---
title: Cloudflare One Client troubleshooting guide
description: Reference information for Cloudflare One Client troubleshooting guide in Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

[Skip to content](#%5Ftop) 

### Tags

[ Debugging ](https://developers.cloudflare.com/search/?tags=Debugging) 

Was this helpful?

YesNo

[ Edit page ](https://github.com/cloudflare/cloudflare-docs/edit/production/src/content/docs/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide.mdx) [ Report issue ](https://github.com/cloudflare/cloudflare-docs/issues/new/choose) 

Copy page

# Cloudflare One Client troubleshooting guide

This guide helps you diagnose and resolve common issues with the Cloudflare One Client (formerly WARP). It covers how to troubleshoot the Cloudflare One Client on desktop operating systems, including Windows, macOS, and Linux.

1. **Before you start**: [Prerequisites](#prerequisites), permissions, [version control](#check-your-client-version), and client basics.
2. **Collect logs**: Through [Cloudflare One](#option-a-collect-logs-via-the-cloudflare-dashboard) (with DEX remote capture) or the [command-line interface](#option-b-collect-logs-via-the-cli) (CLI) (`warp-diag`).
3. **Review logs**: [Status](#check-client-status), [settings](#check-client-settings), [profile ID](#profile-id), [split tunnel](#exclude-mode-with-hostsips) configuration, and other settings.
4. **Fix common misconfigurations**: [Profile mismatch](#wrong-profile-id), [split tunnel issues](#wrong-split-tunnel-configuration), [managed network issues](#review-your-managed-network-settings), [user group mismatch](#check-a-users-group-membership).
5. **File a support ticket**: [How to file a ticket](#5-file-a-support-ticket) after you have exhausted your troubleshooting options.

AI-assisted troubleshooting

Cloudflare One includes two free AI helpers to speed up Cloudflare One Client investigations:

[**Diagnostics Analyzer**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta) \- Uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary. This analyzer is available for logs collected via the dashboard.

[**DEX MCP server**](https://developers.cloudflare.com/cloudflare-one/insights/dex/dex-mcp-server/) — An AI tool that allows customers to ask a question like, "Show me the connectivity and performance metrics for the device used by [carly@acme.com](mailto:carly@acme.com)", and receive an answer that contains data from the DEX API.

## 1\. Before you start

### Prerequisites

* You must have completed the [Zero Trust onboarding flow](https://developers.cloudflare.com/cloudflare-one/setup/) with a Zero Trust organization created.
* You must have the Cloudflare One Client installed on an end user device.
* You must have a [role](https://developers.cloudflare.com/cloudflare-one/roles-permissions/) that gives admin permission to access logs on the Cloudflare dashboard.

### Check your client version

Many troubleshooting issues are caused by outdated client versions. For the best performance and compatibility, administrators should check for new releases and [update the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) before attempting to troubleshoot other issues.

After updating the Cloudflare One Client, monitor the issue to see if it recurs. If the issue persists, continue with the troubleshooting guide.

#### Via the device

* [ Version 2026.2+ ](#tab-panel-5926)
* [ Version 2026.1 and earlier ](#tab-panel-5927)

1. Open the Cloudflare One Client on your desktop.
2. Select **About**.
3. Compare your device's version with the [latest version](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

1. Open the Cloudflare One Client on the desktop.
2. Select the gear icon.
3. Select **About WARP**.
4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

#### Via the Cloudflare One dashboard

1. Log into [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select the device you want to investigate.
3. Find the device's client version under **Client version** in the side menu.
4. Compare your device's version with the [latest version of the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).

### Client basics

Understand the Cloudflare One Client's architecture, installation paths, and modes to help you diagnose issues with greater accuracy.

Chapters

* ![Introduction and WARP GUI Basics](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=0s)  
 **Introduction and WARP GUI Basics** 0s
* ![Consumer vs. Corporate WARP](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=57s)  
 **Consumer vs. Corporate WARP** 57s
* ![Device Profiles Explained](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=95s)  
 **Device Profiles Explained** 1m35s
* ![WARP Operating Modes](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=132s)  
 **WARP Operating Modes** 2m12s
* ![Split Tunneling](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=224s)  
 **Split Tunneling** 3m44s
* ![Conclusion](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/31178cc41d0ec56d42ef892160589635/thumbnails/thumbnail.jpg?fit=crop&time=296s)  
 **Conclusion** 4m56s

#### Client architecture

The Cloudflare One Client consists of:

* **Graphical User Interface (GUI)**: Control panel that allows end users to view the client's [status](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/connectivity-status/) and perform actions such as turning the Cloudflare One Client on or off.
* **WARP daemon (or service)**: Core background component responsible for establishing secure tunnels (using WireGuard or MASQUE) and handling all client functionality on your device.

