Cloudflare Docs
Cloudflare Zero Trust
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Client errors

This page lists the error codes that can appear in the WARP client GUI. If you do not see your error below, refer to common issues or contact Cloudflare Support.

Example of error message in WARP GUI

​​ CF_CAPTIVE_PORTAL_TIMED_OUT

​​ Symptoms

  • Unable to login to a captive portal network
  • No Internet connectivity

​​ Cause

Captive portal detection is turned on and one of the following issues occurred:

  • The user did not complete the captive portal login process within the time limit set by WARP.
  • The captive portal redirected the user to a flow that is not yet supported by the captive portal detection feature.

​​ Resolution

  1. Increase the captive portal timeout to allow users more time to login.
  2. If this does not resolve the issue, allow users to manually turn off WARP. We recommend setting an auto connect value so that the client turns itself back on after a few minutes.

​​ CF_CONNECTIVITY_FAILURE_UNKNOWN

​​ Symptoms

  • Unable to connect WARP
  • No Internet connectivity
  • User may be behind a captive portal

​​ Cause

The initial connectivity check failed for an unknown reason. Refer to Unable to connect WARP for the most common reasons why this error occurs.

​​ Resolution

  1. Retrieve WARP debug logs for the device.
  2. Follow the troubleshooting steps in Unable to connect WARP.

​​ CF_DNS_LOOKUP_FAILURE

​​ Symptoms

  • Unable to connect WARP
  • Unable to browse the Internet
  • nslookup and dig commands fail on the device

​​ Cause

WARP was unable to resolve hostnames via its local DNS proxy.

​​ Resolution

  1. Verify that the network the user is on has DNS connectivity.
  2. Verify that DNS resolution works when WARP is disabled.
  3. Ensure that no third-party tools are interfering with WARP for control of DNS.
  4. Ensure that no third-party tools are performing TLS decryption on traffic to the WARP IP addresses.

​​ CF_DNS_PROXY_FAILURE

​​ Symptoms

​​ Cause

A third-party process (usually a third-party DNS software) is bound to port 53, which is used by WARP’s local DNS proxy to perform DNS resolution. The name of third-party process will appear in the GUI error message.

On macOS, you may see mDNSResponder instead of the specific application name – mDNSResponder is a macOS system process that handles DNS requests on behalf of other processes. There is no known way to determine which process caused mDNSResponder to bind to port 53, but the most common culprits are virtual machine software (for example, Docker and VMware Workstation) and the macOS Internet Sharing feature.

​​ Resolution

  1. Remove or disable DNS interception in the third-party process.
mDNSResponder

Below is a non-exhaustive list of third-party software that are known to cause mDNSResponder to bind to port 53. Rather than try to stop mDNSResponder, you should either configure the third-party software so that they no longer use port 53, or temporarily disable them before connecting to WARP.

  • Docker: Turn off kernel networking for UDP in Docker.
  • Internet Sharing feature: To disable Internet Sharing:
    1. On macOS, go to System Settings > General > Sharing.
    2. Turn off Internet Sharing.
  • Certain VM software (such as VMware Workstation or Parallels): The presence of VM software does not guarantee that it is the offending program, since compatibility with WARP is highly dependent on the VM’s configuration. To work around the issue, connect to WARP before running any VMs:
    1. Stop/quit all VMs.
    2. Connect to WARP.
    3. Start the VMs again.
  1. Alternatively, switch WARP to Secure Web Gateway without DNS filtering mode.

​​ CF_FAILED_READ_SYSTEM_DNS_CONFIG

​​ Symptoms

  • Unable to connect WARP
  • Unable to browse the Internet

​​ Cause

WARP could not read the system DNS configuration, most likely because it contains an invalid nameserver or search domain.

​​ Resolution

On macOS and Linux, validate that /etc/resolv.conf is formatted correctly and check for invalid characters.

On Windows, validate that the registry entry HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList contains only valid search domains. Examples of invalid entries include IP addresses and domains that start with a period (such as .local).

​​ CF_FAILED_TO_SET_MTLS

​​ Symptoms

  • Unable to connect WARP

​​ Cause

The device failed to present a valid mTLS certificate during device enrollment.

​​ Resolution

  1. Ensure that there are no admin restrictions on certificate installation.
  2. Re-install the client certificate on the device.

