Troubleshoot private network connectivity


2024-11-23


Follow this troubleshooting procedure when end users running Cloudflare WARP have issues connecting to a private network behind Cloudflare Tunnel.

1. Is the WARP client connected to a Cloudflare data center?

The WARP client GUI should display Connected and Your Internet is protected.

If WARP is stuck in the Disconnected state or frequently changes between Connected and Disconnected, refer to Unable to connect WARP.

2. Is the WARP client connecting to your private DNS server?

This step is only needed if users access your application via a private hostname (for example, wiki.internal.com).

  • If you are using custom resolver policies to handle private DNS, go to your Gateway DNS logs (Logs > Gateway > DNS) and search for DNS queries to the hostname.

  • If you are using Local Domain Fallback to handle private DNS, go to your Gateway Network logs (Logs > Gateway > Network) and search for port 53 traffic to your DNS server IP.

If there are no relevant Gateway logs, it means that WARP was unable to forward the query to your private DNS server. Check your resolver policies or Local Domain Fallback configuration and refer to How WARP handles DNS requests.

3. Is network traffic to the application going through WARP?

Next, check if your Gateway Network logs (Logs > Gateway > Network) show any traffic to the destination IP.

If WARP is connected but there are no network logs, it means that your private network IPs are not routing through WARP. You can confirm this by searching the routing table on the device for the IP address of your application. Traffic to your application should route through the Cloudflare WARP interface. If another interface is used, check your Split Tunnel configuration.
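The routing-table check above can be automated: the following added example (not Cloudflare's own code) parses `ip route get` output from the device, applies the Split Tunnel include/exclude semantics to the application IP, and reports whether the two agree. It assumes the WARP interface is named CloudflareWARP and uses constructed route output and a constructed Split Tunnel list.

```python
import ipaddress
import re
from typing import List, Optional

# Assumption: WARP interface is CloudflareWARP on Linux/Windows; macOS uses a utunN name.
WARP_IFACE = "CloudflareWARP"

# Constructed outputs of `ip route get 10.2.3.4` (Linux) for the two situations.
ROUTE_VIA_WARP = "10.2.3.4 dev CloudflareWARP src 172.16.0.2 uid 1000\n    cache"
ROUTE_VIA_LAN = "10.2.3.4 via 192.168.1.1 dev eth0 src 192.168.1.10 uid 1000\n    cache"

def route_interface(ip_route_get_output: str) -> Optional[str]:
    """Return the outgoing interface named after 'dev' in `ip route get` output."""
    m = re.search(r"\bdev\s+(\S+)", ip_route_get_output)
    return m.group(1) if m else None

def expected_via_warp(ip: str, mode: str, cidrs: List[str]) -> bool:
    """'exclude': everything via WARP except listed ranges; 'include': only listed ranges."""
    addr = ipaddress.ip_address(ip)
    listed = any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
    if mode == "exclude":
        return not listed
    if mode == "include":
        return listed
    raise ValueError(f"unknown Split Tunnel mode: {mode}")

def diagnose(ip: str, route_output: str, mode: str, cidrs: List[str]) -> str:
    """Compare what Split Tunnels should do with what the device routing table does."""
    actual = route_interface(route_output)
    want = expected_via_warp(ip, mode, cidrs)
    got = actual == WARP_IFACE
    if want and got:
        return f"ok: traffic to {ip} routes through {WARP_IFACE}"
    if want and not got:
        return f"mismatch: Split Tunnels should send {ip} through WARP but the device routes via {actual}"
    if not want and got:
        return f"mismatch: {ip} is outside the Split Tunnel scope but still routes via {WARP_IFACE}"
    return f"expected: {ip} is kept off WARP by the Split Tunnel {mode} list; adjust the entry covering it"

if __name__ == "__main__":
    # A private /8 left in the exclude list (the default list contains the RFC 1918 ranges)
    # is the classic cause of "WARP connected but no Gateway network logs".
    print(diagnose("10.2.3.4", ROUTE_VIA_LAN, "exclude", ["10.0.0.0/8", "192.168.0.0/16"]))
    print(diagnose("10.2.3.4", ROUTE_VIA_WARP, "exclude", ["192.168.0.0/16"]))
```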

4. Is the user blocked by a Gateway policy?

To check if a Gateway block event occurred:

  1. Go to Logs > Gateway and select the DNS, Network, or HTTP tab.
  2. Apply the following filters:
    • Email: User's email address
    • Event: Blocked
    • Date Time Range: Time period when the user accessed the application

5. Is the user matching the correct Gateway policy?

Determine whether the user is matching any policy, or if they are matching a policy that has a higher priority than the expected policy.

  1. To determine the actual policy that was applied:

    1. Go to Logs > Gateway and select the DNS, Network, or HTTP tab.
    2. Apply the following filters:
      • Email: User's email address
      • Date Time Range: Time period when the user accessed the application
    3. In the search box, filter by the destination IP or FQDN.
    4. In the results, select a log and note its Policy Name value.
  2. Go to Gateway > Firewall Policies and compare the order of enforcement of the matched policy versus the expected policy.

  3. Compare the Gateway log values with the expected policy criteria.

    • If the mismatched value is related to identity, check the user registry and verify the values that are passed to Gateway from your IdP. Cloudflare updates the registry when the user enrolls in the WARP client. If the user's identity is outdated, ask the user to re-authenticate WARP (Preferences > Account > Re-Authenticate Session).

    • If the mismatched value is related to device posture, view the posture check results for the user's device. Verify that the device passes the posture checks configured in the policy.

6. Are the correct Gateway proxy settings enabled?

Under Settings > Network, ensure that Proxy is enabled for TCP, UDP, and ICMP traffic. UDP is required for proxying DNS traffic and other UDP packets, while ICMP is required for ping and other administrative functions.

7. Is the user’s traffic reaching the tunnel?

Review your tunnel log stream. If you do not see any requests to your application, ensure that you have added the appropriate static route to your Cloudflare Tunnel.

8. Is the tunnel forwarding requests to your application?

Verify that you can connect to the application directly from the cloudflared host machine:

Open Terminal and run the following command:

telnet test.example.com 443

If telnet fails to open the connection, check your infrastructure for firewalls, load balancers, or other network devices that may be interfering with the connection between cloudflared and the application server.

Open PowerShell and run the following command:

PS c:\users\johndoe> Test-NetConnection test.example.com -port 443

If the output shows TcpTestSucceeded : False, check your infrastructure for firewalls, load balancers, or other network devices that may be interfering with the connection between cloudflared and the application server.

You can also use a packet capture tool such as tcpdump or Wireshark to trace whether traffic from the user device successfully reaches cloudflared and routes to your application. Traffic to your application will carry the source IP of the cloudflared host.

9. How is your application handling requests?

  1. Check if the application server has a local firewall in place that is blocking requests from the cloudflared host machine.

  2. Check if the application server needs to initiate any connection towards the user's device. If so, this is a limitation of cloudflared and you should instead deploy WARP Connector to enable bidirectional traffic.

10. Is TLS inspection affecting the connection to your application?

If there is a problem with TLS inspection, the user will get an Insecure Upstream error when they access the application in a browser. They will probably not get an error if they access the application outside of a browser.

Customers who have Logpush enabled can check the Gateway HTTP dataset for any hostnames which have an elevated rate of 526 HTTP status codes.
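The Logpush check above, as an added example that is not Cloudflare's own tooling: it reads newline-delimited Gateway HTTP records, counts 526 responses per hostname, and lists hosts whose 526 share is elevated, ignoring hosts with too few requests for a rate to mean anything. The field names HTTPHost and HTTPStatusCode are assumed to match the dataset; the sample records are constructed.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed records shaped like the Gateway HTTP Logpush dataset. The field names
# HTTPHost and HTTPStatusCode are assumed to match that dataset; every value is made up.
def _rec(host: str, status: int, n: int) -> List[dict]:
    return [{"HTTPHost": host, "HTTPStatusCode": status, "Action": "allow"}] * n

SAMPLE_NDJSON = "\n".join(
    json.dumps(r)
    for r in _rec("wiki.internal.com", 526, 6) + _rec("wiki.internal.com", 200, 2)
    + _rec("intranet.internal.com", 200, 10) + _rec("tiny.internal.com", 526, 2)
)

def parse_ndjson(text: str) -> Iterable[dict]:
    """Yield one record per non-empty line; Logpush delivers newline-delimited JSON."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def status_526_rates(records: Iterable[dict]) -> Dict[str, Tuple[int, int]]:
    """Return {host: (total requests, requests that ended in a 526 status)}."""
    total: Counter = Counter()
    failed: Counter = Counter()
    for r in records:
        host = r.get("HTTPHost")
        if not host:
            continue
        total[host] += 1
        if int(r.get("HTTPStatusCode", 0)) == 526:
            failed[host] += 1
    return {h: (total[h], failed[h]) for h in total}

def elevated_hosts(records: Iterable[dict], threshold: float = 0.5, min_requests: int = 5) -> List[str]:
    """Hosts whose share of 526 responses is at or above threshold, skipping hosts
    with fewer than min_requests so a handful of failures does not trigger an alert."""
    rates = status_526_rates(records)
    return sorted(
        h for h, (n, bad) in rates.items() if n >= min_requests and bad / n >= threshold
    )

if __name__ == "__main__":
    records = list(parse_ndjson(SAMPLE_NDJSON))
    rates = status_526_rates(records)
    for host in elevated_hosts(records):
        n, bad = rates[host]
        print(f"{host}: {bad}/{n} responses were 526; test with a Do Not Inspect policy first")
```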

To troubleshoot TLS inspection:

  1. Create a temporary Gateway HTTP policy that disables TLS inspection for all traffic to the application. For example:

    Selector          Operator   Value          Action
    Destination IP    in         10.2.3.4/32    Do Not Inspect
  2. If the Do Not Inspect policy enables the user to connect, verify that the TLS certificate used by your application is trusted by a public CA and not self-signed. Cloudflare Gateway is unable to negotiate TLS with applications that use self-signed certificates. For more information, refer to TLS inspection limitations.

    To work around the issue:

    • Option 1: Create a permanent Do Not Inspect HTTP policy for this application.
    • Option 2: Customers who use their own certificate infrastructure for inspection can opt to create an allow pass through policy, which enables our proxy to accept the TLS negotiation from your application. This will allow requests to flow correctly without the need for a Do Not Inspect policy.
    • Option 3: If your application uses HTTPS or other common protocols, you can add a public hostname route to your Cloudflare Tunnel and set noTLSVerify to true. This will allow cloudflared to trust your self-signed certificate.