Refer to [client architecture](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/) for more information on how the Cloudflare One Client interacts with a device's operating system to route traffic.

#### Client installation details

The GUI and daemon (or service) have different names and are stored in the following locations:

Windows 

| Windows              |                                                                                                               |
| -------------------- | ------------------------------------------------------------------------------------------------------------- |
| **Service / Daemon** | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\warp-svc.exe                                                  |
| **GUI application**  | C:\\Program Files\\Cloudflare\\Cloudflare WARP\\Cloudflare WARP.exe                                           |
| **Logs Location**    | DaemonC:\\ProgramData\\Cloudflare\\GUI LogsC:\\Users\\<USER>.WARP\\AppData\\Localor%LOCALAPPDATA%\\Cloudflare |

macOS 

| macOS                |                                                                                   |
| -------------------- | --------------------------------------------------------------------------------- |
| **Service / Daemon** | /Applications/Cloudflare WARP.app/Contents/Resources/CloudflareWARP               |
| **GUI application**  | /Applications/Cloudflare WARP.app/Contents/MacOS/Cloudflare WARP                  |
| **Logs Location**    | Daemon/Library/Application Support/Cloudflare/GUI Logs\~/Library/Logs/Cloudflare/ |

Linux 

| Linux                |                                                   |
| -------------------- | ------------------------------------------------- |
| **Service / Daemon** | /bin/warp-svc                                     |
| **GUI application**  | /bin/warp-taskbar                                 |
| **Logs Location**    | /var/log/cloudflare-warp//var/lib/cloudflare-warp |

Along with the Cloudflare One Client GUI and daemon, `warp-cli` and `warp-diag` are also [installed](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/) on the machine and added to the system path for use from any terminal session.

[warp-diag](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/) is a command-line diagnostics tool that collects logs, configuration details, and connectivity data from the Cloudflare One Client to help troubleshoot issues.

`warp-cli` is the command-line interface (CLI) for managing and configuring the Cloudflare One Client, allowing users to connect, disconnect, and adjust settings programmatically.

#### Client modes

The Cloudflare One Client operates in several modes, each with different traffic handling capabilities:

Each client mode offers a different set of Zero Trust features.

| Client mode                                                                                                                                                                           | DNS Filtering | Network Filtering | HTTP Filtering | Service mode (displayed in warp-cli settings) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------- | -------------- | --------------------------------------------- |
| [**Traffic and DNS mode (default)**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) | ✅             | ✅                 | ✅              | WarpWithDnsOverHttps                          |
| [**DNS only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode)                                 | ✅             | ❌                 | ❌              | DnsOverHttps                                  |
| [**Traffic only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-only-mode)                         | ❌             | ✅                 | ✅              | TunnelOnly                                    |
| [**Local proxy mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode)                           | ❌             | ❌                 | ✅              | WarpProxy                                     |
| [**Posture only mode**](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#posture-only-mode)                         | ❌             | ❌                 | ❌              | PostureOnly                                   |

## 2\. Collect diagnostic logs

You can collect diagnostic logs in two ways: the [Cloudflare dashboard](#option-a-collect-logs-via-the-cloudflare-dashboard) or the [warp-diag](#option-b-collect-logs-via-the-cli) command-line interface (CLI).

### Option A: Collect logs via the Cloudflare dashboard

Collect client diagnostic logs remotely from the Cloudflare One dashboard by using Digital Experience Monitoring's (DEX) remote captures.

Best practice

To troubleshoot effectively, Cloudflare recommends reproducing the issue and noting your timestamps immediately before collecting logs. Though recreating the issue may not be possible in all cases, reproducing the issue right before diagnostic log collection or during the window that a packet capture (PCAP) is running will help you troubleshoot with greater visibility.

Refer to [diagnostic log retention window](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#log-retention-window) to learn more.

#### Start a remote capture

Devices must be actively connected to the Internet for remote captures to run.

