For Re-authenticate, WARP will invoke a web browser page in the default browser and go to https://team- .cloudflareaccess.com/cdn-cgi/access/refresh-identity, and then the page will be redirected to https://team- .cloudflareaccess.com/cdn-cgi/access/login/.cloudflareaccess.com?kid=token
However, my browser is configured with a Zscaler PAC file. So the Cloudflare website will return “Error: Please enable WARP” for refresh-identity, even though WARP is already enabled. If I disable this PAC file setting prior to the Re-authenticate, I can see the URL redirection and I can see the One-Time PIN login window.
With the PAC file enabled, my web browser source IP is an Internet IP of the Zscaler service. I think that is why it is not recognized by Cloudflare. It is not the same as the source IP of my active WARP client. This Zscaler IP is not associated with my WARP client session, so Cloudflare thinks WARP is not enabled.
With the PAC file disabled, my web browser source IP is the same as the source IP of my WARP client. It is associated with my current active WARP client session.
The Re-authentication only uses https://team-name.cloudflareaccess.com/cdn-cgi/access/refresh-identity without any token, so Cloudflare can only use the HTTP GET source IP to tell if WARP is enabled?
I have already included *.cloudflareaccess.com in the Split-Tunnel setting.
My workaround is to use a browser extension to switch the PAC during Re-authenticate. I would like to know if this is the case and if this issue can be solved.
Thanks.