​​ CF_HAPPY_EYEBALLS_FAILURE

​​ Symptoms

  • Unable to connect WARP

​​ Cause

A router, firewall, antivirus software, or other third-party security product is blocking UDP on the WARP ports.

​​ Resolution

  1. Configure the third-party security product to allow the WARP ingress IPs and ports.
  2. Ensure that your Internet router is working properly and try rebooting the router.

​​ CF_HOST_UNREACHABLE_CHECK

​​ Symptoms

  • Unable to connect WARP
  • No Internet connectivity
  • User may be behind a captive portal

​​ Cause

The connectivity check inside of the WARP tunnel has failed.

​​ Resolution

  1. Check for the presence of third-party HTTP filtering software (AV, DLP, or firewall) that could be intercepting traffic to the WARP IPs.
  2. In the third-party software, bypass inspection for all IP traffic going through WARP. To find out what traffic routes through the WARP tunnel, refer to Split Tunnels.

​​ CF_INSUFFICIENT_DISK

​​ Symptoms

  • Unable to connect WARP
  • OS warns that the disk is full

​​ Cause

The hard drive is full or has incorrect permissions for WARP to write data.

​​ Resolution

  1. Ensure that your device meets the HD space requirements for WARP.
  2. Check for disk permissions that may prevent WARP from using disk space.
  3. Empty trash or remove large files.

​​ CF_INSUFFICIENT_FILE_DESCRIPTORS

​​ Symptoms

  • Unable to connect WARP
  • Unable to open files on the device

​​ Cause

The device does not have sufficient file descriptors to create network sockets or open files.

​​ Resolution

Increase the file descriptor limit in your system settings.

​​ CF_INSUFFICIENT_MEMORY

​​ Symptoms

  • Unable to connect WARP
  • Device is very slow

​​ Cause

The device does not have enough memory to run WARP.

​​ Resolution

  1. Ensure that your device meets the minimum memory requirements for WARP.
  2. List all running processes to check memory usage.

​​ CF_LOCAL_POLICY_FILE_FAILED_TO_PARSE

​​ Symptoms

  • Unable to connect WARP

​​ Cause

The WARP client was deployed on the device using an invalid MDM configuration file.

​​ Resolution

  1. Review the managed deployment guide for your operating system.
  2. Locate the MDM configuration file on your device.
  3. Ensure that the file is formatted correctly and only contains accepted arguments.

​​ CF_NO_NETWORK

​​ Symptoms

  • Unable to connect WARP
  • No Internet connectivity

​​ Cause

The device is not connected to a Wi-Fi network or LAN that has connectivity to the Internet.

​​ Resolution

  1. Launch the network settings panel on your device.
  2. Ensure that you are connected to a valid network.
  3. Check that your device is retrieving a valid IP address.
  4. If this does not resolve the error, try rebooting your device or running your system’s network diagnostics tool.

​​ CF_REGISTRATION_MISSING

​​ Symptoms

  • Unable to connect WARP

​​ Cause

The device is not authenticated to a Zero Trust organization because:

  • The device was revoked in Zero Trust.
  • The registration was corrupted or deleted for an unknown reason.

​​ Resolution

  1. Launch the WARP client.
  2. Select the gear icon and go to Preferences > Account.
  3. Select Re-Authenticate Session.
  4. Complete the authentication steps required by your organization.
  5. If this does not resolve the error, select Logout from Cloudflare Zero Trust and then log back in. Logging out is only possible if Allow device to leave organization is enabled for your device.

​​ CF_TLS_INTERCEPTION_BLOCKING_DOH

​​ Symptoms

  • DNS requests fail to resolve when WARP is turned on.

​​ Cause

A third-party application or service is intercepting DNS over HTTPS traffic from WARP.

​​ Resolution

Configure the third-party application to exempt the WARP DoH IPs.

​​ CF_TLS_INTERCEPTION_CHECK

​​ Symptoms

  • Unable to connect WARP

​​ Cause

A third-party security product on the device or network is performing TLS decryption on HTTPS traffic. For more information, refer to the Troubleshooting guide.

​​ Resolution

In the third-party security product, disable HTTPS inspection and TLS decryption for the WARP IP addresses.