To capture data from a remote device:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Select up to 10 devices that you want to run a capture on. Devices must be [registered](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/) in your Zero Trust organization.
3. Configure the types of captures to run.  
   * **Packet captures (PCAP)**: Performs packet captures for traffic outside of the WARP tunnel (default network interface) and traffic inside of the WARP tunnel ([virtual interface](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/client-architecture/#ip-traffic)).  
   * **Device diagnostic logs**: Generates a [Cloudflare One Client diagnostic log](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#warp-diag-logs) of the past 96 hours. To include a routing test for all IPs and domains in your [Split Tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/), select **Test all routes**.  
   Note  
   **Test all routes** will extend the time for diagnostics to run and may temporarily impact device performance during the test.  
   You must select Device Diagnostic Logs. You can also choose to run a PCAP and reproduce the issue in the window the PCAP is running to gain further network insight. The scope of this troubleshooting covers only client diagnostic logs. If not choosing PCAPs, reproduce the issue right before running diagnostics.
4. Select **Run diagnostics**.

DEX will now send capture requests to the configured devices. If the Cloudflare One Client is disconnected, the capture will time out after 10 minutes.

#### Check remote capture status

To view a list of captures, go to **DEX** \> **Remote captures**. The **Status** column displays one of the following options:

* **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed.
* **Running**: The capture is in progress on the device.
* **Pending Upload**: The capture is complete but not yet ready for download.
* **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the Cloudflare One Client version and [connectivity status](https://developers.cloudflare.com/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](https://developers.cloudflare.com/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture).

#### Download remote captures

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **DEX** \> **Remote captures**.
2. Find a successful capture.
3. Select the three-dot menu and select **Download**.

This will download a ZIP file to your local machine called `<capture-id>.zip`. DEX will store capture data according to our [log retention policy](https://developers.cloudflare.com/cloudflare-one/insights/logs/#log-retention).

After you have your diagnostic files, go to [Review key files](#option-b-collect-logs-via-the-cli) to continue troubleshooting.

AI-assisted troubleshooting

The [diagnostics analyzer](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/diagnostic-logs/#diagnostics-analyzer-beta) uses AI to parse a device's client diagnostic log and summarizes key events, likely causes, and recommended next steps in a concise summary.

After you run a [DEX remote capture](#option-a-collect-logs-via-the-cloudflare-dashboard) for client diagnostics:

1. Go to **Insights** \> **Digital experience** and select the **Diagnostics** tab.
2. Find your capture in the list of captures.
3. Select the three-dot icon next to **Status** \> select **View Device Diag** to generate an AI summary.

This analyzer is available for logs collected via the dashboard.

### Option B: Collect logs via the CLI

Collect client diagnostic logs on your desktop using the `warp-diag` CLI.

To view client logs on desktop devices:

* [ macOS ](#tab-panel-5930)
* [ Windows ](#tab-panel-5931)
* [ Linux ](#tab-panel-5932)

1. Open a Terminal window.
2. Run the `warp-diag` tool:  
Terminal window  
```  
warp-diag  
```

This will place a `warp-debugging-info-<date>-<time>.zip` on your desktop.

1. Open a Command Prompt or PowerShell window.
2. Run the `warp-diag` tool:  
Terminal window  
```  
C:\Users\JohnDoe>warp-diag  
```

This will place a `warp-debugging-info-<date>-<time>.zip` on your desktop.

1. Open a Terminal window.
2. Run the `warp-diag` tool:  
Terminal window  
```  
warp-diag  
```

This will place a `warp-debugging-info-<date>-<time>.zip` in the same folder you ran the command from.

Best practice

To troubleshoot effectively, Cloudflare recommends that you recreate the steps that cause the issue before running `warp-diag` and keep timestamps of your steps for review within the logs.

After you have your diagnostic files, go to [Review key files](#option-b-collect-logs-via-the-cli) to continue troubleshooting.

## 3\. Review key files

Client diagnostic logs capture the final Cloudflare One Client configuration and status on a device after all MDM policies and other software settings have been applied. Reviewing these logs can help you identify misconfigurations or unexpected behavior.

