate is being used for inspection. - -It is recommended to have end users disconnect and reconnect the Cloudflare One Client to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly: - -1. Connect to the Cloudflare One Client. -2. Visit an HTTPS site. -3. Verify that no certificate error is enountered. - -Additionally, you can check the certificate used within your browser by viewing the certificate (steps vary by browser, but you can generally do this check by selecting the lock icon next to the URL) and verifying the Organizational Unit (OU) does not reference `ECC Certificate Authority`. - -The new certificate will be valid until the configured expiration date. - -### I followed all the instructions but I am still having problems with my certificate. - -If the new certificate is not activating on the end-user device or you are getting a `Certificate is missing` warning even though the certificate is marked **In-Use**. Refer to the following troubleshooting options: - -1. Rotate the keys used by the Cloudflare One Client to force activate the new certificate by running: - - ```sh - warp-cli tunnel rotate-keys - ``` - -2. [Upgrade](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/update/#how-to-update-warp) to the Cloudflare One Client version 2024.12.554.0. - - Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade. - -3. Turn off TLS Decryption. - -If no measure is working quickly and you are encountering browser warnings that are blocking work, [turning off TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#turn-on-tls-decryption) will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices. - -Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic. - -## I am getting an `Error 401: deleted_client - The OAuth Client was deleted` authorization error. - - - -## I entered an override code for the Cloudflare One Client that was supposed to be valid for 3 hours but the override code expired faster than I expected. - -[Admin override codes](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) are time-sensitive and adhere to fixed-hour time blocks. Override codes can be reused until the end of their timeout. An override code's timeout begins in the hour the override code was generated in. Refer to the following scenarios. - -### Scenario one: Admin generates an override code at 9:00 AM with a timeout of one hour. - -If admin generates an override code with a timeout of one hour at **9:00 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle the Cloudflare One Client on and off until **10:59 AM** (a one hour duration.) - -However, if the user attempts to enter the override code at **10:00 AM**, the override code will not work. The override code will not work because the override code was generated at **9:00 AM** and its one hour validity was counted as used in the 9:00 AM to 10:00 AM hour. - -### Scenario two: Admin generates an override code at 9:30 AM with timeout of three hours. - -If admin generates an override code with a timeout of three hours at **9:30 AM** and the user inputs the override code in their device at **9:59 AM**, the user will be able to toggle the Cloudflare One Client on and off until **12:59 PM** (a three hour duration.) - -However, if the user attempts to enter the override code at **10:00 AM**, the override code will only be valid until **12:00 PM** (a two hour duration). The override code was generated at **9:30 AM** and one hour of its total three hour validity was counted as used in the 9:00 AM to 10:00 AM hour. - -### Scenario three: Admin generates an override code at 12:30 PM with a timeout of 24 hours. - -If admin generates an override code with a timeout of 24 hours at **12:30 PM** and the user inputs the override code in their device at **12:59 PM** the same day, the user will be able to toggle the Cloudflare One Client on and off until **12:59 PM** the next day (a 24 hour duration.) - -However, if the user attempts to enter the override code at **1:00 PM** the same day, the override code will only be valid until **11:00 AM** the next day (a 23 hour duration). The override code was generated at **12:30 PM** and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour. - -If the user attempts to enter the override code at **11:59 AM** the next day, the override code will only be valid until **12:59 PM** (a one hour duration). The override code was generated at **12:00 PM** and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration). - -## I disabled the Cloudflare One Client using an override code but it turned on by itself before my override code expired. - -If you are using an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) with [Auto connect](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#auto-connect) also enabled, the Cloudflare One Client will turn on automatically according to the Timeout set for **Auto connect**. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user. - -To prevent the Cloudflare One Client from auto connecting while using an admin override code, disable Auto connect or set a longer **Timeout** for **Auto connect**. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert these changes later. - -## I am getting the error `Failed to fetch user/group information from the identity provider`. - -This error is returned when proper API permissions are not set up in the identity provider. When Cloudflare attempts to fetch user/group information from the identity provider and proper API permissions have not been configured, the `Failed to fetch user/group information from the identity provider` error will appear. Review the [SSO integration](/cloudflare-one/integrations/identity-providers/) guide for your identity provider to ensure your application has the appropriate API permissions. - -For example, [Microsoft Entra](/cloudflare-one/integrations/identity-providers/entra-id/#2-configure-api-permissions-in-entra-id) and [Okta]() have required permissions stated in their integration guides. - -You can also examine logs in your identity provider to identify any denied requests related to API access. - -## WSL2 is losing connectivity when using the Cloudflare One Client. - -If your WSL2 environment is losing connectivity while using the Cloudflare One Client, check your [split tunnel configuration](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). - -The issue may arise because the IP range that the WSL environment uses to communicate with the host device is included in the split tunnel configuration. Excluding the WSL environment's IP range should restore connectivity. - -You must ensure the host device is included in the WARP tunnel while excluding the WSL environment to prevent connectivity issues between WSL and the host device. - -To debug this issue: - -1. Review the WSL2 environment's IP address and compare it with the laptop's IP. -2. Check if the WSL network is [included in the split tunnel configuration](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode). -3. If the WSL network is included, exclude it from the split tunnel to prevent connectivity issues. - -## Clientless Web Isolation is loading with a blank screen on a Windows device. - -This issue can occur due to a conflict between browser settings and Windows network configuration. - -In Chromium-based browsers like Chrome and Edge, the **Anonymize local IPs exposed by WebRTC** flag (`chrome://flags/#enable-webrtc-hide-local-ips-with-mdns` or `edge://flags/#enable-webrtc-hide-local-ips-with-mdns`) — when set to `Enabled` or left at `Default` — hides local IP addresses by replacing them with mDNS hostnames. Multicast DNS (mDNS) hostnames rely on multicast traffic to be resolved properly on the local network. - -The [Internet Group Management Protocol (IGMP)](https://www.cloudflare.com/learning/network-layer/what-is-igmp/) allows devices to join a multicasting group. On Windows, `IGMPLevel` determines whether the system participates in multicast group membership. When `IGMPLevel` is set to `0`, multicast support is disabled. - -To resolve this error, review the following options: - -| `IGMPLevel` | **Anonymize local IPs exposed by WebRTC** setting | Result in Clientless Web Isolation | -| -------------- | ------------------------------------------------- | -------------------------------------------- | -| `0` (disabled) | **Enabled / Default** | ❌ Blank screen | -| `0` (disabled) | **Disabled** | ✅ Works - browser will use local IP address | -| `2` (enabled) | **Enabled / Default** | ✅ Works - mDNS resolves successfully | - -## After putting Google Workspace behind Access, I can't log in. It keeps redirecting between Access and Google without ever completing authentication. - -When you put your Google Workspace behind Access, users will not be able to log in using Google or Google Workspace as an identity provider. - -This configuration creates an authentication loop. Cloudflare Access tries to authenticate the user via Google, but Google itself treats Cloudflare as its identity provider and requires authentication from Cloudflare. Since each system depends on the other to complete login first, the user is caught in an infinite redirect cycle and can never successfully authenticate. - -## When installing the Cloudflare One Client on Windows, the Setup Wizard ends prematurely. - -This error can occur for several reasons, including missing dependencies, like the appropriate .NET Framework version or other Dynamic Link Libraries (DLLs) such as `netstandard2.0`, required during installation. - -To investigate, run the following command to generate installation logs: - -```powershell -msiexec /i /L*V -``` - -Check the logs to verify if there are any missing DLLs (for example, `netstandard2.0`), which may point to a missing or outdated version of the .NET Framework. - -One common cause is a missing or outdated version of the [.NET Framework Runtime](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/#windows:~:text=NET%20Framework%20version-,4.7.2%20or%20later,-HD%20space). The Cloudflare One Client requires a .NET Framework version of `4.7.2` or later. - -Some legacy Windows systems (such as Windows 10 Enterprise 1607 LTSB, which is bundled with .NET `4.6`) do not include this runtime by default and may fail during installation with a `Setup Wizard ended prematurely` error. More recent Windows versions include .NET `4.7.2` or later by default and do not encounter this error. - -To fix this: - -1. Download and install the [.NET Framework 4.7.2 Runtime](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net472) (make sure to install the **Runtime**, not the Developer Pack). -2. Re-run the Cloudflare One Client installer. - -If the problem continues, try running the [.NET Repair Tool](https://www.microsoft.com/en-ca/download/details.aspx?id=30135), or check which .NET versions are installed by running the following command in PowerShell: - -```powershell -Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP" -Recurse | ForEach-Object { $_.Name; Get-ItemProperty $_.PSPath; "" } -``` - -## I get an `Invalid session. Please try logging in again.` error from Access when trying to log in to the Cloudflare dashboard via SSO. - -Cloudflare Access uses a [`CF_Session` cookie](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/#access-cookies) to validate that the same browser both initiated and completed your sign-in. The `Invalid session` error means Access was unable to validate this cookie. Ensure that there is no software or firewall on your device or network that may be interfering with requests to Access. - -## Long-lived SSH sessions frequently disconnect. - -All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. It is possible for connections to last longer than 10 hours. However, if a connection is active at the time of a Gateway release, Gateway will terminate the connection 10 hours later. Releases are not scheduled and can occur multiple times a week. - -To prevent long-lived SSH connections from breaking unexpectedly, we recommend terminating sessions on a predefined schedule. For example, you could set an 8-hour idle timeout so that inactive sessions automatically disconnect during off hours. To configure an idle timeout, add the `ChannelTimeout` option to either the SSH server (`/etc/ssh/sshd_config`) or client configuration file (`~/.ssh/config`): - -```txt -ChannelTimeout global=8h -``` - -Implementing [`ChannelTimeout` on the client side](https://man.openbsd.org/ssh_config#ChannelTimeout) allows users to choose a time that works for them, whereas implementing it on the [server side](https://man.openbsd.org/sshd_config#ChannelTimeout) removes the configuration burden from the end user. diff --git a/src/content/docs/cloudflare-one/index.mdx b/src/content/docs/cloudflare-one/index.mdx index 1550bb4be211ad4..ccaffc0956a6930 100644 --- a/src/content/docs/cloudflare-one/index.mdx +++ b/src/content/docs/cloudflare-one/index.mdx @@ -152,10 +152,10 @@ Monitor device, network, and application performance across your Zero Trust orga - Find answers to common questions or open a ticket with Cloudflare Support. + Find troubleshooting guides for Cloudflare One products and learn how to collect information for Support. + +--- + +## How to contact Support + +If you cannot resolve the issue, [open a support case](/support/contacting-cloudflare-support/). Please provide a [remote capture](/cloudflare-one/insights/dex/remote-captures/) from the Zero Trust dashboard for the affected device. diff --git a/src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/cloud-and-saas-findings/manage-findings.mdx rename to src/content/docs/cloudflare-one/integrations/cloud-and-saas/findings/index.mdx diff --git a/src/content/docs/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb.mdx b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/casb.mdx similarity index 99% rename from src/content/docs/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb.mdx rename to src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/casb.mdx index c60ddfc4af47f29..733d1981924d6fc 100644 --- a/src/content/docs/cloudflare-one/cloud-and-saas-findings/troubleshoot-casb.mdx +++ b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/casb.mdx @@ -1,8 +1,8 @@ --- -title: Troubleshoot CASB +title: CASB pcx_content_type: troubleshooting sidebar: - order: 4 + order: 1 --- Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). diff --git a/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/index.mdx b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/index.mdx index b94436d604d5512..fca9b0ce5b05b89 100644 --- a/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/index.mdx +++ b/src/content/docs/cloudflare-one/integrations/cloud-and-saas/troubleshooting/index.mdx @@ -9,4 +9,6 @@ sidebar: import { DirectoryListing } from "~/components"; +Explore guides to resolve issues with Cloudflare Zero Trust integrations, including CASB and third-party SaaS applications. + diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/google-workspace.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/google-workspace.mdx index 69e85201693826d..f0d45f5096e5860 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/google-workspace.