Cloudflare Error 523: Origin Is Unreachable

Cloudflare cannot reach your origin server - routing fails.

The Cloudflare 523 "Origin Is Unreachable" error indicates that Cloudflare cannot establish a network route to your origin server. Unlike errors 521 (connection refused) and 522 (timeout), 523 signals a more fundamental connectivity problem: your server is simply not findable on the network.

This error can have several origins: misconfigured DNS in Cloudflare, an incorrect origin IP, a datacenter outage hosting your server, or BGP routing problems affecting the connection between Cloudflare and your infrastructure. Diagnosis requires checking each link in the chain.

In this detailed guide, we explore the technical causes of 523, diagnostic tools to identify the exact source of the problem, and solutions adapted to each scenario. External monitoring like MoniTao can detect these problems immediately, whether the cause is on Cloudflare's side, network, or server.

Main causes of error 523

Error 523 occurs when Cloudflare cannot route packets to your server. Here are the most common causes:

  • Incorrect DNS configuration: The A or AAAA record in Cloudflare points to an incorrect, outdated, or non-existent IP. This is the most frequent cause after a server migration.
  • Origin server offline: Your server is completely stopped, not just the web service. This can be due to maintenance, a system crash, or hardware failure.
  • Datacenter or host outage: An outage affecting the datacenter where your server is located makes the IP completely inaccessible. Check your host's status page.
  • BGP routing issues: BGP peering problems between Cloudflare and your host's network can make your server temporarily unreachable from certain Cloudflare datacenters.

How to diagnose error 523

Diagnosing 523 requires checking the complete connectivity chain:

  • Check Cloudflare DNS configuration: In the Cloudflare dashboard → DNS, verify that the A record points to the correct IP. Compare with your server's actual IP obtained from your hosting panel.
  • Test IP accessibility: From an external terminal (not your server), perform a ping and traceroute to the origin IP. If ping fails, the problem is server-side or network.
  • Check server status: Log into your host's console to verify the server is started. Also check your host's status page for ongoing outages.
  • Analyze Cloudflare Ray ID: The Ray ID on the error page identifies the Cloudflare datacenter involved. If the problem is intermittent, it may be related to a specific datacenter with peering issues.

Solutions to fix error 523

Solutions depend on the identified cause:

  • Fix IP in Cloudflare: If the IP is incorrect, update the A record in Cloudflare → DNS. Propagation is immediate because Cloudflare manages its own DNS.
  • Restart the server: From your host's console (not SSH which may be inaccessible), perform a hard restart of the server. Then verify it responds to ping.
  • Contact host: If the status page indicates an outage or your server remains inaccessible, open a priority support ticket. Provide the IP and your test results.
  • Configure backup IP: If you have redundant infrastructure, add an additional A record pointing to a backup server, or use Cloudflare Load Balancing to automatically failover.

Network diagnostic script

This bash script tests connectivity to your origin server from different points:

#!/bin/bash
# Cloudflare 523 Diagnostic - Network connectivity

ORIGIN_IP="your.server.ip"

echo "=== Cloudflare DNS check ==="
dig +short @1.1.1.1 your-domain.com A

echo -e "\n=== Ping test to origin ==="
ping -c 4 $ORIGIN_IP

echo -e "\n=== Traceroute to origin ==="
traceroute -m 15 $ORIGIN_IP

echo -e "\n=== Port 80/443 test ==="
nc -zv $ORIGIN_IP 80 2>&1
nc -zv $ORIGIN_IP 443 2>&1

echo -e "\n=== Direct HTTP test ==="
curl -sI --connect-timeout 10 http://$ORIGIN_IP | head -3

This script tests DNS resolution, network connectivity via ping and traceroute, and web port accessibility. Run it from an external machine (not your server) to simulate what Cloudflare sees.

Preventing 523 errors

Implement these measures to avoid 523 errors:

  • External monitoring: Use MoniTao to monitor your site through Cloudflare. Immediate alerting on 523 errors allows you to intervene before the impact becomes too significant.
  • Document IPs: Maintain up-to-date documentation of your server IPs. After each migration, immediately verify Cloudflare DNS records.
  • Redundant infrastructure: Use multiple servers with Cloudflare Load Balancing to automatically failover if a server becomes unreachable.
  • Host alerts: Subscribe to your host's status notifications to be alerted of scheduled maintenance and ongoing outages.

523 verification checklist

  • Origin IP correct and current in Cloudflare DNS
  • Server accessible via ping from outside
  • Ports 80 and 443 open on origin IP
  • No outage announced by host
  • Complete traceroute to server
  • External monitoring in place

Frequently asked questions about error 523

How to check which IP is configured in Cloudflare?

Log into the Cloudflare dashboard, go to DNS, and check your domain's A record. Compare this IP with your actual server IP shown in your hosting panel.

Can 523 be caused by Cloudflare itself?

Rarely. BGP peering issues between Cloudflare and certain networks can cause intermittent 523s from specific datacenters. Check cloudflarestatus.com and the error's Ray ID.

How to test direct access without going through Cloudflare?

Modify your local hosts file to point your domain to the origin IP: "1.2.3.4 mydomain.com". This bypasses Cloudflare for your tests only.

My server responds to ping but I still get 523. Why?

Ping works (ICMP) but web ports may be closed or filtered. Specifically test ports 80 and 443 with telnet or nc: "nc -zv IP 443".

How long for Cloudflare DNS changes to take effect?

DNS changes in Cloudflare are generally instant because Cloudflare manages its own authoritative DNS servers. If you just changed the IP, the 523 should disappear within seconds.

How to differentiate a 523 from 521 or 522?

521 indicates the server actively refuses the connection. 522 indicates a timeout after connection established. 523 indicates the IP is completely unreachable - no network route. It's the most "severe" of the three.

Conclusion

Cloudflare error 523 signals a fundamental connectivity problem between Cloudflare and your server. Unlike errors 521 and 522 which indicate the server is reachable but refuses or times out, 523 means your server is simply not findable on the network.

Diagnosis involves checking Cloudflare DNS configuration, server status, and network connectivity. External monitoring with MoniTao immediately detects these problems, allowing you to respond quickly whether the cause is a wrong IP, server outage, or routing issue.

Useful Links

Ready to Sleep Soundly?

Start free, no credit card required.

Create My Account See pricing