Chapters

* ![Introduction](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=0s)  
 **Introduction** 0s
* ![What are warp-diag files?](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=44s)  
 **What are warp-diag files?** 44s
* ![How to download and navigate warp-diag files](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=76s)  
 **How to download and navigate warp-diag files** 1m16s
* ![warp-status.txt](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=126s)  
 **warp-status.txt** 2m06s
* ![warp-settings.txt](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=149s)  
 **warp-settings.txt** 2m29s
* ![daemon.log](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=217s)  
 **daemon.log** 3m37s
* ![Addition tips](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=487s)  
 **Addition tips** 8m07s
* ![Conclusion](https://customer-1mwganm1ma0xgnmj.cloudflarestream.com/c29964ab3dcf7c3432ebb2b4e93c3aca/thumbnails/thumbnail.jpg?fit=crop&time=523s)  
 **Conclusion** 8m43s

### Check client status

Open the `warp-status.txt` file to review the status of the Cloudflare One Client connection when the `warp-diag` was collected. A connected Cloudflare One Client will appear as:

```

Ok(Connected)


```

If the Cloudflare One Client is experiencing issues, the error will display in the Cloudflare One Client GUI on the device. Use the [Client errors](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/client-errors/) documentation to identify your error, its cause, and the solution.

### Check client settings

After you have checked client status, review the Cloudflare One Client's settings on the device to check if the expected configuration has been applied. Open the `warp-settings.txt` file to review the Cloudflare One Client settings. You will check the device's applied device profile and split tunnel configuration.

#### Example `warp-settings.txt` file

Find the client diagnostic logs on your desktop, and open the `warp-settings.txt` file. Review the following example `warp-settings.txt` file and the descriptions of its content below.

```

Merged configuration:

(derived)   Always On: true

(network policy)    Switch Locked: false # If false, does not allow the user to turn off the WARP toggle and disconnect the WARP client

(network policy)    Mode: WarpWithDnsOverHttps # The device's WARP mode, this mode is WARP with Gateway mode

(network policy)    WARP tunnel protocol: WireGuard

(default)   Disabled for Wifi: false

(default)   Disabled for Ethernet: false

(reg defaults)  Resolve via: 1xx0x1011xx000000000f0x00000x11.cloudflare-gateway.com @ [1xx.1xx.1x.1, 1x01:1x00:1x00::1xx1] # The SNI Cloudflare will use and the IP address for DNS-over-HTTPS (DoH) requests

(user set)  qlog logging: Enabled

(default)   Onboarding: true # If true, the user sees an onboarding prompt when they first install the WARP client

(network policy)    Exclude mode, with hosts/ips: # Split tunnel configuration

  1xx.1xx.1xx.1xx/25 (zoom)

...

  cname.user.net


(network policy)    Fallback domains: # Local domain fallback configuration

  intranet

...

  test

(not set)   Daemon Teams Auth: false

(network policy)    Disable Auto Fallback: false

(network policy)    Captive Portal: 180

(network policy)    Support URL: my-organizations-support-portal.com # Your organization's support portal or IT help desk

(user set)  Organization: Organization-Name

(network policy)    Allow Mode Switch: true  # The user is allowed to switch between WARP modes

(network policy)    Allow Updates: false # WARP client will not perform update checks

(network policy)    Allowed to Leave Org: true

(api defaults)  Known apple connectivity check IPs: xx.xxx.0.0/16;

(network policy)    LAN Access Settings: Allowed until reconnect on a /24 subnet # The maximum size of network that will be allowed when Access Lan is clicked.

(network policy)    Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11


```

Explain Code

Quick debugging

The command `warp-cli settings` in a terminal will generate the same information that is present in the `warp-settings.txt` file.

#### Contents of `warp-settings.txt` file

Review the meanings of the fields in `warp-settings.txt` that are relevant to troubleshooting.

##### Always On

Refers to the current state of the connection toggle in the GUI. In the example file, the toggle is switched on.

```

Always On: true


```

##### Switch Locked

Refers to the [Lock device client switch](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch) which allows the user to use the client's connection toggle and disconnect the client. In the example file, the value is `false` meaning the user is able to connect or disconnect at their discretion.

```

Switch Locked: false


```

When **Lock device client switch** is enabled (`true`), users will need an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to temporarily disconnect the Cloudflare One Client on their device.

##### Mode

Refers to the [client mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) the device is using. In the example file, the client mode is `WarpWithDnsOverHttps` which is Traffic and DNS mode. Refer to the [client modes comparison matrix](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/) to match your `warp-settings.txt` file's value with the mode name.

```

Mode: WarpWithDnsOverHttps


```

##### Exclude mode, with hosts/ips

Refers to your [split tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) settings. In the example file, the Cloudflare One Client is running in Exclude mode, meaning all traffic except for the traffic destined for these hosts and IPs will be sent through the WARP tunnel. The host `cname.user.net` and the IP `1xx.1xx.1xx.1xx/25 ` are both excluded from the WARP tunnel.

```

Exclude mode, with hosts/ips:

  1xx.1xx.1xx.1xx/25 (zoom)

...

  cname.user.net


```

Exclude mode versus Include mode

`Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify.

`Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel.

##### Fallback domains

Refers to your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) settings. In the example file, the Cloudflare One Client lists `intranet` as a domain that will not be sent to Gateway for processing and will instead be sent directly to the configured fallback servers.

```

(network policy)    Fallback domains:

  intranet

...


```

##### Allow Mode Switch

Refers to the [Mode switch](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#mode-switch) setting. In the example file, the mode switch is enabled (`true`) which means the user has the option to switch between [Traffic and DNS mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#traffic-and-dns-mode-default) mode and [Gateway with DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#dns-only-mode) mode.

```

Allow Mode Switch: true


```

##### Allow Updates

Refers to the [Allow updates](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-updates) setting. In the example file, the allow updates setting is set to `false` meaning that the user will not receive update notifications when a new version of the Cloudflare One Client is available and cannot update the client without administrator approval.

```

Allow Updates: false


```

**Allowed to Leave Org**

Refers to the [Allow device to leave organization](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-device-to-leave-organization) setting. In the example file, the value is set to `true` meaning the user can log out from your Zero Trust organization.

```

Allowed to Leave Org: true


```

**LAN Access Settings**

Refers to the [Allow users to enable local network exclusion](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-users-to-enable-local-network-exclusion) setting. When enabled, it allows users to temporarily access local devices (like printers) by excluding the detected local subnet from the WARP tunnel. This example indicates access is allowed until the next client reconnection, and only for subnets up to `/24`.

```

LAN Access Settings: Allowed until reconnect on a /24 subnet


```

**Profile ID**

Refers to the [Device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) a device is using. In this example, the ID is `000000x1-00x1-1xx0-1xx1-11101x1axx11`.

```

Profile ID: 000000x1-00x1-1xx0-1xx1-11101x1axx11


```

## 4\. Fix common misconfigurations

To verify that the Cloudflare One Client is configured and working properly, review the following:

1. Is the [wrong profile ID](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#edit-your-device-profile-match-rules) applied to the device?
2. Is the [wrong split tunnel configuration](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/#wrong-split-tunnel-configuration) active on the device?

### Wrong profile ID

A profile ID is a unique identifier assigned to each [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) in the Cloudflare One dashboard, used to determine which configuration settings apply to a device.

#### Check the applied device profile

To check that the applied device profile is the intended device profile:

1. Go to [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
2. Find and select the device profile intended for the device.
3. Under **Profile details**, compare the displayed **Profile ID** with the `Profile ID` in the `warp-settings.txt` file.

If your organization has multiple device profiles defined in the Cloudflare One dashboard, a device may be matched to an unexpected profile because:

* How [profile precedence](#review-profile-precedence) is configured.
* [Managed network](#review-your-managed-network-settings) issues (if you are using a managed network.)
* User group [mismatch](#check-a-users-group-membership).
* Lack of [precise match rules](#edit-your-device-profile-match-rules).

#### Review profile precedence

The Cloudflare One Client evaluates device profiles dynamically based on a hierarchy. When a device connects, the client checks the profiles from top to bottom as they appear in the dashboard. The client follows the first match principle — once a device matches a profile, the client stops evaluating and no subsequent profiles can override the decision.

The **Default** profile is always at the bottom of the list. It will only be applied if the device does not meet the criteria of any profile listed above it. If you make another custom profile the default, all settings will be copied over into the **Default** profile.

Administrators can create multiple profiles to apply different settings based on specific criteria such as user identity, location, or operating system. Understanding this top-to-bottom evaluation order is crucial for ensuring that the correct policies are applied to devices.

Warning

Avoid [reordering profiles](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#order-of-precedence) unless you are confident it will not affect other users.

#### Review your managed network settings

A [managed network](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/managed-networks/) is a network location that you define with a TLS endpoint, like a physical office. The Cloudflare One Client checks for this TLS endpoint to determine its location and apply the corresponding device profile.

If the managed network is misconfigured or the TLS endpoint is unreachable, the device may fall back to an unintended profile.