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/google-workspace.mdx @@ -9,7 +9,7 @@ import { GlossaryTooltip, Render } from "~/components"; :::note -The Google Workspace IdP integration [is not supported](/cloudflare-one/faq/troubleshooting/#after-putting-google-workspace-behind-access-i-cant-log-in-it-keeps-redirecting-between-access-and-google-without-ever-completing-authentication) if your Google Workspace account is protected by Access. +The Google Workspace IdP integration [is not supported](/cloudflare-one/access-controls/troubleshooting/#google-workspace-redirect-loop) if your Google Workspace account is protected by Access. ::: You can integrate a Google Workspace (formerly G Suite) account with Cloudflare Access. Unlike the instructions for [generic Google authentication](/cloudflare-one/integrations/identity-providers/google/), the steps below will allow you to pull group membership information from your Google Workspace account. @@ -110,7 +110,7 @@ This will generate a **SCIM Endpoint** that can accept inbound SCIM events from :::note[`Failed to fetch group information from the identity provider` error] -To test successfully, you must [finish setup](https://community.cloudflare.com/t/google-workspace-failed-to-fetch-group-information-from-the-identity-provider/313361/2). Testing before finishing setup will result in a [`Failed to fetch user/group information from the identity provider` error](/cloudflare-one/faq/troubleshooting/#i-am-getting-the-error-failed-to-fetch-usergroup-information-from-the-identity). +To test successfully, you must [finish setup](https://community.cloudflare.com/t/google-workspace-failed-to-fetch-group-information-from-the-identity-provider/313361/2). Testing before finishing setup will result in a [`Failed to fetch user/group information from the identity provider` error](/cloudflare-one/access-controls/troubleshooting/#identity-provider-usergroup-info-error). ::: diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx index be19a27a928d9c9..7357b61108eb928 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx @@ -98,7 +98,7 @@ Follow these steps to publish an application to the Internet. If you are looking }} /> :::note - If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). + If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#i-see-this-site-cant-provide-a-secure-connection). ::: Your ingress rules must include a catch-all rule at the end. In this example, `cloudflared` will respond with a 404 status code when the request does not match any of the previous hostnames. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx index 740385045258554..36328414b54937c 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors.mdx @@ -7,7 +7,7 @@ sidebar: import { GlossaryTooltip, Render } from "~/components"; -This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/), view your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). +This section covers the most common errors you might encounter when connecting resources with Cloudflare Tunnel. If you do not see your issue listed below, refer to [Troubleshooting Cloudflare One](/cloudflare-one/troubleshooting/), view your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/), or [contact Cloudflare Support](/support/contacting-cloudflare-support/). ## Tunnel status @@ -53,6 +53,12 @@ To ping an IP address behind Cloudflare Tunnel, your system must allow ICMP traf This error occurs when you try to add a CIDR route that falls within the Cloudflare One Client's CGNAT IP range. The `100.96.0.0/12` range, which covers addresses from `100.96.0.1` to `100.111.255.254`, is reserved for internal WARP routing and cannot be added as a Cloudflare Tunnel route. To connect your private network, you will need to change its IP/CIDR so that it does not overlap with `100.96.0.0/12`. -## Troubleshooting +## I see `This site can't provide a secure connection.` + +If you see an error with the title `This site can't provide a secure connection` and a subtitle of ` uses an unsupported protocol`, you must [order an Advanced Certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate). + +If you added a [multi-level subdomain](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/#2a-connect-an-application) as Cloudflare's Universal certificate will not cover the public hostname by default. + + +For more information on Tunnel errors, view your [Tunnel logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/monitor-tunnels/logs/) or [contact Cloudflare Support](/support/contacting-cloudflare-support/). -[Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Browse other Cloudflare One-related troubleshooting errors and solutions. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/index.mdx index 1dd6edca659a470..f325314af627de7 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/index.mdx @@ -3,9 +3,10 @@ pcx_content_type: navigation title: Troubleshoot tunnels sidebar: order: 10 - --- import { DirectoryListing } from "~/components" +Explore resources to help you resolve issues with Cloudflare Tunnel connectivity and configuration. + diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx index 7a0ba9f511e0608..e455997c3de41a7 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access.mdx @@ -196,7 +196,7 @@ The following SSH features are not supported: ### Session duration -SSH sessions have a maximum expected duration of 10 hours. For more information, refer to the [Troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#long-lived-ssh-sessions-frequently-disconnect). +SSH sessions have a maximum expected duration of 10 hours. For more information, refer to [Troubleshoot Access](/cloudflare-one/access-controls/troubleshooting/#long-lived-ssh-sessions-disconnect). ## Troubleshooting diff --git a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx index 915be2628c81ebc..0c15ffaa22c08c2 100644 --- a/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx +++ b/src/content/docs/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/index.mdx @@ -546,7 +546,7 @@ Each type of proxy endpoint supports the following features: ### Session duration -All connections proxied through Cloudflare Gateway have a maximum guaranteed duration of 10 hours. For more information, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#long-lived-ssh-sessions-frequently-disconnect). +All connections proxied through Cloudflare Gateway have a maximum guaranteed duration of 10 hours. For more information, refer to [Troubleshooting](/cloudflare-one/access-controls/troubleshooting/#long-lived-ssh-sessions-disconnect). ### Gateway DNS and resolver policies diff --git a/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx b/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx index ed85d8ffb71defe..79d645a74f2aaa0 100644 --- a/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx +++ b/src/content/docs/cloudflare-one/networks/routes/add-routes.mdx @@ -72,7 +72,7 @@ To add a published application route to an existing tunnel: 4. Enter a subdomain and select a **Domain** from the drop-down menu. Specify any subdomain or path information. :::note - If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/faq/troubleshooting/#i-see-this-site-cant-provide-a-secure-connection). + If you add a multi-level subdomain (more than one level of subdomain), you must [order an Advanced Certificate for the hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/common-errors/#i-see-this-site-cant-provide-a-secure-connection). ::: 5. Under **Service**, choose a [service type](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/protocols/) and specify its URL. For example: diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx index 00480d707409496..6bf66f67b92de47 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx @@ -18,3 +18,8 @@ Available as an add-on to Zero Trust Pay-as-you-go and Enterprise plans. ## Privacy Cloudflare Browser Isolation is a security product. In order to serve transparent isolated browsing and block web based threats our network decrypts Internet traffic using the [Cloudflare root CA](/cloudflare-one/team-and-resources/devices/user-side-certificates/). Traffic logs are retained as per the [Zero Trust](/cloudflare-one/insights/logs/) documentation. + +## Troubleshooting + +For help resolving common issues with Browser Isolation, refer to [Troubleshoot Browser Isolation](/cloudflare-one/remote-browser-isolation/troubleshooting/). + diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx index 32a55e659dc377c..117ca552e74205f 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/known-limitations.mdx @@ -19,7 +19,7 @@ Below, you will find information regarding the current limitations for Browser I Our Network Vector Rendering (NVR) technology allows us to deliver a secure remote computing experience without the bandwidth limitations of video streams. While we expect most websites to work perfectly, some browser features and web technologies are unsupported and will be implemented in the future: - Webcam and microphone support is unavailable. -- Websites that use WebGL may not function. To turn off WebGL in the browser, refer to [WebGL Rendering Error](/cloudflare-one/faq/troubleshooting/#i-see-webgl-rendering-error). +- Websites that use WebGL may not function. To turn off WebGL in the browser, refer to [WebGL Rendering Error](/cloudflare-one/remote-browser-isolation/troubleshooting/#webgl-rendering-error). - Netflix and Spotify Web Player are unavailable. - H.265/HEVC is not a supported video format at this time. diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx index 0111fe3139048c2..b036824ed3e79ad 100644 --- a/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation.mdx @@ -171,4 +171,4 @@ If you want to isolate a website without the Cloudflare One Client installed, yo Review troubleshooting guidance related to Clientless Web Isolation. -- [Clientless Web Isolation is loading a blank screen on a Windows device](/cloudflare-one/faq/troubleshooting/#clientless-web-isolation-is-loading-with-a-blank-screen-on-a-windows-device) +- [Clientless Web Isolation is loading a blank screen on a Windows device](/cloudflare-one/remote-browser-isolation/troubleshooting/#blank-screen-on-windows) diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/troubleshooting.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/troubleshooting.mdx new file mode 100644 index 000000000000000..f72f55b9ff28bed --- /dev/null +++ b/src/content/docs/cloudflare-one/remote-browser-isolation/troubleshooting.mdx @@ -0,0 +1,17 @@ +--- +title: Troubleshoot Browser Isolation +pcx_content_type: troubleshooting +sidebar: + order: 10 +description: Resolve common issues with Cloudflare Browser Isolation, including session limits, rendering errors, and WebGL support. +--- + +import { Render } from "~/components"; + + + +--- + +## How to contact Support + +If you cannot resolve the issue, [open a support case](/support/contacting-cloudflare-support/). For RBI issues, it is helpful to provide the **Ray ID** from any error page and a description of the browser you are using. diff --git a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx index 402d3b3d3d181db..74cd883fc85100d 100644 --- a/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx +++ b/src/content/docs/cloudflare-one/reusable-components/custom-pages/gateway-block-page.mdx @@ -125,7 +125,7 @@ If your users receive a security risk warning in their browser when visiting a b - Display an **HTTP Response Code: 526** error page, indicating an insecure upstream. - Close the connection and fail to display any pages. -For more information on fixing certificate issues, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). +For more information on fixing certificate issues, refer to [Troubleshooting](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues). ### Incompatible DNS record types diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx index 7bb65035f5abac9..e83a64ae9140a3d 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/index.mdx @@ -49,9 +49,9 @@ As admin, you can set a **Timeout** to define how long a user can toggle the cli :::caution[Troubleshooting] -To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-entered-an-override-code-for-the-cloudflare-one-client-that-was-supposed-to-be-valid-for-3-hours-but-the-override-code-expired-faster-than-i-expected). +To learn more about override code timeouts and how Cloudflare calculates an override code's valid duration, refer to [Troubleshooting](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#admin-override-codes-expired). -If [Auto connect](#auto-connect) is enabled, the Cloudflare One Client will automatically reconnect, according to the value set for the auto connect timeout, even when using **Allow admin override codes**. Refer to [Troubleshooting](/cloudflare-one/faq/troubleshooting/#i-disabled-the-cloudflare-one-client-using-an-override-code-but-it-turned-on-by-itself-before-my-override-code-expired) for more information. +If [Auto connect](#auto-connect) is enabled, the Cloudflare One Client will automatically reconnect, according to the value set for the auto connect timeout, even when using **Allow admin override codes**. Refer to [Troubleshooting](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#admin-override-codes-expired) for more information. ::: diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues.mdx index aa9e6d1bbd35cea..e0f3fdc7cf12743 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues.mdx @@ -1,198 +1,88 @@ --- -pcx_content_type: reference title: Common issues +pcx_content_type: reference sidebar: order: 1 --- -import { Render } from "~/components"; +import { Render, Tabs, TabItem } from "~/components"; -This section covers the most common issues you might encounter as you deploy the Cloudflare One Client (formerly WARP) in your organization, or turn on new features that interact with the client. If you do not see your issue listed below, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/) or [contact Cloudflare Support](/support/contacting-cloudflare-support/). +This section covers the most common issues you might encounter as you deploy the Cloudflare One Client (formerly WARP) in your organization, or turn on new features that interact with the client. -## Unable to connect the Cloudflare One Client +## Connectivity and registration +### Stuck on "Disconnected" or frequent flapping If the Cloudflare One Client is stuck in the `Disconnected` state or frequently changes between `Connected` and `Disconnected`, this indicates that the client cannot establish a connection to Cloudflare's global network. -
- -![Example of Cloudflare One Client UI when unable to connect](~/assets/images/cloudflare-one/connections/warp-stuck-on-disconnected.png) - -
