Gateway device posture check not working

Hello,

I’m having a problem with the “Gateway” device posture check not working. Despite it being added in the “WARP Client” settings:

The “WARP client posture checks” section on my device’s page is empty (there is an information message “No results… yet! Results will appear here once conditions are met.”).

When I’m visiting https://cloudflare.com/cdn-cgi/trace I’m getting a response confirming that WARP and gateway are “on”:

fl=...
h=cloudflare.com
ip=...
ts=...
visit_scheme=https
uag=Mozilla/5.0 (Linux; Android 12; SM-G781B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36
colo=...
sliver=none
http=http/2
loc=...
tls=TLSv1.3
sni=plaintext
warp=on
gateway=on
kex=X25519

But when visiting the /cdn-cgi/trace endpoint on my page it shows that WARP and gateway are “off”:

fl=...
h=...
ip=...
ts=...
visit_scheme=https
uag=Mozilla/5.0 (Linux; Android 12; SM-G781B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Mobile Safari/537.36
colo=...
sliver=none
http=http/2
loc=...
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
kex=X25519

What’s interesting, it worked flawlessly for a few months and suddenly stopped at the beginning of October. I’ve already read some other similar topics and followed their suggestions, such as deleting and re-adding posture checks, reinstalling the 1.1.1.1 application, disabling HTTP/3 and enabling TLS decryption - unfortunately nothing has worked. It looks like, for some strange reason, my site doesn’t see that the call is coming from a device with Gateway. Do you have any ideas?

2 Likes

Same issue here. It worked for weeks and now it has suddenly stopped. I can confirm that “mydomain.com/cdn-cgi/trace” also shows “gateway/warp=off”.

The issue is on Windows and Android devices, using the latest version of the Warp/1.1.1.1 client.

Device posture checks other than WARP and Gateway are processed and passing (like the OS version check). But they are also ignored by the access/application rule.

Status on https://help.teams.cloudflare.com/ is “fully protected” - everything is green and checked.

2 Likes

Just noticed: I have a second domain in my Cloudflare account. On this domain I do not use any Zero Trust features (Access, Gateway), just the DNS service.

On this second domain the /cdn-cgi/trace endpoint also reports that warp and gateway are both off. (The Warp client is running, of course.)

Besides that, I have another independent Cloudflare account. No Zero Trust features are enabled (aka no free plan). The /cdn-cgi/trace endpoint here reports warp/gateway=on!

What’s happening here?

2 Likes

I am facing a similar issue in my setup but under different circumstances. For instance, I have multiple endpoints that require the Gateway device posture check, which work well when they are accessed from Belgium (where I live). However, when I tried accessing the same endpoints the next day from another country I received 403 Forbidden from Cloudflare. There is no Gateway Network or Application policy enforcing a specific geolocation. This is abnormal behaviour, since with the exact same setup I was able to access my endpoints from the same country (where I now have this issue) a month or two ago.

As a result of debugging in the country where the endpoints are not working, similarly to @RasAI, when I debug on the Cloudflare endpoint with /cdn-cgi/trace everything is fine, warp/gateway=on. When I debug on one of my endpoints with /cdn-cgi/trace, the result is warp/gateway=off.

Seems to be a real issue faced by others too.

2 Likes

@karol @RasAl, I raised this issue on Cloudflare’s Discord in the general group. You may want to join the discussion on Discord to bring your input on this issue.

2 Likes

Great! What’s the name/URL of the Discord server?
Is it Cloudflared Dev? https://discord.com/cloudflaredev

…I couldn’t find it in the last few days.

I also wrote on Cloudflare’s Reddit sub, where another user reported the same issue. Without success.

1 Like

The URL is https://discord.com/invite/cloudflaredev

1 Like

Having the same issues!

https://cloudflare.com/cdn-cgi/trace shows warp=off gateway=off
https://help.teams.cloudflare.com/ agrees and prompts me to install WARP even though it is running.

Please update if anyone finds a resolution elsewhere (Discord, Reddit, etc.)

2 Likes

@justins210 please post your issue on Discord and mention user “@secret”.

The more people report the same problem, the higher the chances are that it will be solved by CF.

In my case, I concluded that the issue is related to DNS. For Romania, the subdomain resolves to a different IP address (starting with 188.) than the expected ones (starting with 104.). For Belgium, everything is normal resolving to the expected IP.

It would be nice to have this debugged on your side too. Can you please execute the following and share the results in this thread?

dig <subdomain.example.com> +short
1 Like
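As an added example (not something posted in this thread, and not Cloudflare’s tooling), here is a small Python script that automates the two comparisons people are doing by hand here: parsing the key=value output of /cdn-cgi/trace from cloudflare.com versus from your own zone, and checking which first octet the zone’s hostname resolves to. The trace texts and IP addresses embedded below are constructed placeholders; the “expected” octets 104/172 and the “unexpected” 188 only mirror what posters reported for their working and non-working domains, not a documented Cloudflare rule.

```python
"""Triage helper for the WARP/Gateway posture symptom discussed in the thread.

Two checks:
  1. Compare /cdn-cgi/trace from cloudflare.com with /cdn-cgi/trace from the
     zone being protected. If the client reports warp/gateway=on against
     cloudflare.com but off against the zone, the WARP client itself is fine
     and the problem sits on the zone / routing side.
  2. Compare the first octets of the zone's resolved IPs against the octets
     seen for a known-working domain (what the posters did with `dig +short`).
"""

# Constructed sample trace output, modelled on the two dumps posted above.
CF_TRACE = """fl=placeholder
h=cloudflare.com
ip=192.0.2.10
ts=1665000000.000
visit_scheme=https
http=http/2
tls=TLSv1.3
sni=plaintext
warp=on
gateway=on
kex=X25519
"""

SITE_TRACE = """fl=placeholder
h=subdomain.example.com
ip=192.0.2.10
ts=1665000000.000
visit_scheme=https
http=http/2
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
kex=X25519
"""


def parse_trace(text: str) -> dict:
    """Parse the one-key-per-line 'key=value' body of /cdn-cgi/trace."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue  # ignore blank or malformed lines
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def gateway_visible(trace: dict) -> bool:
    """True only when the edge saw the request arrive through WARP and Gateway."""
    return trace.get("warp") == "on" and trace.get("gateway") == "on"


def diagnose(cloudflare_trace: str, site_trace: str) -> str:
    """Classify the symptom: 'client', 'zone' or 'ok'.

    'client' -> even cloudflare.com does not see WARP/Gateway: look at the client.
    'zone'   -> cloudflare.com sees it but the zone does not: zone/routing side.
    'ok'     -> both endpoints agree that Gateway is on.
    """
    cf_ok = gateway_visible(parse_trace(cloudflare_trace))
    site_ok = gateway_visible(parse_trace(site_trace))
    if not cf_ok:
        return "client"
    return "ok" if site_ok else "zone"


def first_octet(ip: str):
    """Return the first octet of an IPv4 address as int, or None for IPv6/garbage."""
    parts = ip.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return int(parts[0])


def unexpected_octets(resolved_ips, expected_octets=frozenset({104, 172})):
    """First octets among `resolved_ips` that a known-good domain never showed."""
    seen = {first_octet(ip) for ip in resolved_ips}
    seen.discard(None)
    return sorted(o for o in seen if o not in expected_octets)


if __name__ == "__main__":
    # Replace the constants with the real bodies of
    #   curl -s https://cloudflare.com/cdn-cgi/trace
    #   curl -s https://subdomain.example.com/cdn-cgi/trace
    # and the lines of `dig subdomain.example.com +short` to triage a live case.
    print("verdict:", diagnose(CF_TRACE, SITE_TRACE))
    # Constructed dig output for a "faulty" and a "working" domain.
    print("odd octets:", unexpected_octets(["188.0.2.10", "104.0.113.7"]))
```

The verdict is only a first cut: a `zone` result says the WARP client is connected and cloudflare.com sees it, so reinstalling the client (as several posters tried) is unlikely to help, and the comparison of resolved first octets is the next thing worth collecting before opening a ticket.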

@bow interesting!
On my “faulty” domains I got IPs both starting with 188.

On my working domain it’s IPs starting with 104. and 172.

1 Like

Weird, my non-working domain prints 104 and 172.

@RasAI, indeed, I am experiencing the same. Is it possible to share the faulty domain with me for further checks? You can direct message me on Discord if you want.

Then in your case, @justins210, the issue is very likely related to a misconfiguration.

@bow I can confirm that on my non-working domain the IPs also resolve to ones starting with 188.

Correct me if I’m wrong, but wouldn’t the lack of gateway/warp=on when visiting https://cloudflare.com/cdn-cgi/trace indicate an issue with the WARP client? In my case this seems independent of my specific domain.

I followed the instructions here (‘Require WARP · Cloudflare Zero Trust docs’). Is there anything else I can do to diagnose my config?

Just to bring my input, I had the same issue on one of my domains one month ago.
I recreated the application on another domain in the same CF account.
Gateway bypass policy (same as the first one).
It works perfectly fine, which is weird.

1 Like

What IP (1st octet) does your non-working domain have?

188 same as yours.
172 and 104 for the working domain.

I was told that an internal ticket was created for this specific issue. Cloudflare has it in their backlog now; hopefully it will be fixed soon.

3 Likes