Mondoze Knowledge Base

Search our articles or browse by category below

Error 522: Connection timed out

Last modified: October 11, 2022
You are here:
Estimated reading time: 2 min

Error 522: Connection Timed Out

Overview

Error 522 indicates that Cloudflare is unable to reach the origin web server and the request times out. 

As a first step in troubleshooting Error 522:

  • Check that the origin web server is active and accepting HTTP requests.
  • Verify that the DNS settings in your Cloudflare account are correct.

Common Causes

Several conditions may cause Error 522 to appear. The most common causes include:

  • Overloaded web server
  • Blocked Cloudflare requests
  • Faulty network routing
  • Disabled keepalives

Other possible causes may also include:

  • Incorrect IP address in the Cloudflare DNS settings (i.e. the request from us was sent to the wrong place)
  • Offline origin web server
  • Dropped packets on the host network

Below, you will find additional information for the most common causes.

Overloaded origin web server

A server could be dropping requests as a result of an overload condition. What constitutes a high load can differ depending on the server’s hardware and software.

Generally, a load average of over 10-20 could mean that the server is overloaded. To check for this on Linux/Unix, you can run the w or top commands in the terminal window.

If you’re unable to verify web server load on your own, check with your host or a system administrator.

Blocked Cloudflare requests

Blocking Cloudflare requests is the most common cause of intermittent 522 errors.

When traffic flows through a Cloudflare-enabled website, the origin web server sees all requests as coming from a handful of Cloudflare IP addresses. This can often trigger firewalls and IP rate-limiters to block Cloudflare requests, thinking that the website is under attack. CPHulk (which comes with cPanel) and other services have been known to do this.

To avoid this situation, make sure that:

    • Cloudflare IPs are not being blocked in .htaccess, iptables, or your firewall.
    • Your hosting provider isn’t rate limiting or blocking requests from Cloudflare IPs. Ask the host to whitelist the Cloudflare IP addresses .

In addition, your host provider might wish to disable the rate limiter.

Faulty network routing

Faulty network routing between Cloudflare and the origin web server is more difficult to troubleshoot than the other causes. Before checking for this, first rule out the other potential causes.

If you believe network issues might be the cause, file a ticket with Cloudflare support. Useful information to provide in your ticket includes:

  • Details about what you have checked so far
  • An MTR or traceroute from your server to a Cloudflare IP address, preferably one of the IP addresses from which you have seen requests from Cloudflare in the past

Disabled keepalives

Cloudflare uses the Keep-Alive header to improve performance. Disabling it in the origin web server causes connections to fail and return a 522 error in some circumstances. This feature is enabled by default in most major web servers, so unless you’ve explicitly disabled it, this shouldn’t be an issue.


Understand how Error 522 is trigger

When someone visits a Cloudflare-enabled website, a connection is establish between Cloudflare and the website’s origin server. To establish a connection, TCP uses a three-way handshake.

  1. SYN: Cloudflare sends three SYN packets to the origin server.
  2. SYN+ACK: In response, the origin server replies with a SYN+ACK.
  3. ACK: Finally, Cloudflare sends an ACK back to the origin server.

At this point, both Cloudflare and the origin server have receive an acknowledgement of the connection, and communication is establish. If the origin server does not send a SYN+ACK back to Cloudflare within 15 seconds, a 522 error will occur and the connection is close.

This diagram illustrates a successful TCP handshake:

successful TCP handshake

 

The next diagrams shows that the SYN+ACK is not return from the origin web server within 15 seconds, triggering the Error 522 timeout:

522 Condition 1

 

Another condition for an Error 522 timeout occurs when the origin responds with a SYN+ACK and established a TCP connection, but never responds to the request with an ACK within 90 seconds (A 524 condition ACKs the request, but waits too long to send the response). Here is an illustration detailing this scenario:

522 Condition 2

 

Checking for these conditions with your server administrator or hosting provider is the best way to resolve these errors. If there is a network problem, a traceroute or MTR from the site origin is also useful.

If you continue to see 522 errors after ruling out the aforementioned possibilities and troubleshooting the issue, contact Cloudflare Support for further investigation.

Was this article helpful?
Dislike 0
Views: 1030