Small number of customers can't connect to site proxied via Cloudflare

Hello,

We’ve recently moved our assets (js, css, fonts…) to a separate domain that is hosted in Proxy mode via Cloudflare. Files are stored on S3. Since we made this switch everything works OK for the majority of customers, but we’ve received complaints from a couple of customers who can’t connect.

From what they shared, it looks like they are getting a timeout from the assets subdomain. So the flow is: the website is served on site.example.com and assets are on assets.example.com. They connect successfully to site.example.com but they receive “net::ERR_CONNECTION_TIMED_OUT” when loading assets from assets.example.com. What seems to help is to try a different connection. E.g. switching to a mobile phone makes it work. So it looks like some specific ISPs cause the issue.

I guess it is possible that either those ISPs block Cloudflare for some reason or Cloudflare blocks incoming traffic from the ISP.

Any ideas what could be causing this?

Thanks,
Mateusz

Hi there,

Your theories could definitely be possible.

The connection timed out error suggests that they are not able to establish a connection with our edge and could be down to a network issue or ISP/Government blocking.

  • Is there any pattern to the reports you are receiving from customers? (eg. country/ISP that they are browsing from)

  • Are they able to browse other sites on Cloudflare?

  • Are they able to do a traceroute/MTR to your assets.example.com to see what the network route looks like?

These are some of the things that would help narrow the scope of what this could be.

Hope this helps!

Hi Damian,

Thanks for getting back to me.

> Is there any pattern to the reports

We have a very small sample of those customers to see patterns yet. The small sample suggests it is a rare problem, but we still need to find a way to solve it for them.

One customer did seem to nail it down to a single ISP in a room they are renting. The ISP is G.Network in London. They confirmed that while on a network that goes via that ISP they can’t connect, and when they switch to a mobile network it works fine.

> Are they able to browse other sites on Cloudflare?

Good thinking. What would be the best site to test? Simply cloudflare.com?

> Are they able to do a traceroute/MTR

I thought that would be too technical to ask customers to do, but I guess there are some online MTR tools. Will check it out.

As you know it is not easy to debug with customer hands, as sometimes you need to wait multiple days for the reply.

Last question. Could any Cloudflare WAF rules cause such timeouts? I guess it would be rather some kind of immediate reject or captcha rather than a timeout, right? I’ve enabled all WAF rules skip today for that subdomain. Not sure if it can help. In the events tab, I couldn’t see any affected request that could be from an actual customer.
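
The distinction discussed in the last two posts, as an added example that is not part of the original thread: a probe that reports how far an HTTPS request gets (DNS, TCP connect, TLS handshake, HTTP status), so a connection that never reaches the edge can be told apart from a request that was answered. The function names and stage labels are illustrative assumptions; the default hostnames are the thread's placeholders plus the control site suggested above.

```python
import socket
import ssl
import sys

def probe(host, port=443, timeout=5.0):
    """Return the stage at which an HTTPS request to host stops."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_error"
    except socket.timeout:
        return "tcp_timeout"        # no answer to the TCP connect at all
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:
        return "tcp_error"
    try:
        tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except socket.timeout:
        sock.close()
        return "tls_timeout"        # TCP connected, handshake got no reply
    except OSError:                 # includes ssl.SSLError and certificate errors
        sock.close()
        return "tls_error"
    try:
        with tls:
            req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            parts = tls.recv(4096).split(b"\r\n", 1)[0].split()
    except OSError:
        return "http_no_response"
    if len(parts) < 2:
        return "http_no_response"
    return "http_" + parts[1].decode("ascii", "replace")

def connection_completed(stage):
    """True when TCP and TLS completed, the precondition for any HTTP-level rule to act."""
    return stage.startswith("http_")

if __name__ == "__main__":
    # Placeholder hostnames; pass real ones as arguments.
    hosts = sys.argv[1:] or ["assets.example.com", "site.example.com", "cloudflare.com"]
    for h in hosts:
        stage = probe(h)
        print(f"{h}: {stage} (connection completed: {connection_completed(stage)})")
```

Run from an affected network and from a working one: a `tcp_timeout` for the assets host alongside an `http_...` result for the control site points at the path to that specific host rather than at a rule evaluated on the request.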