- -_Note: Labels in this image may reflect a previous product name._ - In your [client diagnostic logs](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/), `daemon.log` will typically show one or more of the following errors: -- Happy Eyeball checks failing: - - ```txt - ERROR main_loop: warp::warp::happy_eyeballs: Happy eyeballs error Custom { kind: NotConnected, error: "All Happy Eyeballs checks failed" } - ``` - -- Many other checks timing out: - - ```txt - ERROR warp::warp::connectivity_check: DNS check failed error=ResolveError { kind: Timeout } - WARN warp::warp::connectivity_check: Tunnel trace failed request::Error { kind: Request, url: Url { scheme: "https", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("connectivity.cloudflareclient.com")), port: None, path: "/cdn-cgi/trace", query: None, fragment: None }, source: TimedOut } - ``` - -Here are the most common reasons why this issue occurs: - -### A third-party service is blocking the Cloudflare One Client - -A third-party service (such as a hardware or software firewall, router, MDM/group policy configuration, or other networking interface) may have a security policy in place which blocks the Cloudflare One Client from connecting. - -#### Solution - -Configure the third-party service to exempt the [IP addresses required by WARP](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/). - -### A third-party VPN is interfering with the Cloudflare One Client - -The most common places we see interference with the Cloudflare One Client from VPNs are: - -- **Control of traffic routing:** In `daemon.log`, you will see a large number of routing table changes. For example, - - ```txt - DEBUG warp::warp_service: Routes changed: - Added; Interface: 8; Destination: 10.133.27.201/32; Next hop: 100.64.0.2; - Added; Interface: 8; Destination: 10.133.27.202/32; Next hop: 100.64.0.2; - DEBUG warp::warp_service: Routes changed: - Added; Interface: 8; Destination: 10.133.27.203/32; Next hop: 100.64.0.2; - Added; Interface: 8; Destination: 10.133.27.204/32; Next hop: 100.64.0.2; - DEBUG warp::warp_service: Routes changed: - Added; Interface: 8; Destination: 10.133.27.205/32; Next hop: 100.64.0.2; - ``` - - This indicates that a third-party VPN is fighting the Cloudflare One Client for control over the routing table. - -- **Control of DNS:** In `daemon.log`, you will see a large number of DNS changes followed by this warning: - - ```txt - WARN main_loop: warp::warp_service: Reinforcing DNS settings. Is something else fighting us? - ``` - - The daemon may also note that some other process has already bound to the UDP and TCP sockets: - - ```txt - WARN warp::warp: Unable to bind local UDP socket error=Os { code: 48, kind: AddrInUse, message: "Address already in use" } sockaddr=127.0.2.2:53 - WARN warp::warp: Unable to bind local TCP socket error=Os { code: 48, kind: AddrInUse, message: "Address already in use" } sockaddr=127.0.2.2:53 - ``` - -To confirm that the VPN is the source of the issue, temporarily uninstall (not disable or disconnect) the VPN. - -#### Solution - -1. Disable all DNS enforcement on the VPN. The Cloudflare One Client must be the last client to touch the primary and secondary DNS server on the default interface. -2. In [Cloudflare One](https://one.dash.cloudflare.com/), create a [Split Tunnel rule](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) to exclude the VPN server you are connecting to (for example, `vpnserver.3rdpartyvpn.example.com`). -3. Configure your VPN to only include routes to your internal resources. Make sure that the VPN routes do not overlap with the routes [included in the WARP tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). - -For more information, refer to our [guide](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/vpn/) for running VPNs alongside the Cloudflare One Client. - -### Your ISP or country is blocking the Cloudflare One Client - -Some countries explicitly block the use of VPN or VPN-like software that intentionally encrypts traffic. These blocks are often inconsistently enforced and you may sometimes see successful connections. +- Happy Eyeball checks failing: `All Happy Eyeballs checks failed`. +- Connectivity checks timing out for `connectivity.cloudflareclient.com`. -If you suspect your country may be blocking client traffic, contact your ISP to verify. +**Common causes**: +- **Firewall blocks**: A local or network firewall is blocking the [required IP addresses](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/). +- **VPN interference**: A third-party VPN is fighting for control over the routing table or DNS. Refer to the [VPN compatibility guide](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/vpn/). +- **ISP blocks**: Your country or ISP may be explicitly blocking client traffic. -### (Mac/Linux) The device's `/etc/resolv.conf` file has an invalid character +### Registration error (Authentication Expired) +When registering the client, you may see `Authentication Expired` or `Registration error. Please try again later`. -The Cloudflare One Client cannot parse `resolv.conf` files which contain an invalid hostname. In `daemon.log`, you will see an `unrecognized char` warning: +**Common causes**: +- **System clock out of sync**: Your computer system clock must be properly synced via NTP. If your clock is off by more than 20 seconds, the authentication token (JWT) will be invalid. +- **Prompt timeout**: You must complete the registration in your browser and return to the client within one minute of the prompt. -```txt -WARN main_loop: warp::warp_service: Tunnel connection experienced error error=Custom { kind: Other, error: ProtoError { kind: Msg("unrecognized char: ") } } -``` +### (Linux) DNS connectivity check failed +This error often means that `systemd-resolved` is not allowing the client to resolve DNS requests. In `daemon.log`, you will see `DNS connectivity check failed to resolve host="warp-svc."`. -#### Solution +**Solution**: +1. Add `ResolveUnicastSingleLabel=yes` to `/etc/systemd/resolved.conf`. +2. Ensure no other DNS servers are explicitly configured in that file. +3. Restart the service: `sudo systemctl restart systemd-resolved.service`. -1. Open the `/etc/resolv.conf` file on your device. -2. In the `search` directives, check for invalid URL characters such as `!@#$%^&*()<>?`. -3. Remove the invalid lines and rely on the Cloudflare One Client and Gateway for DNS services. +### (Mac/Linux) Invalid character in resolv.conf +The client cannot parse `resolv.conf` files containing invalid characters like `!@#$%^&*()<>?` in `search` directives. Remove these characters to restore service. -## Connected the Cloudflare One Client and can no longer browse the Internet +## Browser and certificate issues -If the Cloudflare One Client shows as `Connected` but you cannot reach any websites or internal resources, this is likely due to one of the following configuration issues. +### "Your connection is not private" or untrusted warnings +Advanced security features require the [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) to be trusted on the device. -### A Gateway firewall policy is blocking traffic +- **Chrome/Edge**: These browsers cache certificates. If you installed the certificate while the browser was running, you must restart the browser. +- **Root certificate expiry**: The default Cloudflare root certificate expired on February 2, 2025. If you are seeing errors, [generate and activate a new certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/#generate-a-cloudflare-root-certificate) in the dashboard. -A misconfigured Gateway firewall policy can result in traffic to some or all sites being restricted. +### 2025 Certificate migration +Starting with version 2024.12.554.0, the client can automatically install new certificates as soon as they are **Available** in the dashboard. For older versions, certificates had to be marked **In-Use** first. Ensure **Install CA to system certificate store** is enabled in your [Device settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/). -#### Solution +## Windows-specific issues - +### Windows shows "No Internet access" +This is often a cosmetic error with Windows Network Connectivity Status Indicator (NCSI). Apps like Outlook or JumpCloud may refuse to connect because of this status. -### The device does not have a root certificate installed +**Solution**: +Configure NCSI to detect the client's local DNS proxy and use active probing by setting these registry keys to `1`: +- `HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator\UseGlobalDNS` +- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing` -Installing and trusting a [root CA](/cloudflare-one/team-and-resources/devices/user-side-certificates/) is a necessary step to enable advanced security features such as Browser Isolation, [TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/), AV scanning, and device posture. +### Setup Wizard ends prematurely +This usually indicates a missing dependency, such as .NET Framework `4.7.2` or later. Legacy systems (like Windows 10 Enterprise 1607) may require a manual update of the [.NET Framework Runtime](https://dotnet.microsoft.com/en-us/download/dotnet-framework/net472). -If the root CA is not installed on the device, you will see untrusted certificate warnings on every website. Example warnings include `Certificate not trusted`, `Not trusted identity` or `SSL Error`. +## Other environment issues -#### Solution +### WSL2 connectivity +If WSL2 loses connectivity, check your [split tunnel configuration](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). The IP range used by WSL to communicate with the host may be accidentally included in the tunnel. Exclude the WSL network range to restore connectivity. -[Install a Cloudflare certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/) on all of your devices, or [upload your own certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/) to Cloudflare. +### SMTP port 25 blocked +By default, the client blocks outgoing traffic on port `25` to prevent spam. Use port `587` or `465` for encrypted email, or contact your account team to request an unblock. -:::note +### Admin override codes expired +[Admin override codes](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) are time-sensitive and adhere to fixed-hour blocks. A code generated at 9:30 AM with a 1-hour timeout will expire at 10:00 AM because its validity is counted within the 9:00 AM-10:00 AM window. -More and more applications (including browsers) are relying on their own certificate stores. In addition to ensuring a root certificate is trusted at the device level, you may also need to [add the certificate to individual applications](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications). For example, to use Firefox on Linux, you must install the certificate on both the system and on Firefox. - -::: - -### A third-party security product is interfering with Gateway - -The Cloudflare One Client does not allow third-party DLP or proxy services to perform TLS decryption on traffic sent to Gateway. - -To diagnose the issue, go to `https://zero-trust-client.cloudflareclient.com/v0/client_config` and verify the certificate the HTTPS traffic is signed with. If the certificate is issued by your organization or a third-party service, the third-party service is performing TLS decryption on client traffic and re-signing with a certificate that we do not trust. - -#### Solution - -In the third-party security product, disable HTTPS inspection and TLS decryption for the [WARP IP addresses](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/firewall/). - -### Docker container is failing DNS resolution - -If you are using the Cloudflare One Client and running a CI/CD pipeline inside a Docker container on Microsoft hardware to provide GitHub Actions with an egress IP, your container's `/etc/resolv.conf` file might be injecting a [custom nameserver with the IP address `168.63.129.16`](https://learn.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16) (specific to Azure infrastructure.) -The `168.63.129.16` IP address is only accessible to Azure VMs and causes the container's traffic to fail when routed through the WARP tunnel. - -#### Solution - -To fix this issue, you must exclude the Azure-specific nameserver IP (`168.63.129.16`) from being routed through WARP tunnel. Refer to [Split Tunnels](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/#change-split-tunnels-mode) and follow the instructions to exclude the Azure-specific IP. - -## Cannot connect to a specific app or website - -Below are the most common reasons why connecting the Cloudflare One Client blocks a specific application from loading. - -### TLS Decryption is enabled and the app or site does certificate pinning - -Some applications do not support SSL inspection or are otherwise [incompatible with TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/#inspection-limitations). Gateway provides a [list of applications known to perform certificate pinning](/cloudflare-one/traffic-policies/application-app-types/#do-not-inspect-applications). - -#### Solution (if the app has a private certificate store) - -Applications such as Firefox, Docker, Python, and npm rely on their own certificate store and the Cloudflare root certificate must be trusted in each. - -Refer to [our instructions](/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/#add-the-certificate-to-applications) for adding a root certificate to common applications. For applications not on our list, try searching the Internet for ` proxy support` or ` proxy certificate`. - -#### Solution (last resort) - -If you cannot install the certificate on the application, create a [Do Not Inspect policy](/cloudflare-one/traffic-policies/http-policies/#do-not-inspect) to exclude the application from Gateway inspection. - -### A Gateway firewall policy is blocking the app or site - -You may have a Gateway DNS, Network, or HTTP in place that accidentally blocks a port, IP, or domain that the app or site relies on. - -#### Solution - - - -### Split Tunnel settings are misconfigured for the app or site - -Some applications require traffic to flow either all inside or all outside of the WARP tunnel. For instance, in order to use AirDrop or communicate with a local printer, traffic must be outside the tunnel. For applications like Microsoft Teams to function properly, all Microsoft Teams traffic must be either fully inside the tunnel or fully outside the tunnel. - -#### Solution - -1. Determine the IP addresses and/or domains required for your application to function. Common Internet search terms include ` split tunnel list`, ` allow list`, or ` firewall ips`. -2. In [Cloudflare One](https://one.dash.cloudflare.com/), go to your [Split Tunnel settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/). -3. Depending on the application, either include or exclude all of the necessary IPs and/or domains. For Microsoft applications, we provide a [one-click action](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#directly-route-microsoft-365-traffic) to exclude all Microsoft 365 IPs. +--- -## Troubleshooting +## Next steps -- [Troubleshooting](/cloudflare-one/faq/troubleshooting/) - Browse other Cloudflare One-related troubleshooting errors and solutions. +- [Diagnostic logs](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) - Learn how to collect logs for support. +- [Known limitations](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/known-limitations/) - Review unsupported features and environments. +- [Troubleshooting Cloudflare One](/cloudflare-one/troubleshooting/) - View troubleshooting guides for other products. diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/index.mdx index 94bac97b1302951..c602fb524f71c2a 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/index.mdx @@ -10,4 +10,6 @@ sidebar: import { DirectoryListing } from "~/components"; +Explore guides to resolve common connectivity and configuration issues with the Cloudflare One Client (formerly WARP). + diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide.mdx index d43e0ea9e31ca92..1ed23c2edcfaf59 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide.mdx @@ -6,513 +6,6 @@ sidebar: label: Troubleshooting guide --- -import { - MetaInfo, - Render, - Steps, - Stream, - Tabs, - TabItem, - Type, -} from "~/components"; +import { Render } from "~/components"; -This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux. - -1. **Before you start**: [Prerequisites](#prerequisites), permissions, [version control](#check-your-client-version), and client basics. -2. **Collect logs**: Through [Cloudflare One](#option-a-collect-logs-via-the-cloudflare-dashboard) (with DEX remote capture) or the [command-line interface](#option-b-collect-logs-via-the-cli) (CLI) (`warp-diag`). -3. **Review logs**: [Status](#check-client-status), [settings](#check-client-settings), [profile ID](#profile-id), [split tunnel](#exclude-mode-with-hostsips) configuration, and other settings. -4. **Fix common misconfigurations**: [Profile mismatch](#wrong-profile-id), [split tunnel issues](#wrong-split-tunnel-configuration), [managed network issues](#review-your-managed-network-settings), [user group mismatch](#check-a-users-group-membership). -5. **File