Troubleshooting
I tried to register the WARP client with my Zero Trust domain but received the following error messages: "Authentication Expired" and "Registration error. Please try again later".
When a user logs into an organization, WARP will open a web page so the user can sign in via Cloudflare Access. Access then generates a JSON Web Token (JWT) that is passed from the web page to the WARP client to authenticate the device. This JWT has a timestamp indicating the exact time it was created, as well as a timestamp indicating it will expire 50 seconds into the future.
This error message means that when the JWT is finally passed to the WARP client, it has already expired. One of two things can be happening:
- (Most likely): Your computer system clock is not properly synced using Network Time Protocol (NTP). Visit https://time.is on the affected machine to validate your clock is properly synchronized within 20 seconds of the actual time.
- You are waiting more than one minute to open Cloudflare WARP from the time Cloudflare Access prompts you. Open the WARP client as soon as you get the prompt.
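As an added diagnostic (not part of the Cloudflare documentation), the following Python script separates the two causes above: it decodes the unverified timestamps from a constructed sample token carrying the 50-second window described, and compares the local clock against a trusted reference time (the value you would read from time.is or an NTP server), which this example assumes you can supply.

```python
import base64
import json
import time

# Constructed sample token for illustration only (not a real Access JWT):
# the payload carries iat and an exp exactly 50 seconds later; the signature
# segment is a placeholder, since only the timestamps are inspected here.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(iat: int, lifetime: int = 50) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iat": iat, "exp": iat + lifetime}).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"

def decode_payload(token: str) -> dict:
    """Decode the JWT payload without verifying it, to read iat/exp."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def diagnose(token: str, local_now: float, trusted_now: float,
             skew_limit: int = 20) -> str:
    """Explain why WARP would reject `token` at local wall-clock time `local_now`.

    trusted_now is the reference time (NTP / time.is) used to detect skew.
    Returns 'clock-skew', 'slow-handoff' or 'ok'.
    """
    claims = decode_payload(token)
    iat, exp = claims["iat"], claims["exp"]
    if abs(local_now - trusted_now) > skew_limit:
        # Local clock differs from reality by more than the tolerance:
        # the JWT looks expired (or not yet valid) even if handed over quickly.
        return "clock-skew"
    if local_now >= exp:
        # Clock is fine; the token was simply delivered after exp - iat seconds.
        return "slow-handoff"
    return "ok"

if __name__ == "__main__":
    issued = int(time.time())
    token = make_sample_token(issued)
    print(decode_payload(token))
    print(diagnose(token, issued + 10, issued + 10))      # ok
    print(diagnose(token, issued + 70, issued + 70))      # slow-handoff
    print(diagnose(token, issued + 100, issued + 10))     # clock-skew
```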
If you believe a domain has been incorrectly blocked, you can use this form to get the URL reviewed.
Cloudflare Access requires that the credentials: same-origin parameter be added to JavaScript when using the Fetch API (to include cookies). AJAX requests fail without this parameter present. For more information, refer to our documentation about CORS settings.
Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP Filtering. To install the Cloudflare root certificate, follow this guide.
Gateway presents an HTTP Response Code: 526 error page in the following cases:
- An untrusted certificate is presented from the origin to Gateway. Gateway will consider a certificate untrusted if any of these conditions are true:
  - The server certificate issuer is unknown or is not trusted by the service.
  - The server certificate is revoked and fails a CRL check.
  - There is at least one expired certificate in the certificate chain for the server certificate.
  - The common name on the certificate does not match the URL you are trying to reach.
  - The common name on the certificate contains invalid characters (such as underscores). Gateway uses BoringSSL to validate certificates. Chrome's validation logic allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP.
- The connection from Gateway to the origin is insecure. Gateway does not trust origins which:
  - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the SSL Server Test tool to check which ciphers are supported by the origin.
  - Do not support FIPS-compliant ciphers (if you have enabled FIPS compliance mode). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
  - Redirect all HTTPS requests to HTTP.
If none of the above scenarios apply, contact Cloudflare support with the following information:
- Operating System (Windows 10, macOS 10.x, iOS 14.x)
- Web browser (Chrome, Firefox, Safari, Edge)
- URL of the request
- Screenshot or copy/paste of the content from the error page
For more troubleshooting information, refer to Support.
You may not see analytics on the Overview page for the following reasons:
- You are not sending DNS queries to Gateway. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to Gateway > DNS locations and then expanding the location.
- You are using other DNS resolvers. If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Make sure to remove all other IP addresses from your DNS settings and only include Gateway’s DNS resolver IP addresses.
- The source IPv4 address for your DNS location is incorrect. If you are using IPv4, check the source IPv4 address that you entered for the DNS location matches with the network’s source IPv4 address.
- Analytics is not available yet. It takes some time to generate the analytics for Cloudflare Gateway. If you are not seeing anything even after 5 minutes, file a support ticket.
If you encounter this error, file feedback via the WARP client and we will investigate.
This can occur if your device is attempting to establish a connection to more than two remote browser instances. A browser isolation session is a connection from your local browser to a remote browser. Tabs and windows within the same browser share a single remote browser session. In practice, this generally means that you can open both Chrome and Firefox to use browser isolation concurrently, but attempting to open a third browser such as Opera will cause this alert to appear. To release a browser session, close all tabs/windows in your local browser. The remote browser session will be automatically terminated within 15 minutes.
I see "SAML Verify: Invalid SAML response" or "SAML Verify: No certificate selected to verify" when testing a SAML identity provider.
This error occurs when the identity provider has not included the signing public key in the SAML response. While not required by the SAML 2.0 specification, Cloudflare Access always checks that the public key provided matches the Signing certificate uploaded to Zero Trust. For the integration to work, you will need to configure your identity provider to add the public key.
I see "Error 0: Bad Request. Please create a ca for application." when attempting to connect to SSH with a short-lived certificate.
This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to these instructions.
Mobile applications warn of an invalid certificate, even though I installed a Cloudflare certificate on my system.
These mobile applications may use certificate pinning. Cloudflare Gateway dynamically generates a certificate for all encrypted connections in order to inspect the content of HTTP traffic. This certificate will not match the certificate expected by applications that use certificate pinning. To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected.
If you see this warning, you may have to disable the DNS over HTTPS setting in Firefox. If you need help doing that, see these instructions.
Advanced security features including HTTPS traffic inspection require you to deploy a root certificate on the device. If Install CA to system certificate store is enabled, the WARP client will automatically install a new root certificate whenever you install or update WARP.
Certain web browsers (such as Chrome and Microsoft Edge) load and cache root certificates when they start. Therefore, if you install a root certificate while the browser is already running, the browser may not detect the new certificate. To resolve the error, restart the browser.
This error appears if you try to change your team domain while the Cloudflare dashboard SSO feature is enabled on your account. Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details.
This error means that the systemd-resolved service on Linux is not allowing WARP to resolve DNS requests.
To solve the issue:
- Add the following line to /etc/systemd/resolved.conf:
- Make sure that no other DNS servers are configured in /etc/systemd/resolved.conf. For example, if the file contains DNS=X.Y.Z.Q, comment out the line.
- Restart the service:
NCSI is a Windows feature for determining network quality and connectivity. When WARP is enabled, NCSI checks can sometimes fail and cause a cosmetic UI error where the user believes they have no Internet even though the device still has full connectivity. Some apps (Outlook, JumpCloud) may refuse to connect because Windows is reporting there is no Internet connectivity.
To resolve the issue, you will need to edit two Windows registry keys:
- Configure NCSI to detect WARP's local DNS proxy.
- Configure NCSI to use active probing mode, as WARP may be obscuring the number of hops expected by the passive probe.
If you continue to have issues with Microsoft 365 applications, consider enabling Directly route Microsoft 365 traffic.
Cloudflare Browser Isolation leverages Network Vector Rendering (NVR) technology. This allows us to deliver a secure, performant remote computing experience without the bandwidth limitations of traditional solutions. While we expect most websites to work perfectly, some browser features and web technologies such as WebGL (Web Graphics Library) are unsupported.
WebGL is a JavaScript API for rendering high-performance interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. Support for WebGL is present in all modern browsers. However, the user's device must also have access to the underlying hardware that supports these features.
When running remote browser isolation in a virtualized environment, the user’s device may not have access to the required system resources. To resolve the error, you can configure your browser to render vector graphics entirely through software, without using the hardware acceleration provided by a GPU.
To enable software rasterization:
- Go to chrome://flags/#override-software-rendering-list.
- Set Override software rendering list to Enabled.
- Select Relaunch to apply the change.
By default, the WARP client blocks outgoing SMTP traffic on port 25 to prevent users from abusing our service to send spam. Modern email service providers use port 587 or 465 to encrypt emails over a TLS/SSL connection. For more information, refer to "What SMTP port should be used?".
If you need to unblock port 25, contact your account team.
This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as Microsoft Internet Information Services (IIS) do not support authentication over HTTP/2. When errors occur, the website may send back a RST_STREAM frame with the error code HTTP_1_1_REQUIRED, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream RST_STREAM frames to a pseudo socket close, so this appears as a 502 Bad Gateway exception page. The browser will not indicate why it failed.
Gateway does not support this downgrade mechanism. When receiving the HTTP_1_1_REQUIRED error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin.
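The following Python frame parser, added here as an illustration (it is not Cloudflare's or Gateway's code), pulls RST_STREAM frames out of a constructed byte capture and reports which streams the origin reset with HTTP_1_1_REQUIRED; the frame type and error code values are those defined in RFC 7540. This is the upstream signal a packet capture of the Gateway-to-origin leg would show behind the browser's opaque 502.

```python
import struct

# HTTP/2 constants from RFC 7540: frame types (section 6) and error codes (section 7).
SETTINGS = 0x4
RST_STREAM = 0x3
FLAG_ACK = 0x1
CANCEL = 0x8
HTTP_1_1_REQUIRED = 0xD

def parse_frames(data: bytes):
    """Yield (frame_type, flags, stream_id, payload) for each complete frame.

    Every frame starts with a 9-byte header: 24-bit length, 8-bit type,
    8-bit flags, then a 31-bit stream id (the top bit is reserved).
    """
    offset = 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack("!I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield frame_type, flags, stream_id, payload
        offset += 9 + length

def find_h1_required(data: bytes) -> list:
    """Return the stream ids the origin reset with HTTP_1_1_REQUIRED."""
    streams = []
    for frame_type, _flags, stream_id, payload in parse_frames(data):
        if frame_type == RST_STREAM and len(payload) == 4:
            (code,) = struct.unpack("!I", payload)
            if code == HTTP_1_1_REQUIRED:
                streams.append(stream_id)
    return streams

def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame; used only to construct the sample capture below."""
    return len(payload).to_bytes(3, "big") + bytes([frame_type, flags]) \
        + struct.pack("!I", stream_id) + payload

# Constructed sample capture: a SETTINGS ack, a stream-1 reset with CANCEL
# (benign), and a stream-3 reset with HTTP_1_1_REQUIRED (the downgrade request
# that Gateway surfaces as a 502).
SAMPLE_CAPTURE = (
    build_frame(SETTINGS, FLAG_ACK, 0, b"")
    + build_frame(RST_STREAM, 0, 1, struct.pack("!I", CANCEL))
    + build_frame(RST_STREAM, 0, 3, struct.pack("!I", HTTP_1_1_REQUIRED))
)

if __name__ == "__main__":
    print("streams reset with HTTP_1_1_REQUIRED:", find_h1_required(SAMPLE_CAPTURE))
```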