When troubleshooting the Cloudflare One Client for managed network issues:

1. Verify the endpoint is reachable.  
The Cloudflare One Client connects to the TLS endpoint to identify the network. If the endpoint is down or unreachable, the Cloudflare One Client will fail to detect the network and apply the wrong profile.  
To test connectivity and obtain the SHA-256 fingerprint of a remote server:  
Terminal window  
```  
openssl s_client -connect <private-server-IP>:443 < /dev/null 2> /dev/null | openssl x509 -noout -fingerprint -sha256 | tr -d :  
```  
The output will look something like:  
```  
SHA256 Fingerprint=DD4F4806C57A5BBAF1AA5B080F0541DA75DB468D0A1FE731310149500CCD8662  
```  
If the endpoint is down, you will receive a `Could not find certificate from <stdin>` response.  
If you received a returned SHA-256 fingerprint:  
   1. Log into [Cloudflare One ↗](https://one.dash.cloudflare.com/), and go to **Team & Resources** \> **Devices** \> **Device profiles**.  
   2. Go to **Managed networks** \> **Edit**.  
   3. Compare the TLS Cert SHA-256 in the dashboard with the returned fingerprint in your terminal to ensure they match.
2. Use a single profile for a single location.  
To simplify management and prevent errors, avoid creating multiple managed network profiles for the same location. For example, if you have multiple TLS endpoints in one office, link them all to a single device profile. This reduces the risk of a device matching an unintended profile due to a configuration error.

#### Check a user's group membership

If a user is having issues with a device profile, it may be because they are not part of the correct user group. This can happen when an organization is not using SCIM for automatic identity provider (IdP) updates.

To check that the user belongs to the intended group:

1. Log into [Cloudflare One ↗](https://one.dash.cloudflare.com/) \> go to **Team & Resources** \> **Devices** \> **Your devices**.
2. Select the user.
3. Under **User Registry Identity**, select the user's name.
4. The **Get-identity endpoint** lists all the groups the user belongs to.

If the user was recently added to a group, they will need to update their group membership with Cloudflare Zero Trust. This can be accomplished by logging into the reauthenticate endpoint.

To manually refresh your Cloudflare Access session and update your group information from your identity provider (IdP), go to the following URL in your browser and fill in your [team name](https://developers.cloudflare.com/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name):

`https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/refresh-identity`

Reauthenticating resets your [session duration](https://developers.cloudflare.com/cloudflare-one/access-controls/access-settings/session-management/) and fetches the latest group information from the organization's IdP.

#### Edit your device profile match rules

To modify the match rules of a device profile, you will need to edit the device profile. To edit the device profile:

1. In [Cloudflare One ↗](https://one.dash.cloudflare.com), go to **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
2. Locate the [device profile](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/) you would like to update and select **Configure**.
3. Use [selectors](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/device-profiles/#selectors) to add or adjust match rules, and modify [device client settings](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#device-settings) for this profile as needed.  
Note  
Changing any of the settings below will cause the client connection to restart. The user may experience a brief period of connectivity loss while the new settings are being applied.  
   * [Service mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#service-mode)  
   * [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#local-domain-fallback)  
   * [Split Tunnels](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#split-tunnels)
4. Select **Save profile**.

It may take up to 10 minutes for newly updated settings to propagate to devices.

Note

Identity-based selectors are only available if the user [enrolled the device](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/manual-deployment/) by logging in to an identity provider (IdP).

### Wrong split tunnel configuration

Split Tunnels can be configured to exclude or include IP addresses or domains from going through the Cloudflare One Client (formerly WARP). This feature is commonly used to run the Cloudflare One Client alongside a VPN (in Exclude mode) or to provide access to a specific private network (in Include mode).

Warning

Split Tunnels only impacts the flow of IP traffic. DNS requests are still resolved by Gateway and subject to DNS policies unless you add the domains to your [Local Domain Fallback](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/) configuration.

Because Split Tunnels controls what Gateway has visibility on at the network level, we recommend testing all changes before rolling out updates to end users.

A misconfigured [split tunnel](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/split-tunnels/) can cause connectivity issues.

For example, if you set your mode to Exclude IPs and domains and accidentally exclude an IP address needed by an application, that application may not work correctly. Similarly, in Include IPs and domains mode, forgetting to include a necessary IP or domain will cause traffic to bypass the Cloudflare One Client, and you will lose access to your Zero Trust security features.