a support ticket**: [How to file a ticket](#5-file-a-support-ticket) after you have exhausted your troubleshooting options. - -:::note[AI-assisted troubleshooting] - -Cloudflare One includes two free AI helpers to speed up Cloudflare One Client investigations: - -[**WARP Diagnostics Analyzer**](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diagnostics-analyzer-beta) - Uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. This analyzer is available for logs collected via the dashboard. - -[**DEX MCP server**](/cloudflare-one/insights/dex/dex-mcp-server/) — An AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer that contains data from the DEX API. - -::: - -## 1. Before you start - -### Prerequisites - -- You must have completed the [Zero Trust onboarding flow](/cloudflare-one/setup/) with a Zero Trust organization created. -- You must have the Cloudflare One Client installed on an end user device. -- You must have a [role](/cloudflare-one/roles-permissions/) that gives admin permission to access logs on the Cloudflare dashboard. - -### Check your client version - -Many troubleshooting issues are caused by outdated client versions. For the best performance and compatibility, administrators should check for new releases and [update the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) before attempting to troubleshoot other issues. - -After updating the Cloudflare One Client, monitor the issue to see if it recurs. If the issue persists, continue with the troubleshooting guide. - -#### Via the device - - - - -1. Open the Cloudflare One Client on your desktop. -2. Select **About**. -3. Compare your device's version with the [latest version](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). - - - - - -4. Open the Cloudflare One Client on the desktop. -5. Select the gear icon. -6. Select **About WARP**. -7. Compare your device's version with the [latest version of the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). - - - - -#### Via the Cloudflare One dashboard - -1. Log into [Cloudflare One](https://one.dash.cloudflare.com/) > go to **Team & Resources** > **Devices** > **Your devices**. -2. Select the device you want to investigate. -3. Find the device's client version under **Client version** in the side menu. -4. Compare your device's version with the [latest version of the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). - -### Client basics - -Understand the Cloudflare One Client's architecture, installation paths, and modes to help you diagnose issues with greater accuracy. - - - -#### Client architecture - - - -#### Client installation details - - - -#### Client modes - -The Cloudflare One Client operates in several modes, each with different traffic handling capabilities: - - - -## 2. Collect diagnostic logs - -You can collect diagnostic logs in two ways: the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) or the [`warp-diag`](#option-b-collect-logs-via-the-cli) command-line interface (CLI). - -### Option A: Collect logs via the Cloudflare dashboard - -Collect client diagnostic logs remotely from the Cloudflare One dashboard by using Digital Experience Monitoring's (DEX) remote captures. - -:::tip[Best practice] - -To troubleshoot effectively, Cloudflare recommends reproducing the issue and noting your timestamps immediately before collecting logs. Though recreating the issue may not be possible in all cases, reproducing the issue right before diagnostic log collection or during the window that a packet capture (PCAP) is running will help you troubleshoot with greater visibility. - -Refer to [diagnostic log retention window](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#log-retention-window) to learn more. -::: - -#### Start a remote capture - - - -#### Check remote capture status - - - -#### Download remote captures - - - -After you have your diagnostic files, go to [Review key files](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#3-review-key-files) to continue troubleshooting. - -:::tip[AI-assisted troubleshooting] - -The [WARP Diagnostics Analyzer](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diagnostics-analyzer-beta) uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. - -After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for client diagnostics: - -1. Go to **Insights** > **Digital experience** and select the **Diagnotics** tab. -2. Find your capture in the list of captures. -3. Select the three-dot icon next to **Status** > select **View WARP Diag** to generate an AI summary. - -This analyzer is available for logs collected via the dashboard. - -::: - -### Option B: Collect logs via the CLI - -Collect client diagnostic logs on your desktop using the `warp-diag` CLI. - - - -:::tip[Best practice] - -To troubleshoot effectively, Cloudflare recommends that you recreate the steps that cause the issue before running `warp-diag` and keep timestamps of your steps for review within the logs. - -::: - -After you have your diagnostic files, go to [Review key files](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#3-review-key-files) to continue troubleshooting. - -## 3. Review key files - -Client diagnostic logs capture the final Cloudflare One Client configuration and status on a device after all MDM policies and other software settings have been applied. Reviewing these logs can help you identify misconfigurations or unexpected behavior. - - - -### Check client status - -Open the `warp-status.txt` file to review the status of the Cloudflare One Client connection when the `warp-diag` was collected. A connected Cloudflare One Client will appear as: - -``` -Ok(Connected) -``` - -If the Cloudflare One Client is experiencing issues, the error will display in the Cloudflare One Client GUI on the device. Use the [Client errors](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/client-errors/) documentation to identify your error, its cause, and the solution. - -### Check client settings - -After you have checked client status, review the Cloudflare One Client's settings on the device to check if the expected configuration has been applied. Open the `warp-settings.txt` file to review the Cloudflare One Client settings. You will check the device's applied device profile and split tunnel configuration. - -#### Example `warp-settings.txt` file - -Find the client diagnostic logs on your desktop, and open the `warp-settings.txt` file. Review the following example `warp-settings.txt` file and the descriptions of its content below. - -```txt -Merged configuration: -(derived) Always On: true -(network policy) Switch Locked: false # If false, does not allow the user to turn off the WARP toggle and disconnect the WARP client -(network policy) Mode: WarpWithDnsOverHttps # The device's WARP mode, this mode is WARP with Gateway mode -(network policy) WARP tunnel protocol: WireGuard -(default) Disabled for Wifi: false -(default) Disabled for Ethernet: false -(reg defaults) Resolve via: 1xx0x1011xx000000000f0x00000x11.cloudflare-gateway.com @ [1xx.1xx.1x.1, 1x01:1x00:1x00::1xx1] # The SNI Cloudflare will use and the IP address for DNS-over-HTTPS (DoH) requests -(user set) qlog logging: Enabled -(default) Onboarding: true # If true, the user sees an onboarding prompt when they first install the WARP client -(network policy) Exclude mode, with hosts/ips: # Split tunnel configuration - 1xx.1xx.1xx.1xx/25 (zoom) -... - cname.user.net - -(network policy) Fallback domains: # Local domain fallback configuration - intranet -... - test -(not set) Daemon Teams Auth: false -(network policy) Disable Auto Fallback: false -(network policy) Captive Portal: 180 -(network policy) Support URL: my-organizations-support-portal.com # Your organization's support portal or IT help desk -(user set) Organization: Organization-Name -(network policy) Allow Mode Switch: true # The user is allowed to switch between WARP modes -(network policy) Allow Updates: false # WARP client will not perform update checks -(network policy) Allowed to Leave Org: true -(api defaults) Known apple connectivity check IPs: xx.xxx.0.0/16; -(network policy) LAN Access Settings: Allowed until reconnect on a /24 subnet # The maximum size of network that will be allowed when Access Lan is clicked. -(network policy) Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11 -``` - -:::tip[Quick debugging] - -The command `warp-cli settings` in a terminal will generate the same information that is present in the `warp-settings.txt` file. - -::: - -#### Contents of `warp-settings.txt` file - -Review the meanings of the fields in `warp-settings.txt` that are relevant to troubleshooting. - -##### Always On - -Refers to the current state of the connection toggle in the GUI. In the example file, the toggle is switched on. - -```txt -Always On: true -``` - -##### Switch Locked - -Refers to the [Lock WARP Switch](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch) which allows the user to use the client's connection toggle and disconnect the client. In the example file, the value is `false` meaning the user is able to connect or disconnect at their discretion. - -```txt -Switch Locked: false -``` - -When the Lock WARP Switch is enabled (`true`), users will need an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to temporarily disconnect the Cloudflare One Client on their device. - -##### Mode - -Refers to the [client mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) the device is using. In the example file, the client mode is `WarpWithDnsOverHttps` which is Traffic and DNS mode. Refer to the [client modes comparison matrix](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) to match your `warp-settings.txt` file's value with the mode name. - -```txt -Mode: WarpWithDnsOverHttps -``` - -##### Exclude mode, with hosts/ips - -Refers to your [split tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) settings. In the example file, the Cloudflare One Client is running in Exclude mode, meaning all traffic except for the traffic destined for these hosts and IPs will be sent through the WARP tunnel. The host `cname.user.net` and the IP `1xx.1xx.1xx.1xx/25 ` are both excluded from the WARP tunnel. - -```txt -Exclude mode, with hosts/ips: - 1xx.1xx.1xx.1xx/25 (zoom) -... - cname.user.net -``` - -:::note[Exclude mode versus Include mode] -`Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify. - - `Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel. - -::: - -##### Fallback domains - -Refers to your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) settings. In the example file, the Cloudflare One Client lists `intranet` as a domain that will not be sent to Gateway for processing and will instead be sent directly to the configured fallback servers. - -```txt -(network policy) Fallback domains: - intranet -... -``` - -##### Allow Mode Switch - -Refers to the [Mode switch](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#mode-switch) setting. In the example file, the mode switch is enabled (`true`) which means the user has the option to switch between [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) mode and [Gateway with DNS-over-HTTPS (DoH)](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) mode. - -```txt -Allow Mode Switch: true -``` - -##### Allow Updates - -Refers to the [Allow updates](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-updates) setting. In the example file, the allow updates setting is set to `false` meaning that the user will not receive update notifications when a new version of the Cloudflare One Client is available and cannot update the client without administrator approval. - -```txt -Allow Updates: false -``` - -##### Allowed to Leave Org - -Refers to the [Allow device to leave organization](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-device-to-leave-organization) setting. In the example file, the value is set to `true` meaning the user can log out from your Zero Trust organization. - -```txt -Allowed to Leave Org: true -``` - -##### LAN Access Settings - -Refers to the [Allow users to enable local network exclusion](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) setting. When enabled, it allows users to temporarily access local devices (like printers) by excluding the detected local subnet from the WARP tunnel. This example indicates access is allowed until the next client reconnection, and only for subnets up to `/24`. - -```txt -LAN Access Settings: Allowed until reconnect on a /24 subnet -``` - -##### Profile ID - -Refers to the [Device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) a device is using. In this example, the ID is `000000x1-00x1-1xx0-1xx1-11101x1axx11`. - -```txt -Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11 -``` - -## 4. Fix common misconfigurations - -To verify that the Cloudflare One Client is configured and working properly, review the following: - -1. Is the [wrong profile ID](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#edit-your-device-profile-match-rules) applied to the device? -2. Is the [wrong split tunnel configuration](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#wrong-split-tunnel-configuration) active on the device? - -### Wrong profile ID - -A profile ID is a unique identifier assigned to each [device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) in the Cloudflare One dashboard, used to determine which configuration settings apply to a device. - -#### Check the applied device profile - -To check that the applied device profile is the intended device profile: - -1. Go to [Cloudflare One](https://one.dash.cloudflare.com/) > **Team & Resources** > **Devices** > **Device profiles** > **General profiles**. -2. Find and select the device profile intended for the device. -3. Under **Profile details**, compare the displayed **Profile ID** with the `Profile ID` in the `warp-settings.txt` file. - -If your organization has multiple device profiles defined in the Cloudflare One dashboard, a device may be matched to an unexpected profile because: - -- How [profile precedence](#review-profile-precedence) is configured. -- [Managed network](#review-your-managed-network-settings) issues (if you are using a managed network.) -- User group [mismatch](#check-a-users-group-membership). -- Lack of [precise match rules](#edit-your-device-profile-match-rules). - -#### Review profile precedence - - - -:::caution -Avoid [reordering profiles](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#order-of-precedence) unless you are confident it will not affect other users. -::: - -#### Review your managed network settings - -A [managed network](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) is a network location that you define with a TLS endpoint, like a physical office. The Cloudflare One Client checks for this TLS endpoint to determine its location and apply the corresponding device profile. - -If the managed network is misconfigured or the TLS endpoint is unreachable, the device may fall back to an unintended profile. - -When troubleshooting the Cloudflare One Client for managed network issues: - -1. Verify the endpoint is reachable. - - The Cloudflare One Client connects to the TLS endpoint to identify the network. If the endpoint is down or unreachable, the Cloudflare One Client will fail to detect the network and apply the wrong profile. - - - - If the endpoint is down, you will receive a `Could not find certificate from ` response. - - If you received a returned SHA-256 fingerprint: - 1. Log into [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Team & Resources** > **Devices** > **Device profiles**. - 2. Go to **Managed networks** > **Edit**. - 3. Compare the TLS Cert SHA-256 in the dashboard with the returned fingerprint in your