Common issues
This section covers the most common issues you might encounter as you deploy the Cloudflare One Client (formerly WARP) in your organization, or turn on new features that interact with the client.
If the Cloudflare One Client is stuck in the Disconnected state or frequently changes between Connected and Disconnected, this indicates that the client cannot establish a connection to Cloudflare's global network.
In your client diagnostic logs, daemon.log will typically show one or more of the following errors:
- Happy Eyeball checks failing:
All Happy Eyeballs checks failed. - Connectivity checks timing out for
connectivity.cloudflareclient.com.
Common causes:
- Firewall blocks: A local or network firewall is blocking the required IP addresses.
- VPN interference: A third-party VPN is fighting for control over the routing table or DNS. Refer to the VPN compatibility guide.
- ISP blocks: Your country or ISP may be explicitly blocking client traffic.
When registering the client, you may see Authentication Expired or Registration error. Please try again later.
Common causes:
- System clock out of sync: Your computer system clock must be properly synced via NTP. If your clock is off by more than 20 seconds, the authentication token (JWT) will be invalid.
- Prompt timeout: You must complete the registration in your browser and return to the client within one minute of the prompt.
This error often means that systemd-resolved is not allowing the client to resolve DNS requests. In daemon.log, you will see DNS connectivity check failed to resolve host="warp-svc.".
Solution:
- Add
ResolveUnicastSingleLabel=yesto/etc/systemd/resolved.conf. - Ensure no other DNS servers are explicitly configured in that file.
- Restart the service:
sudo systemctl restart systemd-resolved.service.
The client cannot parse resolv.conf files containing invalid characters like !@#$%^&*()<>? in search directives. Remove these characters to restore service.
Advanced security features require the Cloudflare root certificate to be trusted on the device.
- Chrome/Edge: These browsers cache certificates. If you installed the certificate while the browser was running, you must restart the browser.
- Root certificate expiry: The default Cloudflare root certificate expired on February 2, 2025. If you are seeing errors, generate and activate a new certificate in the dashboard.
Starting with version 2024.12.554.0, the client can automatically install new certificates as soon as they are Available in the dashboard. For older versions, certificates had to be marked In-Use first. Ensure Install CA to system certificate store is enabled in your Device settings.
This is often a cosmetic error with Windows Network Connectivity Status Indicator (NCSI). Apps like Outlook or JumpCloud may refuse to connect because of this status.
Solution:
Configure NCSI to detect the client's local DNS proxy and use active probing by setting these registry keys to 1:
HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicator\UseGlobalDNSHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing
This usually indicates a missing dependency, such as .NET Framework 4.7.2 or later. Legacy systems (like Windows 10 Enterprise 1607) may require a manual update of the .NET Framework Runtime ↗.
If WSL2 loses connectivity, check your split tunnel configuration. The IP range used by WSL to communicate with the host may be accidentally included in the tunnel. Exclude the WSL network range to restore connectivity.
By default, the client blocks outgoing traffic on port 25 to prevent spam. Use port 587 or 465 for encrypted email, or contact your account team to request an unblock.
Admin override codes are time-sensitive and adhere to fixed-hour blocks. A code generated at 9:30 AM with a 1-hour timeout will expire at 10:00 AM because its validity is counted within the 9:00 AM-10:00 AM window.
- Diagnostic logs - Learn how to collect logs for support.
- Known limitations - Review unsupported features and environments.
- Troubleshooting Cloudflare One - View troubleshooting guides for other products.