Error 523 but monitor says healthy

Hi, I am getting an error 523 when hitting my site (which is a backup pool that I forced traffic to) and the error appears and no webpage. The odd thing is that the server passes the health check and shows healthy, but won’t display.

I am running ACL rules on my side because other sites on that server were DDoS’d. Now when I disable all ACL rules, the site shows up perfectly. I added the listed IP ranges you post for CF as well. Odd why it passes a health check but can’t actually display. Any ideas?

Hi there,

This is a tough one to answer without looking at the specific domain and situation, but I immediately am thinking it’s one of these things:

  • Your health check monitor is checking something different to where you are routing your requests for your DNS records
  • There is different behaviour from one of the Cloudflare IP addresses that are used for healthcheck probes compared to the IPs that are connecting to your origin server.

It’s difficult to say without doing some checks; if you’re happy to share your domain here, I can take a look and give you some high level advice here without being specific. If you would like specifics, there may be a need to move this to a support ticket.

Hope this helps
regards,

Thanks Damian,

The site is a personal site I am using as a test for other business sites that are using failover that I set up in CF. The issue is actually happening with the failover pool’s server. I currently have the site, salvatoreverini dot com failed over to the box that is giving the issue. Any help would be greatly appreciated!! Thank you!!

Damian,

So we have been playing with some ACL rules on our firewall and sometimes it works, sometimes it doesn’t. When it does work the page takes forever to load. I think we’re missing something in our ACL or partially blocking something??

This is very possible - A 523 means that we are seeing a no route to host - normally this is caused by network connectivity between Cloudflare and your origin (e.g. a routing loop) but it can also be caused by some ACL/Security devices that return this response when someone tries to connect.

Ensuring that you have our Cloudflare IPs - IP Ranges - allow listed on any ACL/Security devices and that our IPs are blocked or rate-limited in any way is important to avoid this.

So those IPs were always in the ACL list though. That’s what is odd. If you go to the site now, you will see it does not display.

Are you able to share the domain name? - I may be missing it, but I can’t see it anywhere in the posts.

Sure. It is salvatoreverini com

also there is no SSL (or port 443) active on that site. Does that matter?

That should not matter in this case.

I’ve done testing using our internal tooling and looking at some internal data - there are some locations where we are seeing 523s for your site.

I’ve tested from one of those Cloudflare datacenters and we see this when trying to connect to your server.

Source IP: 172.70.82.39
nc: connect to xxx.xxx.xxx.xxx port 80 (tcp) timed out: Operation now in progress

Source IP: 172.70.82.38
nc: connect to xxx.xxx.xxx.xxx port 80 (tcp) failed: No route to host
[exit code 1]

I’ve censored the IP because we are talking in a public forum, but you can see we are having connectivity issues trying to reach your origin server from our IPs, we are seeing an ‘Operation now in progress timed out’ which would result in a 522 error and the other we are seeing ‘No route to host’ which is causing the 523s.

I’d recommend reaching out to your host here to see what could be happening, maybe there is some security device at their perimeter that could be causing this behavior and would need to be investigated there.
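The advice above boils down to two checks a defender can automate: does the ACL actually permit the published Cloudflare edge ranges in full, and what verdict does it give for the specific edge addresses that showed up in the failed probes? The script below is an added example, not code from this thread or from Cloudflare. It uses a constructed `permit|deny <cidr>` ACL syntax, a constructed subset of Cloudflare ranges (fetch the current list from Cloudflare’s IP Ranges page before relying on it), and the two probe source addresses quoted in the post. The deliberately mistyped mask in `BAD_ACL` reproduces the kind of "incorrect subnet" that leaves part of an edge range unreachable while other probes (and a health check from a different address) still succeed.

```python
import ipaddress

# Constructed subset of the published Cloudflare edge ranges (assumption: illustrative
# only; replace with the current list from Cloudflare's IP Ranges page).
CLOUDFLARE_RANGES = ["172.64.0.0/13", "173.245.48.0/20", "103.21.244.0/22"]

# The two probe source addresses quoted in the thread.
PROBE_SOURCES = ["172.70.82.39", "172.70.82.38"]

# Constructed ACL in a simple 'permit|deny <cidr>' syntax, first match wins.
# The first rule carries a mistyped mask: /24 was entered where /13 was meant.
BAD_ACL = """
permit 172.64.0.0/24      # typo: should be /13
permit 173.245.48.0/20
permit 103.21.244.0/22
deny   0.0.0.0/0
"""
GOOD_ACL = BAD_ACL.replace("172.64.0.0/24", "172.64.0.0/13")


def parse_acl(text):
    """Parse the constructed ACL syntax into ordered (action, network) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, cidr = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, ipaddress.ip_network(cidr, strict=False)))
    return rules


def acl_decision(rules, ip):
    """First-match evaluation of one source address, with an implicit final deny."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"


def uncovered_ranges(rules, ranges):
    """For each published range, return the address space that no permit rule covers.

    Only permit rules are considered, so this audits allowlist coverage and ignores
    rule ordering; use acl_decision() for ordering-sensitive point checks. CIDR
    blocks are either disjoint or nested, so subtraction needs just three cases."""
    permits = [net for action, net in rules if action == "permit"]
    report = {}
    for cidr in ranges:
        remaining = [ipaddress.ip_network(cidr)]
        for net in permits:
            nxt = []
            for block in remaining:
                if net.supernet_of(block):      # block entirely allowed (or equal)
                    continue
                if block.supernet_of(net):      # permit carves a hole out of block
                    nxt.extend(block.address_exclude(net))
                else:                           # disjoint: block stays uncovered
                    nxt.append(block)
            remaining = nxt
        report[cidr] = sorted(remaining)
    return report


def audit(acl_text, ranges=CLOUDFLARE_RANGES, probes=PROBE_SOURCES):
    """Run both checks: per-probe verdicts plus the count of uncovered addresses."""
    rules = parse_acl(acl_text)
    verdicts = {ip: acl_decision(rules, ip) for ip in probes}
    gaps = {cidr: sum(n.num_addresses for n in nets)
            for cidr, nets in uncovered_ranges(rules, ranges).items()}
    return verdicts, gaps


if __name__ == "__main__":
    for label, acl in (("bad", BAD_ACL), ("good", GOOD_ACL)):
        verdicts, gaps = audit(acl)
        print(label, verdicts, {c: g for c, g in gaps.items() if g})
```

With `BAD_ACL` both probe addresses fall through to the final deny and the audit reports most of 172.64.0.0/13 as uncovered, which is exactly the situation where a monitor probing from a covered address reports healthy while edge locations in the uncovered part of the range get no route. With `GOOD_ACL` every probe is permitted and no range has leftover space.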

Thank you! I’ll forward this to the person who controls the ACL and let you know what we find.

I believe we got it. We looked more into the ACL as stated and found an incorrect subnet was entered. Once corrected, it seems to work well. Thank you again!!