terminal to ensure they match. - -2. Use a single profile for a single location. - - To simplify management and prevent errors, avoid creating multiple managed network profiles for the same location. For example, if you have multiple TLS endpoints in one office, link them all to a single device profile. This reduces the risk of a device matching an unintended profile due to a configuration error. - -#### Check a user's group membership - -If a user is having issues with a device profile, it may be because they are not part of the correct user group. This can happen when an organization is not using SCIM for automatic identity provider (IdP) updates. - -To check that the user belongs to the intended group: - -1. Log into [Cloudflare One](https://one.dash.cloudflare.com/) > go to **Team & Resources** > **Users**. -2. Select the user. -3. Under **User Registry Identity**, select the user's name. -4. The **Get-identity endpoint** lists all the groups the user belongs to. - -If the user was recently added to a group, they will need to update their group membership with Cloudflare Zero Trust. This can be accomplished by logging into the reauthenticate endpoint. - - - -#### Edit your device profile match rules - -To modify the match rules of a device profile, you will need to edit the device profile. To edit the device profile: - - - -:::note - -Identity-based selectors are only available if the user [enrolled the device](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) by logging in to an identity provider (IdP). - -::: - -### Wrong split tunnel configuration - - - -A misconfigured [split tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) can cause connectivity issues. - -For example, if you set your mode to Exclude IPs and domains and accidentally exclude an IP address needed by an application, that application may not work correctly. Similarly, in Include IPs and domains mode, forgetting to include a necessary IP or domain will cause traffic to bypass the Cloudflare One Client, and you will lose access to your Zero Trust security features. - -#### 1. Check the applied split tunnel configuration - -After downloading the client diagnostic logs, review that your configuration is working as intended: - -1. Open the `warp-settings.txt` file and find `Exclude mode, with hosts/ips:` or `Include mode, with hosts/ips:`. - - :::note[Exclude mode versus Include mode] - `Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify. - - `Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel. - ::: - -2. Log into [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Device profiles** > **General profiles**. -3. Find and select the device profile intended for the device. -4. Select **Edit**. -5. Find **Split Tunnels** and note the mode you have selected > select **Manage**. -6. Cross-reference the IPs/hosts you have configured in the Cloudflare One dashboard with the IPs/hosts listed in `warp-settings.txt`. - -If your dashboard split tunnel configuration does not match your `warp-settings.txt` file configuration, you may need to force the Cloudflare One Client to [update its settings](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#update-the-warp-clients-settings). - -#### 2. Update the Cloudflare One Client's settings - -If the split tunnel configuration in `warp-settings.txt` does not match the dashboard, you can force the Cloudflare One Client to fetch the latest settings. - -This can be done by instructing the end user to [disconnect and reconnect the client](#option-a-disconnect-and-reconnect-the-client), or [reset their encryption keys](#option-b-reset-the-encryption-keys). - -Both methods update the client with the latest configuration. - -##### Option A: Disconnect and reconnect the client - - - - -1. On the end user device, open the Cloudflare One Client and select **Disconnect**. - -:::note[What if the end user cannot disconnect?] -If the end user does not see the [disconnect button](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch), they will need to enter an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes). - -[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution. -::: - -2. Select **Connect**. - - - - -1. On the end user device, open the Cloudflare One Client and disconnect. - -:::note[What if the end user cannot disconnect?] -If the end user's [connection toggle](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch) is locked, they will need an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to be able to disconnect. - -[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution. -::: - -2. Reconnect the Cloudflare One Client. - - - - -The client will fetch new settings when it reconnects. - -##### Option B: Reset the encryption keys - -To reset the encryption keys on an end user's desktop: - - - -## 5. Get help - - + diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx index e05fc58c7f62156..40496b76c15f567 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate.mdx @@ -182,4 +182,4 @@ To use a custom root certificate you generated and uploaded to Cloudflare, refer ## Troubleshoot HTTP errors -If Gateway returns an **HTTP Response Code: 526** after deploying a custom certificate, you can [troubleshoot errors with our FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). +If Gateway returns an **HTTP Response Code: 526** after deploying a custom certificate, you can [troubleshoot errors with Gateway](/cloudflare-one/traffic-policies/troubleshooting/#error-526-invalid-ssl-certificate). diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx index d4cfa381efb0f13..d25b2a176a1f5b2 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/user-side-certificates/index.mdx @@ -14,7 +14,7 @@ Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) :::caution[Default certificate expired on 2025-02-02] The default Cloudflare certificate expired on 2025-02-02 at 16:05 UTC. -Review how this change impacts certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/faq/troubleshooting/#as-of-february-2-2025-my-end-user-devices-browser-is-returning-a-your-connection-is-not-private-warning). +Review how this change impacts certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues). ::: ## Certificate status diff --git a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx index a9c4d767c53e80a..8a4d239e0e8f89f 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/http-policies/index.mdx @@ -57,7 +57,7 @@ The **Untrusted certificate action** determines how to handle insecure requests. | ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Error | Display Gateway error page. Matches the default behavior when no action is configured. | | Block | Display [block page](/cloudflare-one/reusable-components/custom-pages/gateway-block-page/) as set in Cloudflare One. | -| Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to the [troubleshooting FAQ](/cloudflare-one/faq/troubleshooting/#i-see-error-526-when-browsing-to-a-website). | +| Pass through | Bypass insecure connection warnings and seamlessly connect to the upstream. For more information on what statuses are bypassed, refer to [Troubleshooting Gateway](/cloudflare-one/traffic-policies/troubleshooting/#error-526-invalid-ssl-certificate). | ### Block diff --git a/src/content/docs/cloudflare-one/traffic-policies/index.mdx b/src/content/docs/cloudflare-one/traffic-policies/index.mdx index ba9752a4c4f78b3..165ffbabe3ce0c0 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/index.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/index.mdx @@ -99,3 +99,8 @@ The right policy type depends on the traffic you want to filter: | Assign static egress IPs | Egress | Lets third-party services identify your organization | | Drop traffic before other policies run | Packet filtering | Blocks by packet attributes without user context | | Route DNS to custom nameservers | Resolver | Overrides the default Cloudflare resolver | + +## Troubleshooting + +For help resolving common issues with Gateway policies, refer to [Troubleshooting](/cloudflare-one/traffic-policies/troubleshooting/). + diff --git a/src/content/docs/cloudflare-one/traffic-policies/troubleshooting.mdx b/src/content/docs/cloudflare-one/traffic-policies/troubleshooting.mdx new file mode 100644 index 000000000000000..b4e5e151e722798 --- /dev/null +++ b/src/content/docs/cloudflare-one/traffic-policies/troubleshooting.mdx @@ -0,0 +1,10 @@ +--- +title: Troubleshooting +pcx_content_type: troubleshooting +sidebar: + order: 16 +--- + +import { Render } from "~/components"; + + diff --git a/src/content/docs/cloudflare-one/troubleshooting/access.mdx b/src/content/docs/cloudflare-one/troubleshooting/access.mdx new file mode 100644 index 000000000000000..2c1759b25a6824a --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/access.mdx @@ -0,0 +1,20 @@ +--- +title: Access +pcx_content_type: navigation +sidebar: + order: 23 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More Access resources + +For more information, refer to the full Access troubleshooting guide. + + + Full Access troubleshooting guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/browser-isolation.mdx b/src/content/docs/cloudflare-one/troubleshooting/browser-isolation.mdx new file mode 100644 index 000000000000000..656795ce818e894 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/browser-isolation.mdx @@ -0,0 +1,20 @@ +--- +title: Browser Isolation +pcx_content_type: navigation +sidebar: + order: 29 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More Browser Isolation resources + +For more information, refer to the full Browser Isolation documentation. + + + Browser Isolation troubleshooting ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/casb.mdx b/src/content/docs/cloudflare-one/troubleshooting/casb.mdx new file mode 100644 index 000000000000000..e4c63a839adbf63 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/casb.mdx @@ -0,0 +1,20 @@ +--- +title: CASB +pcx_content_type: navigation +sidebar: + order: 27 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More CASB resources + +For more information, refer to the full CASB documentation. + + + CASB troubleshooting ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/contact-support.mdx b/src/content/docs/cloudflare-one/troubleshooting/contact-support.mdx new file mode 100644 index 000000000000000..b5b2a2b10286caf --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/contact-support.mdx @@ -0,0 +1,48 @@ +--- +title: Contact Cloudflare Support +pcx_content_type: how-to +sidebar: + order: 100 +--- + +import { Render } from "~/components"; + +If you cannot resolve an issue using our troubleshooting guides, you can [open a support case](/support/contacting-cloudflare-support/). + +To help us investigate your issue quickly, please collect and provide the following information when you contact Cloudflare Support. + +## 1. Gather general information + +For all issues, please include: + +- **Timestamp (UTC)**: The exact time the issue occurred. +- **Detailed description**: A clear description of the problem and the steps to reproduce it. +- **Actual vs. Expected**: What happened versus what you expected to happen. +- **Problem frequency**: How often does the issue occur? +- **Screenshots**: Any relevant screenshots or videos of the error. +- **Example URLs**: Specific URLs where the issue is occurring. + +## 2. Collect product diagnostics + +Depending on the product, providing diagnostic files is critical for a technical investigation. + +### Cloudflare One Client (WARP) +If the issue involves the Cloudflare One Client, run the `warp-diag` command on the affected device and attach the resulting `.zip` file to your case. For more information, refer to [Diagnostic logs](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/). + +### Cloudflare Tunnel +If the issue involves Cloudflare Tunnel, run the `cloudflared tunnel diag` command and provide the generated report. For more information, refer to [Tunnel diagnostic logs](/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/diag-logs/). + +### Access and Gateway +For issues related to authentication loops, blocked websites, or policy enforcement: + +- **HAR file**: Provide a [HAR file](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#generate-a-har-file) captured while reproducing the issue. +- **Ray ID**: If you see a Cloudflare error page, provide the **Ray ID** displayed at the bottom of the page. +- **Identity Provider logs**: Relevant logs from your identity provider (IdP) if the issue involves login failures. +- **Request ID**: For Gateway issues, you can find the `oxy.request_id` in your [Gateway logs](/cloudflare-one/traffic-policies/troubleshooting/). + +### Digital Experience Monitoring (DEX) +For issues with DEX tests or device monitoring, provide a [remote capture](/cloudflare-one/insights/dex/remote-captures/) from the Zero Trust dashboard. + +--- + +For more information, refer to [Contacting Cloudflare Support](/support/contacting-cloudflare-support/). diff --git a/src/content/docs/cloudflare-one/troubleshooting/dex.mdx b/src/content/docs/cloudflare-one/troubleshooting/dex.mdx new file mode 100644 index 000000000000000..5bc7e70935a06d2 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/dex.mdx @@ -0,0 +1,20 @@ +--- +title: DEX +pcx_content_type: navigation +sidebar: + order: 30 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More DEX resources + +For more information, refer to the full DEX documentation. + + + DEX troubleshooting ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/dlp.mdx b/src/content/docs/cloudflare-one/troubleshooting/dlp.mdx new file mode 100644 index 000000000000000..576e5717729c672 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/dlp.mdx @@ -0,0 +1,20 @@ +--- +title: DLP +pcx_content_type: navigation +sidebar: + order: 28 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More DLP resources + +For more information, refer to the full DLP documentation. + + + DLP troubleshooting ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/email-security.mdx b/src/content/docs/cloudflare-one/troubleshooting/email-security.mdx new file mode 100644 index 000000000000000..bab52c7cbed81ba --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/email-security.mdx @@ -0,0 +1,20 @@ +--- +title: Email Security +pcx_content_type: navigation +sidebar: + order: 31 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More Email Security resources + +For more information, refer to the full Email Security documentation. + + + Email Security troubleshooting ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/gateway.mdx b/src/content/docs/cloudflare-one/troubleshooting/gateway.mdx new file mode 100644 index 000000000000000..28df5b92572148e --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/gateway.mdx @@ -0,0 +1,20 @@ +--- +title: Gateway +pcx_content_type: navigation +sidebar: + order: 24 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More Gateway resources + +For more information, refer to the full Gateway troubleshooting guide. + + + Full Gateway troubleshooting guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/index.mdx b/src/content/docs/cloudflare-one/troubleshooting/index.mdx new file mode 100644 index 000000000000000..27e7443f7302423 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/index.mdx @@ -0,0 +1,28 @@ +--- +title: Troubleshooting Cloudflare One +pcx_content_type: navigation +sidebar: + order: 22 + label: Overview +description: Find troubleshooting guides for Cloudflare One products and learn how to collect information for Cloudflare Support. +--- + +import { LinkTitleCard, CardGrid, Render, LinkButton } from "~/components"; + +Explore troubleshooting resources for Cloudflare One products. + +## Product troubleshooting + + + + + + + + + + + + + + diff --git a/src/content/docs/cloudflare-one/troubleshooting/tunnel.mdx b/src/content/docs/cloudflare-one/troubleshooting/tunnel.mdx new file mode 100644 index 000000000000000..46596a6e74e2a32 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/tunnel.mdx @@ -0,0 +1,34 @@ +--- +title: Tunnel +pcx_content_type: navigation +sidebar: + order: 25 +--- + +import { Render, LinkButton } from "~/components"; + +Explore common issues and solutions for Cloudflare Tunnel. + + + +--- + +## More Tunnel resources + +For more information, refer to the full Tunnel troubleshooting guide. + + + Full Tunnel troubleshooting guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/wan/connectivity.mdx b/src/content/docs/cloudflare-one/troubleshooting/wan/connectivity.mdx new file mode 100644 index 000000000000000..75e92e328a0a145 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/wan/connectivity.mdx @@ -0,0 +1,31 @@ +--- +title: Connectivity +pcx_content_type: navigation +sidebar: + order: 35 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More WAN resources + +For more information, refer to the full Magic WAN documentation. + + + Full connectivity troubleshooting guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/wan/index.mdx b/src/content/docs/cloudflare-one/troubleshooting/wan/index.mdx new file mode 100644 index 000000000000000..74b4abb0a1588a9 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/wan/index.mdx @@ -0,0 +1,12 @@ +--- +title: Cloudflare WAN +pcx_content_type: navigation +sidebar: + order: 32 +--- + +import { DirectoryListing } from "~/components" + +Explore resources to help you resolve issues with Cloudflare WAN (Magic WAN) connectivity, routing, and tunnel health. + + diff --git a/src/content/docs/cloudflare-one/troubleshooting/wan/ipsec.mdx b/src/content/docs/cloudflare-one/troubleshooting/wan/ipsec.mdx new file mode 100644 index 000000000000000..5b61d06c2974ab0 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/wan/ipsec.mdx @@ -0,0 +1,20 @@ +--- +title: IPsec +pcx_content_type: navigation +sidebar: + order: 33 +--- + +import { Render, LinkButton } from "~/components" + + + +--- + +## More WAN resources + +For more information, refer to the full Magic WAN documentation. + + + Full IPsec troubleshooting guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/wan/routing-bgp.mdx b/src/content/docs/cloudflare-one/troubleshooting/wan/routing-bgp.mdx new file mode 100644 index 000000000000000..f42aed8d3fe834f --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/wan/routing-bgp.mdx @@ -0,0 +1,31 @@ +--- +title: Routing and BGP +pcx_content_type: navigation +sidebar: + order: 36 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More WAN resources + +For more information, refer to the full Magic WAN documentation. + + + Full routing and BGP guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/wan/tunnel-health.mdx b/src/content/docs/cloudflare-one/troubleshooting/wan/tunnel-health.mdx new file mode 100644 index 000000000000000..01d12132ae7c7c2 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/wan/tunnel-health.mdx @@ -0,0 +1,34 @@ +--- +title: Tunnel health +pcx_content_type: navigation +sidebar: + order: 34 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More WAN resources + +For more information, refer to the full Magic WAN documentation. + + + Full tunnel health guide ❯ + diff --git a/src/content/docs/cloudflare-one/troubleshooting/warp-client.mdx b/src/content/docs/cloudflare-one/troubleshooting/warp-client.mdx new file mode 100644 index 000000000000000..773a8ffa1847ea6 --- /dev/null +++ b/src/content/docs/cloudflare-one/troubleshooting/warp-client.mdx @@ -0,0 +1,20 @@ +--- +title: Cloudflare One Client +pcx_content_type: navigation +sidebar: + order: 26 +--- + +import { Render, LinkButton } from "~/components"; + + + +--- + +## More Client resources + +For more information, refer to the full Cloudflare One Client documentation. + + + Cloudflare One Client troubleshooting ❯ + diff --git a/src/content/partials/cloudflare-one/troubleshooting/access.mdx b/src/content/partials/cloudflare-one/troubleshooting/access.mdx new file mode 100644 index 000000000000000..46c7fa5d154480d --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/access.mdx @@ -0,0 +1,55 @@ +Review common troubleshooting scenarios for Cloudflare Access. + +## Authentication and login + +### AJAX/CORS errors +Cloudflare Access requires that the `credentials: same-origin` parameter be added to JavaScript when using the Fetch API to include cookies. AJAX requests fail if this parameter is missing, resulting in an error such as `No Access-Control-Allow-Origin header is present on the requested resource`. For more information, refer to [CORS settings](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/). + +### SAML verification failure +The error `SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify` occurs when the identity provider (IdP) does not include the signing public key in the SAML response. Cloudflare Access requires the public key to match the **Signing certificate** uploaded to Zero Trust. Configure your IdP to include the public key in the response. + +### Identity provider user/group info error +The error `Failed to fetch user/group information from the identity provider` occurs when Cloudflare lacks the necessary API permissions to communicate with your IdP. Review the [SSO integration guide](/cloudflare-one/integrations/identity-providers/) for your specific IdP and ensure the application has the correct permissions (for example, Microsoft Entra or Okta). + +### Google Workspace redirect loop +If you place your Google Workspace behind Access, you cannot use Google or Google Workspace as an identity provider for that application. This creates an infinite redirect cycle because both systems depend on each other to complete the login. + +### Invalid session error +The error `Invalid session. Please try logging in again` indicates that Access was unable to validate your `CF_Session` cookie. This can happen if software or a firewall on your device interferes with requests to Access. Ensure that the same browser instance is used to both initiate and complete the sign-in. + +### Firefox Private Window +Firefox's default tracking prevention in Private Windows may prevent the `CF_authorization` cookie from being sent, especially for XHR requests. To resolve this, you may need to exempt your application domain and your [team domain](/cloudflare-one/glossary/#team-name) from tracking protection. + +### Workers routes on the login path +If you have a Cloudflare Worker route assigned to your application's login path, the Worker may overwrite the `cf-authorization` cookie. To prevent this, ensure your Worker script does not modify or strip the `Set-Cookie` header for Access cookies. + +## Identity providers + +### OTP email not received +If a user does not receive a one-time PIN (OTP) email: +- **Policy denial**: If the user's email address does not match any **Allow** policies for the application, Cloudflare will not send an OTP email. The login page will still display a message saying the email was sent to prevent account enumeration. +- **Email suppression**: The user's email may be on a suppression list due to previous delivery failures. Check your email logs or contact Support to clear suppressions. + +### Google Super Admin login +If you use Access as the SSO provider for your Google Workspace, Google Super Admins cannot sign in via Access when accessing `admin.google.com`. Google requires Super Admins to use their original Google password to ensure they can always access the admin console. + +### Missing SAML attributes +If you receive a `Required attributes are missing` error during SAML authentication, verify that your IdP is sending the mandatory **email** attribute. Additionally, check for typos in attribute names (for example, `groups` vs `gropus`) in your [IdP configuration](/cloudflare-one/integrations/identity-providers/). + +## Applications and certificates + +### SSH short-lived certificates +The error `Error 0: Bad Request. Please create a ca for application` appears if a certificate has not been generated for the Access application. Refer to [SSH short-lived certificates](/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy/) to generate a CA for the application. + +### SSH "Origin auth failed" +This error often indicates a configuration issue on the target server's SSH daemon (`sshd`): +- **SSHD config**: Verify that `PubkeyAuthentication` is set to `yes` and `TrustedUserCAKeys` points to the correct Cloudflare CA file. +- **Multiple auth methods**: Cloudflare Access for Infrastructure currently does not support `AuthenticationMethods` with multiple comma-separated requirements (for example, `publickey,keyboard-interactive`). + +### Team domain change error +The error `Access api error auth_domain_cannot_be_updated_dash_sso` occurs if you try to change your team domain while [Cloudflare dashboard SSO](/fundamentals/manage-members/dashboard-sso/) is enabled. Dashboard SSO does not currently support team domain changes. + +### Long-lived SSH sessions disconnect +All connections proxied through Cloudflare Gateway, including traffic to [Access for Infrastructure](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-infrastructure-access/) SSH targets, have a maximum guaranteed duration of 10 hours. If a connection is active during a Gateway release, it will be terminated 10 hours later. + +To prevent unexpected disconnects, we recommend terminating sessions on a predefined schedule (for example, an 8-hour idle timeout). You can configure this using `ChannelTimeout` in your SSH server or client configuration. diff --git a/src/content/partials/cloudflare-one/troubleshooting/browser-isolation.mdx b/src/content/partials/cloudflare-one/troubleshooting/browser-isolation.mdx new file mode 100644 index 000000000000000..a68729e1c588fba --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/browser-isolation.mdx @@ -0,0 +1,33 @@ +Review common troubleshooting scenarios for Cloudflare Browser Isolation. + +## Connectivity and sessions + +### No Browsers Available +If you encounter a `No Browsers Available` alert, please file feedback via the Cloudflare One Client. This error typically indicates a temporary capacity issue in the data center or a connectivity problem between your client and the remote browser. + +### Maximum Sessions Reached +This alert appears if your device attempts to establish more than two concurrent remote browser instances. A browser isolation session is shared across all tabs and windows within the same browser (for example, all Chrome tabs share one session). You can use two different browsers (such as Chrome and Firefox) concurrently, but opening a third will trigger this alert. To release a session, close all tabs and windows in one of your local browsers. + +## Rendering and performance + +### WebGL Rendering Error +Cloudflare Browser Isolation uses Network Vector Rendering (NVR), which does not support WebGL (Web Graphics Library) in all environments. If a website requires WebGL and your device lacks the necessary hardware resources in the virtualized environment, you may see a rendering error. + +To resolve this, try enabling software rasterization in your browser: +1. Go to `chrome://flags/#override-software-rendering-list`. +2. Set **Override software rendering list** to *Enabled*. +3. Select **Relaunch**. + +### Blank screen on Windows +On Windows devices, Clientless Web Isolation may load with a blank screen if there is a conflict between browser mDNS settings and Windows IGMP configuration. + +| IGMPLevel | WebRTC Anonymization | Result | +| --------- | -------------------- | ------ | +| 0 (disabled) | Enabled / Default | ❌ Blank screen | +| 0 (disabled) | Disabled | ✅ Works | +| 2 (enabled) | Enabled / Default | ✅ Works | + +To fix this, either disable **Anonymize local IPs exposed by WebRTC** in your browser flags or ensure `IGMPLevel` is enabled (set to `2`) in your Windows network settings. + +### Rendering issues (CSS/Images) +If a website displays incorrectly (for example, broken CSS or missing images), it may indicate that the remote browser is unable to fetch specific resources from the origin server. Check your [Gateway HTTP logs](/cloudflare-one/traffic-policies/troubleshooting/) for any blocked subresources that might be required by the page. diff --git a/src/content/partials/cloudflare-one/troubleshooting/casb.mdx b/src/content/partials/cloudflare-one/troubleshooting/casb.mdx new file mode 100644 index 000000000000000..812e31a9e577986 --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/casb.mdx @@ -0,0 +1,15 @@ +Use this guide to troubleshoot common issues with Cloud Access Security Broker (CASB). + +## Security findings + +### Findings not appearing +If you do not see findings for an integrated application: +- **Wait for scan**: Initial scans can take up to 24 hours depending on the size of the application. +- **Permissions**: Ensure the account used to integrate the application has the necessary administrative permissions. +- **Enabled status**: Verify that the integration is enabled in the Zero Trust dashboard. + +### False positives +If CASB flags a configuration that is intended for your organization: +1. Go to **CASB** > **Findings**. +2. Select the finding and choose **Dismiss**. +3. Provide a reason for dismissal to help refine future scans. diff --git a/src/content/partials/cloudflare-one/troubleshooting/dex.mdx b/src/content/partials/cloudflare-one/troubleshooting/dex.mdx new file mode 100644 index 000000000000000..d9f76c11a762d23 --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/dex.mdx @@ -0,0 +1,22 @@ +Review common troubleshooting scenarios for Digital Experience Monitoring (DEX). + +## Data visibility + +### No data displayed for certain users +If you do not see DEX data for specific users in your organization, verify the following: + +- **Client version**: Ensure the users are running a version of the Cloudflare One Client that supports DEX. +- **DEX enabled**: Confirm that DEX is enabled for the [device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) assigned to those users. +- **Traffic routing**: DEX requires that traffic to Cloudflare's orchestration API is not blocked by local firewalls or SSL-inspecting proxies. + +### Fleet status not updating +The Fleet status dashboard can take several minutes to reflect changes in device connectivity. If a device remains in an incorrect state, try disconnecting and reconnecting the Cloudflare One Client to force a status update. + +## Remote captures + +### Remote capture fails to start +Remote captures require the Cloudflare One Client to be connected and able to communicate with the Cloudflare control plane. If a capture fails to start: + +- Verify the device status in the Zero Trust dashboard. +- Ensure the device has sufficient disk space to store the capture files before upload. +- Check for any local firewall rules that might be blocking the capture command. diff --git a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx similarity index 97% rename from src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx rename to src/content/partials/cloudflare-one/troubleshooting/dlp.mdx index b26a62bb91becc6..f5913c3f3fec336 100644 --- a/src/content/docs/cloudflare-one/data-loss-prevention/troubleshoot-dlp.