Unable to access some web sites protected by cloudflare

Dear community,
We are an ISP from Chile and some users drive me crazy because they can not access some websites protected by Cloudflare. It seems that it is blocking our public IP address, some segments work, others do not.
Many users belong to 201.218.128.0/19. Can you review this problem?
Websites:
www.bci.cl
www.es.99desigs.com/
www.amiami.com
www.leagueofleguend.com/

As Community members, we can not review this. You would have to contact the owners of those websites to lift the restrictions.

Can you post a screenshot of the block?

Hi,
I already made some tests with a customer, and captured some info with curl:
Faulty access:
C:\Users\Teruca>curl -v https://www.bci.cl

  • Rebuilt URL to: https://www.bci.cl/
  • Trying 104.16.13.14…
  • TCP_NODELAY set
  • Connected to www.bci.cl (104.16.13.14) port 443 (#0)
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 1/3)
  • schannel: checking server certificate revocation
  • schannel: sending initial handshake data: sending 175 bytes…
  • schannel: sent initial handshake data: sent 175 bytes
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 2/3)
  • schannel: failed to receive handshake, need more data
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 2/3)
  • schannel: failed to receive handshake, SSL/TLS connection failed
  • Closing connection 0
  • schannel: shutting down SSL/TLS connection with www.bci.cl port 443
  • Send failure: Connection was reset
  • schannel: failed to send close msg: Failed sending data to the peer (bytes written: -1)
  • schannel: clear security context handle
    curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

C:\Users\Teruca>


From my PC it is OK:
C:\Users\Optic CX>curl -v https://www.bci.cl

  • Rebuilt URL to: https://www.bci.cl/
  • Trying 104.16.13.14…
  • TCP_NODELAY set
  • Connected to www.bci.cl (104.16.13.14) port 443 (#0)
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 1/3)
  • schannel: checking server certificate revocation
  • schannel: sending initial handshake data: sending 175 bytes…
  • schannel: sent initial handshake data: sent 175 bytes
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 2/3)
  • schannel: failed to receive handshake, need more data
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 2/3)
  • schannel: encrypted data got 3257
  • schannel: encrypted data buffer: offset 3257 length 4096
  • schannel: sending next handshake data: sending 93 bytes…
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 2/3)
  • schannel: encrypted data got 258
  • schannel: encrypted data buffer: offset 258 length 4096
  • schannel: SSL/TLS handshake complete
  • schannel: SSL/TLS connection with www.bci.cl port 443 (step 3/3)
  • schannel: stored credential handle in session cache

GET / HTTP/1.1
Host: www.bci.cl
User-Agent: curl/7.55.1
Accept: */*

  • schannel: client wants to read 102400 bytes
  • schannel: encdata_buffer resized 103424
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: encrypted data got 1965
  • schannel: encrypted data buffer: offset 1965 length 103424
  • schannel: decrypted data length: 1369
  • schannel: decrypted data added: 1369
  • schannel: decrypted data cached: offset 1369 length 102400
  • schannel: encrypted data length: 567
  • schannel: encrypted data cached: offset 567 length 103424
  • schannel: decrypted data length: 504
  • schannel: decrypted data added: 504
  • schannel: decrypted data cached: offset 1873 length 102400
  • schannel: encrypted data length: 34
  • schannel: encrypted data cached: offset 34 length 103424
  • schannel: decrypted data length: 5
  • schannel: decrypted data added: 5
  • schannel: decrypted data cached: offset 1878 length 102400
  • schannel: encrypted data buffer: offset 0 length 103424
  • schannel: decrypted data buffer: offset 1878 length 102400
  • schannel: schannel_recv cleanup
  • schannel: decrypted data returned 1878
  • schannel: decrypted data buffer: offset 0 length 102400
    < HTTP/1.1 200 OK

This looks different from the usual block from Cloudflare. If Cloudflare is blocking, the connection will succeed, but will receive a 4xx response code. This is an SSL/TLS failure, which is unusual.

Can you try a traceroute to www.bci.cl from that customer as well as yourself?
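Added example, not part of any post in this thread: a small Python probe that reports which layer a request dies at (TCP connect, TLS handshake, or HTTP status), which is the distinction the reply above draws between a 4xx block and a handshake failure. The function names and the `connect_to` parameter are hypothetical, chosen for this illustration.

```python
import socket
import ssl
import sys


def probe(host, port=443, connect_to=None, timeout=5.0, context=None):
    """Return (stage, detail) for the layer where the request stopped.

    connect_to (hypothetical parameter) pins the IP to dial while SNI and
    certificate validation still use `host`.
    """
    ctx = context or ssl.create_default_context()
    try:
        raw = socket.create_connection((connect_to or host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable, timed out
        return ("tcp", repr(exc))
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError as exc:  # ssl.SSLError and ConnectionResetError are OSErrors
        raw.close()
        return ("tls", repr(exc))
    with tls:
        try:
            req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            first = tls.recv(4096).split(b"\r\n", 1)[0].split()
        except OSError as exc:
            return ("http", repr(exc))
    code = int(first[1]) if len(first) > 1 and first[1].isdigit() else None
    return ("http", code)


def interpret(stage, detail):
    """Map a probe result to the distinction drawn in the reply above."""
    if stage == "tcp":
        return "unreachable: no TCP session, look at routing or filtering"
    if stage == "tls":
        return "handshake-cut: TCP connected but TLS never completed"
    if isinstance(detail, int) and 400 <= detail < 500:
        return "http-refusal: TLS succeeded and the server answered 4xx"
    if isinstance(detail, int):
        return f"http-answer: TLS succeeded, status {detail}"
    return "http-no-status: TLS succeeded but no valid status line"


if __name__ == "__main__":
    # usage: python probe.py HOSTNAME [IP]
    result = probe(sys.argv[1], connect_to=sys.argv[2] if len(sys.argv) > 2 else None)
    print(result, "->", interpret(*result))
```

Running it from an affected and an unaffected network against the same pinned IP shows whether both fail at the same layer.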

Thank you. Here is the trace:
C:\Users\Teruca>tracert www.bci.cl

Traza a la dirección www.bci.cl.cdn.Cloudflare.net [104.16.13.14]
sobre un máximo de 30 saltos:

1 1 ms <1 ms 1 ms 192.168.20.1
2 3 ms 1 ms 1 ms 201.218.140.1
3 * * * Tiempo de espera agotado para esta solicitud.
4 * * * Tiempo de espera agotado para esta solicitud.
5 * * * Tiempo de espera agotado para esta solicitud.
6 * * * Tiempo de espera agotado para esta solicitud.
7 2 ms 2 ms 1 ms 10.74.74.1
8 2 ms 4 ms 2 ms 190.208.1.81
9 6 ms 4 ms 36 ms gw-terra.pit.ip.telmexchile.cl [200.27.101.90]
10 2 ms 3 ms 2 ms 10.200.247.197
11 4 ms 6 ms 3 ms Cloudflare.scl.pitchile.cl [200.23.206.227]
12 * 4 ms 9 ms 104.16.13.14

Traza completa.

I’m going to tag @cloonan on this since you’re probably not a Cloudflare customer and Support might be able to figure this out.

Sorry, forgot my own computer (where it works):
C:\Users\Optic CX>tracert www.bci.cl

Traza a la dirección www.bci.cl.cdn.Cloudflare.net [104.16.13.14]
sobre un máximo de 30 saltos:

1 248 ms 255 ms 248 ms 226.247.113.190.fiber.optic.cl [190.113.247.226]
2 250 ms 250 ms 268 ms 225.247.113.190.fiber.optic.cl [190.113.247.225]
3 253 ms 251 ms 252 ms 10.30.1.21
4 255 ms * 249 ms 10.0.77.9
5 336 ms 329 ms 327 ms ENTEL.scl.pitchile.cl [200.23.206.198]
6 248 ms 262 ms 246 ms 200.10.224.102
7 253 ms 247 ms 252 ms 10.200.247.69
8 246 ms 248 ms 257 ms tiws.vl100.nacional.ce.ppal.nap.movistar.cl [186.148.16.58]
9 * * * Tiempo de espera agotado para esta solicitud.
10 * * * Tiempo de espera agotado para esta solicitud.
11 268 ms * 258 ms 216.184.113.21
12 276 ms 254 ms 290 ms 104.16.13.14

Traza completa.

C:\Users\Optic CX>


Hi @jose.gonzalez, yes, please do contact support, you’ll need to select your domain for the ticket, otherwise you’ll get a note from support saying they cannot assist you on zones that are not yours. Ultimately, you may end up with a similar reply, but I’m curious as to what’s going on. Once you contact support, can you share the ticket number here? I’d like to follow this one.

Some of the zones have some Cloudflare history, some not. Here are current name servers for the domains you listed:

$ dig ns leagueofleguend.com +short (typo in name?)

$ dig ns leagueoflegend.com +short
ns1.parklogic.com.
ns2.parklogic.com.
ns3.parklogic.com.
ns4.parklogic.com.
ns5.parklogic.com.

$ dig ns amiami.com +short
ipms.ivp.ne.jp.
ipms2.ivp.ne.jp.
ipms5.ivp.ne.jp.

$ dig ns es.99desigs.com +short
sk.s5.ans1.ns148.ztomy.com.
sk.s5.ans2.ns148.ztomy.com.

$ dig ns bci.cl +short
dns2.bci.cl.
dns.bci.cl.

$ dig ns getbootstrap.com +short
iris.ns.Cloudflare.com.
tom.ns.Cloudflare.com.

Thanks for your help, Cloonan, but I’m confused. I do not have a domain, I am an ISP that has some problems with those domains, because my clients can not access and they blame me for it. How do I open a ticket in this scenario?

Yes, understood, sorry. You can email support AT Cloudflare DOT com, but I suspect you ultimately will not be able to affect who the sites allow or don’t allow; it’s not a switch support controls. Especially if they are not currently using Cloudflare.
