"cloudflared access login" works but returns timeout error

Bit of an odd one, but I’ve been testing Cloudflare Access to see if it’d be appropriate for accomplishing multi-factor authentication for our Remote Desktop Gateway. I can get it to work just fine, but the problem I’m having is that when authenticating using the command “cloudflared access login ”, after successfully obtaining a token and challenging for credentials (if required), it returns the error:

2022-08-17T22:49:02Z ERR Could not verify token error="Get \"https://test-gateway.xxxx.com\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
Get "https://test-gateway.xxxx.com": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

Despite the error, I’m able to establish the tunnel by running cloudflared access tcp --hostname xxxx --url xxxx

Before I report this as a bug, I wanted to see if anyone else can replicate this. I’ve tried on Windows 11 and Windows 10, both within the corporate network and at home. I’ve also tried recreating the application entry, renaming it, creating a new tunnel service, etc. Same result every time. The only time it’s worked without the error was when I had the Cloudflare Warp client installed, but that shouldn’t be a requirement.

Note, if I run cloudflared access tcp --hostname xxxx --url xxxx without first running the login command, it’ll throw the browser window up for authentication if required and it’ll all work without the error. It’s just that I’d prefer, for the sake of making it easier and more intuitive for end users, to run the login command first and get the login step out of the way. I’d just rather not have an error come up every time, making it look like something went wrong.

I appear to have fixed it. It ended up being on the tunnel service end; the box I installed the tunnel on. I went looking for logs and while doing so I saw “cloudflared.exe.new” sitting in the install directory “C:\Program Files (x86)\cloudflared” which was a week newer than “cloudflared.exe”. I killed the service, deleted “cloudflared.exe” and renamed “cloudflared.exe.new” to “cloudflared.exe” before restarting the service.

Now the token is retrieved and output without the error message. So clearly the “update” command did something along the way. Odd.

Problem still exists. It seems that when the tunnel service is stopped, it returns a token without generating the error. As soon as the tunnel service is started again, I get the error. Really odd.