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/dlp.mdx @@ -1,10 +1,3 @@ ---- -title: Troubleshoot DLP -pcx_content_type: troubleshooting -sidebar: - order: 5 ---- - import { Render } from "~/components"; Use this guide to troubleshoot common issues with Data Loss Prevention (DLP). diff --git a/src/content/partials/cloudflare-one/troubleshooting/email-security.mdx b/src/content/partials/cloudflare-one/troubleshooting/email-security.mdx new file mode 100644 index 000000000000000..77aac5be079b8ae --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/email-security.mdx @@ -0,0 +1,49 @@ +Review common troubleshooting scenarios for Cloudflare Email Security. + +## Email headers and attributes + +Email Security identifies threats using detections that result in a final disposition. You can inspect email headers to understand why a specific disposition was applied. + +| Attribute | Description | +| --------- | ----------- | +| `CUSTOM_BLOCK_LIST` | Matches a value defined in your custom block list. | +| `NEW_DOMAIN_SENDER` | The email was sent from a newly registered domain. | +| `NEW_DOMAIN_LINK` | The email contains links to a newly registered domain. | +| `ENCRYPTED` | The email message is encrypted. | +| `BEC` | The sender address is in your [impersonation registry](/cloudflare-one/email-security/settings/detection-settings/impersonation-registry/). | + +## Detections and reclassification + +### Handle a false positive +A false positive occurs when a legitimate email is incorrectly flagged as malicious or spam. + +**Solution**: +1. In the Email Security dashboard, go to **Investigation**. +2. Find the email and select **Submit for reclassification**. +3. Choose the correct disposition (for example, `Clean`). +4. To prevent future blocks, add the sender to your [Acceptable Senders](/cloudflare-one/email-security/settings/detection-settings/allow-policies/) list. + +### Handle a false negative +A false negative occurs when a malicious email is not detected by Email Security. + +**Solution**: +1. Ensure the email actually passed through Email Security by checking for the `X-CFEmailSecurity-Disposition` header. +2. Submit the email for reclassification in the dashboard. This is the preferred method for reporting missed detections. + +## Authentication errors + +### DMARC failures +Email Security may mark an email as **SPAM** if it fails DMARC authentication and the sending domain has a `p=reject` or `p=quarantine` policy. + +**Solution**: +- Ask the sender to fix their DMARC/SPF/DKIM records. +- Configure an [Acceptable Sender](/cloudflare-one/email-security/settings/detection-settings/allow-policies/) entry to suppress the failure for that specific sender. + +## Delivery issues + +### Emails are delayed or not arriving +If emails are not being delivered or are arriving with significant latency: + +1. **Check MX records**: Ensure your [MX records](/cloudflare-one/email-security/setup/) are correctly configured and pointing to Cloudflare. +2. **Verify connectivity**: From your sending mail server, verify you can connect to Cloudflare's mailstream endpoints on port 25. +3. **Check outbound logs**: In the dashboard, use the **Mail Trace** feature to confirm if Email Security successfully delivered the email to your downstream mail server (for example, Google Workspace or Microsoft 365). diff --git a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx similarity index 82% rename from src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx rename to src/content/partials/cloudflare-one/troubleshooting/gateway.mdx index e7b7f620ea3e405..7fc65d0caffe4a1 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/troubleshoot-gateway.mdx +++ b/src/content/partials/cloudflare-one/troubleshooting/gateway.mdx @@ -1,17 +1,36 @@ ---- -title: Troubleshoot Gateway -pcx_content_type: troubleshooting -sidebar: - order: 16 ---- +This guide helps you troubleshoot common issues with Cloudflare Gateway policies. -import { TabItem, Tabs } from "~/components"; +## Blocked websites and connectivity -This guide helps you troubleshoot common issues with Cloudflare Gateway policies. The issues are ordered by the most frequent problems. +### A website is blocked incorrectly +If you believe a domain has been incorrectly blocked by Gateway's security categories or threat intelligence, you can use the [Cloudflare Radar categorization feedback form](https://radar.cloudflare.com/categorization-feedback/) to request a review. -## Egress policies do not work as expected +### Error 526: Invalid SSL certificate +Gateway presents a **526** error page when it cannot establish a secure connection to the origin. This typically occurs in two cases: -Egress policies are the most common category of issues for Gateway. Symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center. +- **Untrusted origin certificate**: The certificate presented by the origin server is expired, revoked, or issued by an unknown authority. +- **Insecure origin connection**: The origin does not support modern cipher suites or redirects all HTTPS requests to HTTP. + +For more information, refer to [Error 526](/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/). + +### Error 502: Bad Gateway +This issue can occur when communicating with an origin that partially supports HTTP/2. If the origin requests a downgrade to HTTP/1.1 (for example, via a `RST_STREAM` frame with `HTTP_1_1_REQUIRED`), Gateway will not automatically reissue the request over HTTP/1.1 and will instead return a `502 Bad Gateway`. To resolve this, disable HTTP/2 at the origin server. + +### Untrusted certificate warnings +If users see certificate warnings for every page, ensure that the [Cloudflare root certificate](/cloudflare-one/team-and-resources/devices/user-side-certificates/) is installed and trusted on their devices. This is required for Gateway to inspect HTTPS traffic. + +## Dashboard and analytics + +### Gateway analytics not displayed +If you do not see analytics on the Gateway Overview page: + +- **Verify DNS traffic**: Ensure your devices are actually sending queries to Gateway. Check your [DNS locations](/cloudflare-one/connections/connect-devices/agentless/dns/) and verify the source IPv4 address. +- **Check other resolvers**: Ensure that no other DNS resolvers are configured on the device, as they might be bypassing Gateway. +- **Wait for processing**: It can take up to 5 minutes for analytics to appear in the dashboard. + +## Egress policies + +Egress policies symptoms include traffic not using your dedicated egress IP, incorrect failover behavior, or high latency due to Gateway routing traffic through a distant data center. ### Symptom: traffic is not using your dedicated egress IP @@ -36,14 +55,12 @@ Your primary dedicated egress IP becomes unavailable, but instead of using your Gateway routes your users in one country (such as Australia) through a dedicated egress IP located in another region (such as Germany), causing high latency and breaking access to geo-restricted content. -Common causes and solutions: - | Common cause | Solution | | -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Single egress policy | You may have one broad egress policy that applies to all users regardless of their location. Create location-aware egress policies. Use the _User Location_ selector in your policy to tie specific user locations to their nearest dedicated egress IP. For example, create one policy for when _User Location_ is `United Kingdom`, egress via London IP; create a second policy for when _User Location_ is `Australia`, egress via Sydney IP. | | Incorrect geolocation data | The IP address of the user's ISP may not be correctly geolocated. Check the user's location as seen by Cloudflare in the Gateway logs. If it appears incorrect, you can report it to Cloudflare Support. | -## Gateway does not apply policies in the correct order +## Policy precedence A common point of confusion is how Gateway evaluates its different policy types and the rules within them. @@ -55,7 +72,7 @@ The most important concept is [Gateway policy precedence](/cloudflare-one/traffi To resolve Gateway policy precedence issues: -1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. +1. In [Cloudflare One](https://one.dash.cloudflare.com), go to **Traffic policies** > **Firewall policies**. 2. Review the order of your DNS, Network, and HTTP policies. 3. Ensure that your most specific Allow, Do Not Scan, or Do Not Inspect policies have a lower order number than your general Block policies. 4. Drag and drop policies to reorder them as needed. An Allow policy for `teams.microsoft.com` should be placed before a general Block policy for all file sharing applications. @@ -72,6 +89,8 @@ These applications do not use the operating system's trust store and therefore d To resolve this issue: +import { Tabs, TabItem, Render } from "~/components"; + @@ -109,6 +128,6 @@ You have configured Gateway to resolve internal hostnames, but users are unable | Common causes | Solution | | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Missing or incorrect resolver policy | Go to **Traffic policies** > **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses. | +| Missing or incorrect resolver policy | Go to **Traffic policies** > **Resolver policies**. Create a policy that matches your internal domain suffix and forwards queries to your internal DNS servers' IP addresses. | | Split Tunnel excludes the private IP range | If your internal resources are in a private IP range (such as `10.0.0.0/8`), that range must be included in the tunnel. If it is in the Exclude list of your Split Tunnel configuration, the Cloudflare One Client will not proxy the traffic. | | Local Domain Fallback misconfiguration | Use resolver policies for corporate DNS. Only use Local Domain Fallback for domains specific to a user's immediate physical network. | diff --git a/src/content/partials/cloudflare-one/troubleshooting/warp-client.mdx b/src/content/partials/cloudflare-one/troubleshooting/warp-client.mdx new file mode 100644 index 000000000000000..f093bb762b181c4 --- /dev/null +++ b/src/content/partials/cloudflare-one/troubleshooting/warp-client.mdx @@ -0,0 +1,510 @@ +import { + MetaInfo, + Render, + Steps, + Stream, + Tabs, + TabItem, + Type, +} from "~/components"; + +This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux. + +1. **Before you start**: [Prerequisites](#prerequisites), permissions, [version control](#check-your-client-version), and client basics. +2. **Collect logs**: Through [Cloudflare One](#option-a-collect-logs-via-the-cloudflare-dashboard) (with DEX remote capture) or the [command-line interface](#option-b-collect-logs-via-the-cli) (CLI) (`warp-diag`). +3. **Review logs**: [Status](#check-client-status), [settings](#check-client-settings), [profile ID](#profile-id), [split tunnel](#exclude-mode-with-hostsips) configuration, and other settings. +4. **Fix common misconfigurations**: [Profile mismatch](#wrong-profile-id), [split tunnel issues](#wrong-split-tunnel-configuration), [managed network issues](#review-your-managed-network-settings), [user group mismatch](#check-a-users-group-membership). +5. **File a support ticket**: [How to file a ticket](#5-file-a-support-ticket) after you have exhausted your troubleshooting options. + +:::note[AI-assisted troubleshooting] + +Cloudflare One includes two free AI helpers to speed up Cloudflare One Client investigations: + +[**WARP Diagnostics Analyzer**](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diagnostics-analyzer-beta) - Uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. This analyzer is available for logs collected via the dashboard. + +[**DEX MCP server**](/cloudflare-one/insights/dex/dex-mcp-server/) — An AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by carly@acme.com", and receive an answer that contains data from the DEX API. + +::: + +## 1. Before you start + +### Prerequisites + +- You must have completed the [Zero Trust onboarding flow](/cloudflare-one/setup/) with a Zero Trust organization created. +- You must have the Cloudflare One Client installed on an end user device. +- You must have a [role](/cloudflare-one/roles-permissions/) that gives admin permission to access logs on the Cloudflare dashboard. + +### Check your client version + +Many troubleshooting issues are caused by outdated client versions. For the best performance and compatibility, administrators should check for new releases and [update the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) before attempting to troubleshoot other issues. + +After updating the Cloudflare One Client, monitor the issue to see if it recurs. If the issue persists, continue with the troubleshooting guide. + +#### Via the device + + + + +1. Open the Cloudflare One Client on your desktop. +2. Select **About**. +3. Compare your device's version with the [latest version](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). + + + + + +4. Open the Cloudflare One Client on the desktop. +5. Select the gear icon. +6. Select **About WARP**. +7. Compare your device's version with the [latest version of the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). + + + + +#### Via the Cloudflare One dashboard + +1. Log into [Cloudflare One](https://one.dash.cloudflare.com/) > go to **Team & Resources** > **Devices** > **Your devices**. +2. Select the device you want to investigate. +3. Find the device's client version under **Client version** in the side menu. +4. Compare your device's version with the [latest version of the Cloudflare One Client](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/). + +### Client basics + +Understand the Cloudflare One Client's architecture, installation paths, and modes to help you diagnose issues with greater accuracy. + + + +#### Client architecture + + + +#### Client installation details + + + +#### Client modes + +The Cloudflare One Client operates in several modes, each with different traffic handling capabilities: + + + +## 2. Collect diagnostic logs + +You can collect diagnostic logs in two ways: the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) or the [`warp-diag`](#option-b-collect-logs-via-the-cli) command-line interface (CLI). + +### Option A: Collect logs via the Cloudflare dashboard + +Collect client diagnostic logs remotely from the Cloudflare One dashboard by using Digital Experience Monitoring's (DEX) remote captures. + +:::tip[Best practice] + +To troubleshoot effectively, Cloudflare recommends reproducing the issue and noting your timestamps immediately before collecting logs. Though recreating the issue may not be possible in all cases, reproducing the issue right before diagnostic log collection or during the window that a packet capture (PCAP) is running will help you troubleshoot with greater visibility. + +Refer to [diagnostic log retention window](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#log-retention-window) to learn more. +::: + +#### Start a remote capture + + + +#### Check remote capture status + + + +#### Download remote captures + + + +After you have your diagnostic files, go to [Review key files](#option-b-collect-logs-via-the-cli) to continue troubleshooting. + +:::tip[AI-assisted troubleshooting] + +The [WARP Diagnostics Analyzer](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diagnostics-analyzer-beta) uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. + +After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for client diagnostics: + +1. Go to **Insights** > **Digital experience** and select the **Diagnotics** tab. +2. Find your capture in the list of captures. +3. Select the three-dot icon next to **Status** > select **View WARP Diag** to generate an AI summary. + +This analyzer is available for logs collected via the dashboard. + +::: + +### Option B: Collect logs via the CLI + +Collect client diagnostic logs on your desktop using the `warp-diag` CLI. + + + +:::tip[Best practice] + +To troubleshoot effectively, Cloudflare recommends that you recreate the steps that cause the issue before running `warp-diag` and keep timestamps