Cloudflare require gateway is not working

Could anyone please tell me the issue? I have set up an Application with require gateway and I am using the WARP client on Android but I am getting forbidden.

Do I need to put the DoH subdomain in the WARP client?

I think it’s Chrome.

The rule is working and when I disconnect WARP, I am getting forbidden, but when I reconnect and refresh the page I am still getting forbidden. It’s not the case with Firefox. I don’t know what it is, is it cache?

When I go through this link https://www.example.com/cdn-cgi/trace

In incognito mode I get gateway=on but in normal mode it says gateway=off 😑

Hi there!

Could you please confirm if the warp is in Gateway mode and not in DoH mode?
Irrespective of incognito mode or not, when Warp is enabled and you have the proxy toggle enabled in your team dashboard, it should show gateway=on

@Sheril_Nagoor appreciate your response

I use Android

The proxy is even on

I even cleared the data of both Chrome and the WARP client. One thing I noticed is that when I sign in using a Google account after clearing cache the issue starts appearing

Update: my root domain shows gateway is on while my subdomain shows gateway is off. 🤷🤷😿

The issue is due to HTTP3 QUIC enabled in Chrome, I disabled it and it’s working. Also does WARP support TLS 1.3? Because I see only TLS 1.2

Thanks! The settings look good. If the “require gateway” isn’t working it is probably that the warp isn’t aware of device posture rules / it is not getting the settings. Please correct me, did you mention that it works fine with Firefox?

We may need to check the complete logs to understand what is going on in this case. Can you please open a ticket with us and share the warp logs?

Does this work on your laptop/desktop?

While I am using the free plan, can I make a ticket?

It’s set correctly, I am using Firefox on Android

Warp logs @Sheril_Nagoor

I guess the issue is with HTTP3

Thanks for sharing the logs, I have gone through the logs and couldn’t find anything obvious that could be causing this issue. The logs say that you have logged into your org and are in Warp mode and a tunnel has been established successfully.
I have tested this on my Android device and the require gateway rule works fine and as expected. Could you please review your Access rules? You would be having an include rule and a require rule which is “require Gateway”; could you please check if you are using the same user ID that is allowed/mentioned in the Include rule?

It was due to HTTP 3 in my Chrome browser so I disabled it and it works. You can just enable HTTP 3 on Android Chrome and see how it goes. When will Cloudflare support HTTP 3?

Same issue here. /cdn-cgi/trace shows that warp & gateway are ‘off’ when over http/3. If I disable quic in Chrome it drops down to http/2 and works. The only requirement I have is to require gateway connection in Teams. I have UDP proxy enabled also.

Does anyone have a solution for this? I have exactly the same problem. When I check my connection with cloudflare.com/cdn-cgi/trace/ I get one of two results:

  • Protocol is HTTP/2 and gateway is on
  • Protocol is HTTP/3 and gateway is off

The switch between either happens when I change network (or from/to mobile) but http/2 always is temporary for a few minutes.

When the gateway shows as off, the rule “require gateway” is not working, but “require warp” is.

For my tests I am using an iPhone with the default Safari on default settings. So I’m not really sure the phone is actually using http/3, I am seeing the issues in apps as well.

@Sheril_Nagoor any information I can provide you with to get to a solution? I am testing this on a free account to prepare for a potential company-wide implementation. But this is a blocking issue.

Could you try disabling quic/HTTP3 on your browser and test to see if that gets it working?

@Sheril_Nagoor I have never switched this on… But I see this behaviour consistently on multiple iOS clients with Chrome, Safari and http-based apps. I checked in the experimental settings of Safari and http/3 is switched off.

Again, the weird thing is that after switching network or renewing the encryption keys it (usually) works for a few minutes and then falls back to “gateway=off” and “warp=plus”. To be honest I doubt the client is actually using http/3 but maybe there is some of the iOS privacy settings interfering.

The rules work for both Windows and osx clients, so that is not the problem.

This issue is expected when the traffic uses HTTP/3: the gateway will bypass it, hence the rule “require gateway” won’t work. This will be supported by Q2/Q3. Meanwhile, to confirm if you are using HTTP/3 or not, please check the header trace or visit https://cloudflare-quic.com/
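
The trace check suggested in the reply above, as an added example that is not part of the original thread: a Python helper that parses `/cdn-cgi/trace` output and separates the HTTP/3 bypass case from other causes of `gateway=off`. The sample traces are constructed, only the `http`, `warp` and `gateway` keys are read, and the category names returned by `diagnose` are hypothetical labels.

```python
# Added example: classify /cdn-cgi/trace output for the "require gateway" problem.
# The traces below are constructed samples, not captured responses.

HTTP2_ON = "http=http/2\nwarp=on\ngateway=on\n"
HTTP3_PLUS = "http=http/3\nwarp=plus\ngateway=off\n"   # as reported on iOS in the thread
HTTP3_OFF = "http=http/3\nwarp=off\ngateway=off\n"     # as reported with Chrome + QUIC
HTTP2_OFF = "http=http/2\nwarp=on\ngateway=off\n"      # HTTP/3 ruled out, still failing


def parse_trace(text):
    """Parse the key=value lines of a trace response into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:  # skip blank or malformed lines; values may themselves contain '='
            fields[key] = value
    return fields


def diagnose(text):
    """Return a label (hypothetical names) for why 'require gateway' may fail."""
    f = parse_trace(text)
    proto = f.get("http", "").lower()
    if f.get("gateway", "off") == "on":
        return "ok"
    # Check the protocol first: over HTTP/3 the thread reports gateway=off
    # (and sometimes warp=off) even while the WARP client is connected.
    if proto == "http/3":
        return "http3-bypass"
    if f.get("warp", "off") == "off":
        return "warp-not-connected"
    # Gateway is off on HTTP/2 with WARP up: not the HTTP/3 issue, so the
    # client logs and Access rules need a closer look.
    return "gateway-off-other"


if __name__ == "__main__":
    for name, sample in [("http2_on", HTTP2_ON), ("http3_plus", HTTP3_PLUS),
                         ("http3_off", HTTP3_OFF), ("http2_off", HTTP2_OFF)]:
        print(name, "->", diagnose(sample))
```
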

Is there a way to disable HTTP/3 on our domain? We use a Cloudflare Tunnel to an internal service, which is accessed through Cloudflare Access. Will disabling HTTP/3 on the dash of my Cloudflare “website” (https://dash.cloudflare.com/) also disable it for Cloudflare Zero Trust applications accessed through that domain?

UPDATE: can confirm this works. So restricting the Cloudflare domain one uses to access internal applications to HTTP/2 solves the incompatibility with gateway. Would have been very helpful if this was documented somewhere, I have not found a single reference to this issue - or the solution.

@Sheril_Nagoor
I don’t have HTTP/3 enabled and I even disabled it on my domain, however the Gateway and Warp rules aren’t working.

I tested on macOS, Windows, Linux and Android, the same behavior was happening on all 4 of those.

https://cloudflare-quic.com - Reports HTTP/2 (I was only able to force HTTP/3 by forcing it in the Chrome flags)

I did a post which contains screenshots and more details of my setup