Error 521 Horror - losing $1 000 000 per hour

Sorry, the subject drama was in hopes of getting attention …

I keep getting Error 521 and am at the end of my wits on troubleshooting it and believe that the problem lies with Cloudflare.

Fresh install of cyberpanel on centos7 on VPS with OVH ip address.

Domain resolves fine to webserver with non CF dns.

Move domain to CF dns and get an Error 521.

  • have added CF IPs to CSF allow
  • have disabled CSF
  • have enabled dev mode on CF
  • have paused CF on the site
  • no connection records in CF firewall events
  • no connection records in CP/CSF

The requests seem to hit the CF network and blackhole.

Move domain off of CF dns and it resolves to webserver fine.

Any suggestions?

Problem seems to be with CF?

Are you saying if you Pause Cloudflare, your site still doesn’t work? When Cloudflare is paused from the Overview screen, it’s just straight DNS, and then direct connections to your server.

If that’s the case, then your DNS records here are not correct.

p.s. If my diagnosis is correct, I’d like .1% of your hourly revenue for the next 6 hours.


Yes, when I pause CF no change; but it is still through the CF network isn’t it?

DNS records are simple, two lines: A record and cname for www and the problem exists across a number of domains, with same results.

Keep in mind that it takes 5 minutes for Pause Cloudflare to take effect due to DNS TTL.

Thanks, yah good point I will try that again.

If not, going to create a fresh account and see if it is account related.

That shouldn’t make a difference. If Pausing doesn’t shed any light on the issue, post the domain name so we can test it.

OK, so pausing on CF allows the domain to resolve, going back again results in the 521 error.

There seems to be something more going on here, perhaps associated with the IP address?

I have other domains pointing to two other IP addresses and no issues elsewhere.

Take the domain off of CF and all is fine; I am down to a single A record which is correct.

I did also move to a new CF account and exactly the same result.

Does CF block IP addresses if they are dirty?

The IP address in question is currently listed on three blacklists: Level 3 UCEprotect (which comes with its own reputation) and two at Barracuda Central which going from memory just piggybacks off of UCEprotect.

I’m not sure which IP address you’re talking about. If it’s the public IP address, that doesn’t come to play at the server end. The general rule of thumb is that 5xx errors are due to a connection error between the server and Cloudflare.

A 521 error happens when Cloudflare is unable to make a TCP connection to your origin server. Review the suggestions in this Community Tip for Quick Fix Ideas. This often requires assistance from the web host.

VPS IP address; I am the webhost.

But again, non cloudflare dns and it resolves to the same port on the same ip just fine.

Right, but the difference is that it’s now Cloudflare IP addresses trying to connect to your server. It might be something upstream in the datacenter that’s not letting Cloudflare connect.

You can probably open a ticket and an engineer may try to connect to your server from a Cloudflare IP address to test it.

While you’re waiting, and if you have the site proxied, you can try a global test to see if any Cloudflare IP addresses can connect. Something like should be a good test, as it’s roughly 20 geographically dispersed servers connecting to your site.

My ip address came off of two of the rbls and my mysterious 521 problem seems to have completely disappeared.

So I will say that it looks like CF blocks dirty ip addresses; it would be wonderful if CF developed an applicable error code if this is in fact true!

Which IP address? Home? Origin server? Cloudflare’s public addresses for your site?

public VPS address

The public addresses have been popping up on RBLs, but I don’t see how it could possibly circle around and cause a problem with Cloudflare using its private IP addresses to connect to your server. But I’m glad it worked itself out.

Had similar issues in the past with Neostrada. Although on my own server all was fine, they were dropping TCP/IP connections coming from various Cloudflare servers to their whole network.
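
A check for the case discussed in this thread, where the origin firewall may be dropping Cloudflare's connections and producing the 521. This is an added example, not code from any poster: the log lines are constructed, the iptables-style `SRC=`/`DPT=` fields with a "Blocked" prefix are an assumed CSF log format, and the ranges are a subset of Cloudflare's published IPv4 list.

```python
import ipaddress
import re
from collections import Counter

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh the
# full list from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13",
    "172.64.0.0/13",
)]

FIELD = re.compile(r"\b(SRC|DPT|PROTO)=(\S+)")

def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)

def blocked_cloudflare(lines, web_ports=(80, 443)):
    """Count firewall-dropped TCP packets from Cloudflare per (src, port)."""
    hits = Counter()
    for line in lines:
        if "Blocked" not in line:
            continue
        fields = dict(FIELD.findall(line))
        try:
            src, port = fields["SRC"], int(fields["DPT"])
            if (fields.get("PROTO") == "TCP" and port in web_ports
                    and is_cloudflare(src)):
                hits[(src, port)] += 1
        except (KeyError, ValueError):
            continue  # truncated or malformed log line
    return hits

# Constructed sample lines in the assumed kernel/CSF log format.
PFX = "Feb 10 12:00:01 vps kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
SAMPLE_LOG = [
    PFX + "SRC=172.68.10.20 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=443",
    PFX + "SRC=172.68.10.20 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=443",
    PFX + "SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22",
    PFX + "SRC=162.158.90.4 DST=203.0.113.5 PROTO=TCP SPT=33001 DPT=80",
    PFX + "SRC=104.20.1.1 DST=203.0.113.5 PROTO=TCP SPT=33002 DPT=25",
]

if __name__ == "__main__":
    for (src, port), n in blocked_cloudflare(SAMPLE_LOG).items():
        print(f"{src} -> port {port}: {n} dropped")
```

An empty result while the 521 persists means the origin firewall never saw the connection attempts, which points at filtering upstream of the server.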