of your steps for review within the logs. + +::: + +After you have your diagnostic files, go to [Review key files](#option-b-collect-logs-via-the-cli) to continue troubleshooting. + +## 3. Review key files + +Client diagnostic logs capture the final Cloudflare One Client configuration and status on a device after all MDM policies and other software settings have been applied. Reviewing these logs can help you identify misconfigurations or unexpected behavior. + + + +### Check client status + +Open the `warp-status.txt` file to review the status of the Cloudflare One Client connection when the `warp-diag` was collected. A connected Cloudflare One Client will appear as: + +``` +Ok(Connected) +``` + +If the Cloudflare One Client is experiencing issues, the error will display in the Cloudflare One Client GUI on the device. Use the [Client errors](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/client-errors/) documentation to identify your error, its cause, and the solution. + +### Check client settings + +After you have checked client status, review the Cloudflare One Client's settings on the device to check if the expected configuration has been applied. Open the `warp-settings.txt` file to review the Cloudflare One Client settings. You will check the device's applied device profile and split tunnel configuration. + +#### Example `warp-settings.txt` file + +Find the client diagnostic logs on your desktop, and open the `warp-settings.txt` file. Review the following example `warp-settings.txt` file and the descriptions of its content below. + +```txt +Merged configuration: +(derived) Always On: true +(network policy) Switch Locked: false # If false, does not allow the user to turn off the WARP toggle and disconnect the WARP client +(network policy) Mode: WarpWithDnsOverHttps # The device's WARP mode, this mode is WARP with Gateway mode +(network policy) WARP tunnel protocol: WireGuard +(default) Disabled for Wifi: false +(default) Disabled for Ethernet: false +(reg defaults) Resolve via: 1xx0x1011xx000000000f0x00000x11.cloudflare-gateway.com @ [1xx.1xx.1x.1, 1x01:1x00:1x00::1xx1] # The SNI Cloudflare will use and the IP address for DNS-over-HTTPS (DoH) requests +(user set) qlog logging: Enabled +(default) Onboarding: true # If true, the user sees an onboarding prompt when they first install the WARP client +(network policy) Exclude mode, with hosts/ips: # Split tunnel configuration + 1xx.1xx.1xx.1xx/25 (zoom) +... + cname.user.net + +(network policy) Fallback domains: # Local domain fallback configuration + intranet +... + test +(not set) Daemon Teams Auth: false +(network policy) Disable Auto Fallback: false +(network policy) Captive Portal: 180 +(network policy) Support URL: my-organizations-support-portal.com # Your organization's support portal or IT help desk +(user set) Organization: Organization-Name +(network policy) Allow Mode Switch: true # The user is allowed to switch between WARP modes +(network policy) Allow Updates: false # WARP client will not perform update checks +(network policy) Allowed to Leave Org: true +(api defaults) Known apple connectivity check IPs: xx.xxx.0.0/16; +(network policy) LAN Access Settings: Allowed until reconnect on a /24 subnet # The maximum size of network that will be allowed when Access Lan is clicked. +(network policy) Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11 +``` + +:::tip[Quick debugging] + +The command `warp-cli settings` in a terminal will generate the same information that is present in the `warp-settings.txt` file. + +::: + +#### Contents of `warp-settings.txt` file + +Review the meanings of the fields in `warp-settings.txt` that are relevant to troubleshooting. + +##### Always On + +Refers to the current state of the connection toggle in the GUI. In the example file, the toggle is switched on. + +```txt +Always On: true +``` + +##### Switch Locked + +Refers to the [Lock WARP Switch](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch) which allows the user to use the client's connection toggle and disconnect the client. In the example file, the value is `false` meaning the user is able to connect or disconnect at their discretion. + +```txt +Switch Locked: false +``` + +When the Lock WARP Switch is enabled (`true`), users will need an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to temporarily disconnect the Cloudflare One Client on their device. + +##### Mode + +Refers to the [client mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) the device is using. In the example file, the client mode is `WarpWithDnsOverHttps` which is Traffic and DNS mode. Refer to the [client modes comparison matrix](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) to match your `warp-settings.txt` file's value with the mode name. + +```txt +Mode: WarpWithDnsOverHttps +``` + +##### Exclude mode, with hosts/ips + +Refers to your [split tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) settings. In the example file, the Cloudflare One Client is running in Exclude mode, meaning all traffic except for the traffic destined for these hosts and IPs will be sent through the WARP tunnel. The host `cname.user.net` and the IP `1xx.1xx.1xx.1xx/25 ` are both excluded from the WARP tunnel. + +```txt +Exclude mode, with hosts/ips: + 1xx.1xx.1xx.1xx/25 (zoom) +... + cname.user.net +``` + +:::note[Exclude mode versus Include mode] +`Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify. + + `Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel. + +::: + +##### Fallback domains + +Refers to your [Local Domain Fallback](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) settings. In the example file, the Cloudflare One Client lists `intranet` as a domain that will not be sent to Gateway for processing and will instead be sent directly to the configured fallback servers. + +```txt +(network policy) Fallback domains: + intranet +... +``` + +##### Allow Mode Switch + +Refers to the [Mode switch](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#mode-switch) setting. In the example file, the mode switch is enabled (`true`) which means the user has the option to switch between [Traffic and DNS mode](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) mode and [Gateway with DNS-over-HTTPS (DoH)](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) mode. + +```txt +Allow Mode Switch: true +``` + +##### Allow Updates + +Refers to the [Allow updates](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-updates) setting. In the example file, the allow updates setting is set to `false` meaning that the user will not receive update notifications when a new version of the Cloudflare One Client is available and cannot update the client without administrator approval. + +```txt +Allow Updates: false +``` + +##### Allowed to Leave Org + +Refers to the [Allow device to leave organization](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-device-to-leave-organization) setting. In the example file, the value is set to `true` meaning the user can log out from your Zero Trust organization. + +```txt +Allowed to Leave Org: true +``` + +##### LAN Access Settings + +Refers to the [Allow users to enable local network exclusion](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) setting. When enabled, it allows users to temporarily access local devices (like printers) by excluding the detected local subnet from the WARP tunnel. This example indicates access is allowed until the next client reconnection, and only for subnets up to `/24`. + +```txt +LAN Access Settings: Allowed until reconnect on a /24 subnet +``` + +##### Profile ID + +Refers to the [Device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) a device is using. In this example, the ID is `000000x1-00x1-1xx0-1xx1-11101x1axx11`. + +```txt +Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11 +``` + +## 4. Fix common misconfigurations + +To verify that the Cloudflare One Client is configured and working properly, review the following: + +1. Is the [wrong profile ID](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#edit-your-device-profile-match-rules) applied to the device? +2. Is the [wrong split tunnel configuration](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#wrong-split-tunnel-configuration) active on the device? + +### Wrong profile ID + +A profile ID is a unique identifier assigned to each [device profile](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) in the Cloudflare One dashboard, used to determine which configuration settings apply to a device. + +#### Check the applied device profile + +To check that the applied device profile is the intended device profile: + +1. Go to [Cloudflare One](https://one.dash.cloudflare.com/) > **Team & Resources** > **Devices** > **Device profiles** > **General profiles**. +2. Find and select the device profile intended for the device. +3. Under **Profile details**, compare the displayed **Profile ID** with the `Profile ID` in the `warp-settings.txt` file. + +If your organization has multiple device profiles defined in the Cloudflare One dashboard, a device may be matched to an unexpected profile because: + +- How [profile precedence](#review-profile-precedence) is configured. +- [Managed network](#review-your-managed-network-settings) issues (if you are using a managed network.) +- User group [mismatch](#check-a-users-group-membership). +- Lack of [precise match rules](#edit-your-device-profile-match-rules). + +#### Review profile precedence + + + +:::caution +Avoid [reordering profiles](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#order-of-precedence) unless you are confident it will not affect other users. +::: + +#### Review your managed network settings + +A [managed network](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) is a network location that you define with a TLS endpoint, like a physical office. The Cloudflare One Client checks for this TLS endpoint to determine its location and apply the corresponding device profile. + +If the managed network is misconfigured or the TLS endpoint is unreachable, the device may fall back to an unintended profile. + +When troubleshooting the Cloudflare One Client for managed network issues: + +1. Verify the endpoint is reachable. + + The Cloudflare One Client connects to the TLS endpoint to identify the network. If the endpoint is down or unreachable, the Cloudflare One Client will fail to detect the network and apply the wrong profile. + + + + If the endpoint is down, you will receive a `Could not find certificate from ` response. + + If you received a returned SHA-256 fingerprint: + 1. Log into [Cloudflare One](https://one.dash.cloudflare.com/), and go to **Team & Resources** > **Devices** > **Device profiles**. + 2. Go to **Managed networks** > **Edit**. + 3. Compare the TLS Cert SHA-256 in the dashboard with the returned fingerprint in your terminal to ensure they match. + +2. Use a single profile for a single location. + + To simplify management and prevent errors, avoid creating multiple managed network profiles for the same location. For example, if you have multiple TLS endpoints in one office, link them all to a single device profile. This reduces the risk of a device matching an unintended profile due to a configuration error. + +#### Check a user's group membership + +If a user is having issues with a device profile, it may be because they are not part of the correct user group. This can happen when an organization is not using SCIM for automatic identity provider (IdP) updates. + +To check that the user belongs to the intended group: + +1. Log into [Cloudflare One](https://one.dash.cloudflare.com/) > go to **Team & Resources** > **Devices** > **Your devices**. +2. Select the user. +3. Under **User Registry Identity**, select the user's name. +4. The **Get-identity endpoint** lists all the groups the user belongs to. + +If the user was recently added to a group, they will need to update their group membership with Cloudflare Zero Trust. This can be accomplished by logging into the reauthenticate endpoint. + + + +#### Edit your device profile match rules + +To modify the match rules of a device profile, you will need to edit the device profile. To edit the device profile: + + + +:::note + +Identity-based selectors are only available if the user [enrolled the device](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) by logging in to an identity provider (IdP). + +::: + +### Wrong split tunnel configuration + + + +A misconfigured [split tunnel](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) can cause connectivity issues. + +For example, if you set your mode to Exclude IPs and domains and accidentally exclude an IP address needed by an application, that application may not work correctly. Similarly, in Include IPs and domains mode, forgetting to include a necessary IP or domain will cause traffic to bypass the Cloudflare One Client, and you will lose access to your Zero Trust security features. + +#### 1. Check the applied split tunnel configuration + +After downloading the client diagnostic logs, review that your configuration is working as intended: + +1. Open the `warp-settings.txt` file and find `Exclude mode, with hosts/ips:` or `Include mode, with hosts/ips:`. + + :::note[Exclude mode versus Include mode] + `Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify. + + `Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel. + ::: + +2. Log into [Cloudflare One](https://one.dash.cloudflare.com/), go to **Team & Resources** > **Devices** > **Device profiles** > **General profiles**. +3. Find and select the device profile intended for the device. +4. Select **Edit**. +5. Find **Split Tunnels** and note the mode you have selected > select **Manage**. +6. Cross-reference the IPs/hosts you have configured in the Cloudflare One dashboard with the IPs/hosts listed in `warp-settings.txt`. + +If your dashboard split tunnel configuration does not match your `warp-settings.txt` file configuration, you may need to force the Cloudflare One Client to [update its settings](#update-the-cloudflare-one-clients-settings). + +#### 2. Update the Cloudflare One Client's settings + +If the split tunnel configuration in `warp-settings.txt` does not match the dashboard, you can force the Cloudflare One Client to fetch the latest settings. + +This can be done by instructing the end user to [disconnect and reconnect the client](#option-a-disconnect-and-reconnect-the-client), or [reset their encryption keys](#option-b-reset-the-encryption-keys). + +Both methods update the client with the latest configuration. + +##### Option A: Disconnect and reconnect the client + + + + +1. On the end user device, open the Cloudflare One Client and select **Disconnect**. + +:::note[What if the end user cannot disconnect?] +If the end user does not see the [disconnect button](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch), they will need to enter an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes). + +[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution. +::: + +2. Select **Connect**. + + + + +1. On the end user device, open the Cloudflare One Client and disconnect. + +:::note[What if the end user cannot disconnect?] +If the end user's [connection toggle](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-warp-switch) is locked, they will need an [admin override code](/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to be able to disconnect. + +[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution. +::: + +2. Reconnect the Cloudflare One Client. + + + + +The client will fetch new settings when it reconnects. + +##### Option B: Reset the encryption keys + +To reset the encryption keys on an end user's desktop: + + + +## 5. Get help + +