Worker is not available from certain providers in the US

Hello,

We received several support requests saying that our service (CF worker) is not accessible. Once the client switches to LTE, everything works properly.

One client is getting an ERR_CONNECTION_RESET error in his Chrome console, another one is getting ERR_SSL_PROTOCOL_ERROR. The first one is from Maryland, United States and using the Xfinity provider. The second one is also from the US but not sure about his exact location and provider.

We never had such issues with our worker before. We have a custom domain added to the worker, and the SSL certificate is provided by Cloudflare as well. Also, the app is used by thousands of customers with no issues, so it looks like some local issue related to a particular location/provider. Is there any way to fix that problem?

Hi there,

ERR_CONNECTION_RESET means your customer can’t connect to the address at all and ERR_SSL_PROTOCOL_ERROR means the browser failed to establish a secured connection to the website.

Both of these might be symptoms of their connection being DNS hijacked: on the 1st error it does not resolve anywhere, but on the second it resolves to somewhere that does not match the original URL.
This type of DNS redirection is often used by companies to prevent workers from reaching unwanted websites, or by ISP operators to filter unwanted content, for instance.
In any case if this is what’s happening, there’s nothing Cloudflare can do to avoid it. At most, you can advise your customers to install WARP or contact the specific ISP to inquire why your website is being blocked.

Take care.

Hey, thank you for the explanation! Could it be something related to the domain name itself? I.e., could changing the domain name or adding an alternative domain to the worker help in that situation?

Strangely enough, we’ve received the list of visitors who were unable to access our service, and mostly they are using Comcast or Xfinity, but they are even in different states: VA, TN, PA. While other customers from VA are ok (different provider).

Hello,

I’ve asked a question earlier about the worker not being available from certain providers in the US: Worker is not available from certain providers in the US - #5 by denis.shchotkin

According to @mcorreia’s response, that was some DNS redirection/blocking by the ISP.

After further investigation we found out that the *.workers.dev domain is working perfectly for the same customers, but our custom domain is not. Does that mean that our domain was just banned by Comcast in certain regions (sounds really weird, as we only have one small app on that domain)? Or could there be some DNS issues on our end?

Our domain is on Cloudflare as well and we don’t have any other records except one pointing the domain to the worker (root domain). Probably I need to add some other records? Probably having one single record (I see it as Worker, but I guess it’s a CNAME record) looks suspicious to the ISP?

Thanks,
Den

What’s the domain?

easysearchapp.dev

I can’t find anything wrong – it’s resolving correctly everywhere I look, including the Comcast/Xfinity nameservers. And it works (returns an “Ok”) from inside Comcast’s network on the US east coast. I don’t see you on any blacklists or anything like that.

So the problem may be more localized than that. Perhaps the clients’ internal networks?

Thanks for checking! I thought about that but we received several reports from different clients, some of them were on the mobile, others on laptops…

I’m experiencing the same issue through PicPerf.dev. The vast majority of visitors can get through just fine, but some have issues. It’s very frustrating.

@alex77 thanks for the feedback. We’re still having those issues. The most common is the NET:ERR_CERT_COMMON_NAME_INVALID error. I’ve already tried to change the certificate provider to Google Trust Services and enabled Total TLS - nothing helped, the issue is still happening. Actually, all the complaints are from Windows users, no reports from Mac or mobile devices…

I’m talking to someone who’s getting a consistent ERR_CONNECTION_RESET - also on a Windows machine. He’s using Comcast Business for service.

I was hopeful that moving from Worker routes to a custom Worker domain would resolve the issue, but that hasn’t seemed to help either.

Update on my issue: as it turns out, it was very likely a .dev domain problem, perhaps caused by either outdated firewall rules, or the fact that users may have once used a .dev domain for local development years ago on their current machine. That would explain why it was only a problem on select devices, and all of the people who reported the problem were in the software engineering space. Moving over to a different TLD (picperf.io) solved it for me.

I wrote up more details on the troubleshooting process here: For Maximum Accessibility, Be Careful About Using a .dev Domain | Alex MacArthur
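
A check for the cause described in the post above (a stale local-development override capturing the .dev TLD), as an added example that is not part of the original thread or any poster's code: it scans hosts-file and dnsmasq-style configuration text for entries that would capture a given hostname. The sample file contents are constructed, and matching `*.dev` wildcards in hosts-style files is an assumption about local DNS proxies, since the operating system's own hosts file has no wildcards.

```python
import ipaddress

def hosts_overrides(hosts_text, hostname):
    """Return (line_no, ip, pattern) for hosts-style entries that capture hostname."""
    hostname = hostname.lower().rstrip(".")
    hits = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop inline comments
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])     # first field must be an IP address
        except ValueError:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            # Assumption: "*.dev" style wildcards come from a local DNS proxy's hosts file.
            wildcard = name.startswith("*.") and hostname.endswith(name[1:])
            if name == hostname or wildcard:
                hits.append((n, fields[0], name))
    return hits

def dnsmasq_overrides(conf_text, hostname):
    """Return (line_no, target, domain) for dnsmasq address=/domain/ip lines."""
    hostname = hostname.lower().rstrip(".")
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("address=/"):
            continue
        *domains, target = line[len("address=/"):].split("/")
        for d in domains:
            d = d.lower().strip(".")
            # address=/dev/... answers for "dev" and every name beneath it
            if d and (hostname == d or hostname.endswith("." + d)):
                hits.append((n, target, d))
    return hits

# Constructed samples of what an old local-development setup might have left behind.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 myproject.dev api.myproject.dev  # old local project
127.0.0.1 *.dev
"""
SAMPLE_DNSMASQ = """# constructed sample
address=/dev/127.0.0.1
address=/test/127.0.0.1
"""

if __name__ == "__main__":
    print(hosts_overrides(SAMPLE_HOSTS, "easysearchapp.dev"))
    print(dnsmasq_overrides(SAMPLE_DNSMASQ, "easysearchapp.dev"))
```

Any hit means the machine answers for the public .dev hostname locally, so the browser never reaches the real site and fails on connection or certificate name.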

Hey Alex, thanks for sharing the details, makes total sense! We’re also having issues with .dev domain, while we have several other workers on other domains and never had any similar complaints about those services.
