Common issues
This section covers the most common issues you might encounter as you deploy the WARP client in your organization, or turn on new features that interact with the client. If you do not see your issue listed below, refer to the troubleshooting FAQ or contact Cloudflare Support.
If WARP is stuck in the Disconnected
state or frequently changes between Connected
and Disconnected
, this indicates that the client cannot establish a connection to Cloudflare's global network.
In your WARP debug logs, daemon.log
will typically show one or more of the following errors:
-
Happy Eyeball checks failing:
-
Many other checks timing out:
Here are the most common reasons why this issue occurs:
A third-party service (such as a hardware or software firewall, router, MDM/group policy configuration, or other networking interface) may have a security policy in place which blocks WARP from connecting.
Configure the third-party service to exempt the IP addresses required by WARP.
The most common places we see interference with WARP from VPNs are:
-
Control of traffic routing: In
daemon.log
, you will see a large number of routing table changes. For example,This indicates that a third-party VPN is fighting WARP for control over the routing table.
-
Control of DNS: In
daemon.log
, you will see a large number of DNS changes followed by this warning:The daemon may also note that some other process has already bound to the UDP and TCP sockets:
To confirm that the VPN is the source of the issue, temporarily uninstall (not disable or disconnect) the VPN.
- Disable all DNS enforcement on the VPN. WARP must be the last client to touch the primary and secondary DNS server on the default interface.
- In Zero Trust ↗, create a Split Tunnel rule to exclude the VPN server you are connecting to (for example,
vpnserver.3rdpartyvpn.example.com
). - Configure your VPN to only include routes to your internal resources. Make sure that the VPN routes do not overlap with the routes included in the WARP tunnel.
For more information, refer to our guide for running VPNs alongside the WARP client.
Some countries explicitly block the use of VPN or VPN-like software that intentionally encrypts traffic. These blocks are often inconsistently enforced and you may sometimes see successful connections.
If you suspect your country may be blocking WARP traffic, contact your ISP to verify.
WARP cannot parse resolv.conf
files which contain an invalid hostname. In daemon.log
, you will see an unrecognized char
warning:
- Open the
/etc/resolv.conf
file on your device. - In the
search
directives, check for invalid URL characters such as!@#$%^&*()<>?
. - Remove the invalid lines and rely on WARP and Gateway for DNS services.
If WARP shows as Connected
but you cannot reach any websites or internal resources, this is likely due to one of the following configuration issues.
A misconfigured Gateway firewall policy can result in traffic to some or all sites being restricted.
- In Zero Trust ↗, go to Gateway > Firewall Policies.
- Disable all DNS, Network, and HTTP policies and see if the issue persists. It may take up to two minutes for the change to take effect. Note that all policy enforcement happens on the Cloudflare global network, not on your local device.
- Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their order of enforcement.
Installing and trusting a root CA is a necessary step to enable advanced security features such as Browser Isolation, TLS decryption, AV scanning, and device posture.
If the root CA is not installed on the device, you will see untrusted certificate warnings on every website. Example warnings include Certificate not trusted
, Not trusted identity
or SSL Error
.
Install a Cloudflare certificate on all of your devices, or upload your own certificate to Cloudflare.
WARP does not allow third-party DLP or proxy services to perform TLS decryption on traffic sent to Gateway.
To diagnose the issue, go to https://zero-trust-client.cloudflareclient.com/v0/client_config
and verify the certificate the HTTPS traffic is signed with. If the certificate is issued by your organization or a third-party service, the third-party service is performing TLS decryption on WARP traffic and re-signing with a certificate that we do not trust.
In the third-party security product, disable HTTPS inspection and TLS decryption for the WARP IP addresses.
If you are using WARP and running a CI/CD pipeline inside a Docker container on Microsoft hardware to provide GitHub Actions with an egress IP, your container's /etc/resolv.conf
file might be injecting a custom nameserver with the IP address 168.63.129.16
↗ (specific to Azure infrastructure.)
The 168.63.129.16
IP address is only accessible to Azure VMs and causes the container's traffic to fail when routed through the Cloudflare WARP tunnel.
To fix this issue, you must exclude the Azure-specific nameserver IP (168.63.129.16
) from being routed through WARP tunnel. Refer to Split Tunnels and follow the instructions to exclude the Azure-specific IP.
Below are the most common reasons why turning on WARP blocks a specific application from loading.
Some applications do not support SSL inspection or are otherwise incompatible with TLS decryption. Gateway provides a list of applications known to perform certificate pinning.
Applications such as Firefox, Docker, Python, and npm rely on their own certificate store and the Cloudflare root certificate must be trusted in each.
Refer to our instructions for adding a root certificate to common applications. For applications not on our list, try searching the Internet for <app-name> proxy support
or <app-name> proxy certificate
.
If you cannot install the certificate on the application, create a Do Not Inspect policy to exclude the application from Gateway inspection.
You may have a Gateway DNS, Network, or HTTP in place that accidentally blocks a port, IP, or domain that the app or site relies on.
- In Zero Trust ↗, go to Gateway > Firewall Policies.
- Disable all DNS, Network, and HTTP policies and see if the issue persists. It may take up to two minutes for the change to take effect. Note that all policy enforcement happens on the Cloudflare global network, not on your local device.
- Slowly re-enable your policies. Once you have narrowed down the issue, modify the policies or their order of enforcement.
Some applications require traffic to flow either all inside or all outside of the WARP tunnel. For instance, in order to use AirDrop or communicate with a local printer, traffic must be outside the tunnel. For applications like Microsoft Teams to function properly, all Microsoft Teams traffic must be either fully inside the tunnel or fully outside the tunnel.
- Determine the IP addresses and/or domains required for your application to function. Common Internet search terms include
<app-name> split tunnel list
,<app-name> allow list
, or<app-name> firewall ips
. - In Zero Trust ↗, go to your Split Tunnel settings.
- Depending on the application, either include or exclude all of the necessary IPs and/or domains. For Microsoft applications, we provide a one-click action to exclude all Microsoft 365 IPs.