#### 1\. Check the applied split tunnel configuration

After downloading the client diagnostic logs, review that your configuration is working as intended:

1. Open the `warp-settings.txt` file and find `Exclude mode, with hosts/ips:` or `Include mode, with hosts/ips:`.  
Exclude mode versus Include mode  
`Exclude mode` means all traffic will be sent through the WARP tunnel except for the IPs and domains you specify.  
`Include mode` means only traffic destined to the IPs or domains you specify will be sent through the WARP tunnel.
2. Log into [Cloudflare One ↗](https://one.dash.cloudflare.com/), go to **Team & Resources** \> **Devices** \> **Device profiles** \> **General profiles**.
3. Find and select the device profile intended for the device.
4. Select **Edit**.
5. Find **Split Tunnels** and note the mode you have selected > select **Manage**.
6. Cross-reference the IPs/hosts you have configured in the Cloudflare One dashboard with the IPs/hosts listed in `warp-settings.txt`.

If your dashboard split tunnel configuration does not match your `warp-settings.txt` file configuration, you may need to force the Cloudflare One Client to [update its settings](#update-the-cloudflare-one-clients-settings).

#### 2\. Update the Cloudflare One Client's settings

If the split tunnel configuration in `warp-settings.txt` does not match the dashboard, you can force the Cloudflare One Client to fetch the latest settings.

This can be done by instructing the end user to [disconnect and reconnect the client](#option-a-disconnect-and-reconnect-the-client), or [reset their encryption keys](#option-b-reset-the-encryption-keys).

Both methods update the client with the latest configuration.

**Option A: Disconnect and reconnect the client**

* [ Version 2026.2+ ](#tab-panel-5928)
* [ Version 2026.1 and earlier ](#tab-panel-5929)

1. On the end user device, open the Cloudflare One Client and select **Disconnect**.

What if the end user cannot disconnect?

If the end user does not see the [disconnect button](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch), they will need to enter an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes).

[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution.

1. Select **Connect**.

1. On the end user device, open the Cloudflare One Client and disconnect.

What if the end user cannot disconnect?

If the end user's [connection toggle](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#lock-device-client-switch) is locked, they will need an [admin override code](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#allow-admin-override-codes) to be able to disconnect.

[Resetting the encryption keys](#option-b-reset-the-encryption-keys) may be a faster solution.

1. Reconnect the Cloudflare One Client.

The client will fetch new settings when it reconnects.

**Option B: Reset the encryption keys**

To reset the encryption keys on an end user's desktop:

* [ Version 2026.2+ ](#tab-panel-5933)
* [ Version 2026.1 and earlier ](#tab-panel-5934)

1. Open the Cloudflare One Client on your device.
2. Go to **Connectivity** \> **Encryption keys**
3. Select **Reset keys**.

1. Open the Cloudflare One Client GUI on your device.
2. Select the gear icon > **Preferences** \> **Connection**.
3. Select **Reset Encryption Keys**.

Resetting the encryption keys forces the client to reestablish its tunnel and retrieve the latest configuration.

## 5\. Get help

For the fastest possible troubleshooting, ensure your support ticket includes comprehensive details. The more context you provide, the faster your issue can be identified and resolved.

To ensure efficient resolution when [contacting support](https://developers.cloudflare.com/support/contacting-cloudflare-support/), include as much relevant detail as possible in your ticket:

* Context: Briefly describe the scenario or use case (for example, where the user was, what they were trying to do).
* Reproduction steps: Describe the steps you took to reproduce the issue during troubleshhooting.
* Timestamps: Be specific and include the exact time and time zone when the issue occurred.
* Troubleshooting attempts: Outline any troubleshooting steps or changes already attempted to resolve the issue.
* Client diagnostics logs: Include the client diagnostics you downloaded from the dashboard or through the CLI.

Write a detailed ticket to resolve your issue faster

Avoid vague descriptions and include scenario, timestamps, and steps taken to troubleshoot the issue. Refer to the following example:

Karen was on a train on July 17, 2025, at approximately 1:00 PM Central Time. She attempted to connect to a captive portal but received the following error message in Chrome: `ERR_CONNECTION_RESET`. A warp diag was collected immediately after and is attached.

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/team-and-resources/","name":"Team and resources"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/team-and-resources/devices/","name":"Devices"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/","name":"Cloudflare One Client"}},{"@type":"ListItem","position":6,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/","name":"Troubleshoot the Cloudflare One Client"}},{"@type":"ListItem","position":7,"item":{"@id":"/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/troubleshooting-guide/","name":"Cloudflare One Client troubleshooting guide"}}]}
```