Skip to content

Client errors

This page lists the error codes that can appear in the WARP client GUI. If you do not see your error below, refer to common issues or contact Cloudflare Support.

Example of error message in WARP GUI

CF_CAPTIVE_PORTAL_TIMED_OUT

Symptoms

  • Unable to login to a captive portal network
  • No Internet connectivity

Cause

Captive portal detection is turned on and one of the following issues occurred:

  • The user did not complete the captive portal login process within the time limit set by WARP.
  • The captive portal redirected the user to a flow that is not yet supported by the captive portal detection feature.

Resolution

  1. Increase the captive portal timeout to allow users more time to login.
  2. If this does not resolve the issue, allow users to manually turn off WARP. We recommend setting an auto connect value so that the client turns itself back on after a few minutes.

CF_CONNECTIVITY_FAILURE_UNKNOWN

Symptoms

  • Unable to connect WARP
  • No Internet connectivity
  • User may be behind a captive portal

Cause

The initial connectivity check failed for an unknown reason. Refer to Unable to connect WARP for the most common reasons why this error occurs.

Resolution

  1. Retrieve WARP debug logs for the device.
  2. Follow the troubleshooting steps in Unable to connect WARP.

CF_DNS_LOOKUP_FAILURE

Symptoms

  • Unable to connect WARP
  • Unable to browse the Internet
  • nslookup and dig commands fail on the device

Cause

WARP was unable to resolve hostnames via its local DNS proxy.

Resolution

  1. Verify that the network the user is on has DNS connectivity.
  2. Verify that DNS resolution works when WARP is disabled.
  3. Ensure that no third-party tools are interfering with WARP for control of DNS.
  4. Ensure that no third-party tools are performing TLS decryption on traffic to the WARP IP addresses.

CF_DNS_PROXY_FAILURE

Symptoms

Cause

A third-party process (usually a third-party DNS software) is bound to port 53, which is used by WARP's local DNS proxy to perform DNS resolution. The name of third-party process will appear in the GUI error message.

On macOS, you may see mDNSResponder instead of the specific application name -- mDNSResponder is a macOS system process that handles DNS requests on behalf of other processes. There is no known way to determine which process caused mDNSResponder to bind to port 53, but the most common culprits are virtual machine software (for example, Docker and VMware Workstation) and the macOS Internet Sharing feature.

Resolution

  1. Remove or disable DNS interception in the third-party process.

mDNSResponder

Below is a non-exhaustive list of third-party software that are known to cause mDNSResponder to bind to port 53. Rather than try to stop mDNSResponder, you should either configure the third-party software so that they no longer use port 53, or temporarily disable them before connecting to WARP.

  • Docker: Turn off kernel networking for UDP in Docker.
  • Internet Sharing feature: To disable Internet Sharing:
    1. On macOS, go to System Settings > General > Sharing.
    2. Turn off Internet Sharing.
  • Certain VM software (such as VMware Workstation or Parallels): The presence of VM software does not guarantee that it is the offending program, since compatibility with WARP is highly dependent on the VM's configuration. To work around the issue, connect to WARP before running any VMs:
    1. Stop/quit all VMs.
    2. Connect to WARP.
    3. Start the VMs again.
  1. Alternatively, switch WARP to Secure Web Gateway without DNS filtering mode.

CF_FAILED_READ_SYSTEM_DNS_CONFIG

Symptoms

  • Unable to connect WARP
  • Unable to browse the Internet

Cause

WARP could not read the system DNS configuration, most likely because it contains an invalid nameserver or search domain.

Resolution

On macOS and Linux, validate that /etc/resolv.conf is formatted correctly and check for invalid characters.

On Windows, validate that the registry entry HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList contains only valid search domains. Examples of invalid entries include IP addresses and domains that start with a period (such as .local).

CF_FAILED_TO_SET_MTLS

Symptoms

  • Unable to connect WARP

Cause

The device failed to present a valid mTLS certificate during device enrollment.

Resolution

  1. Ensure that there are no admin restrictions on certificate installation.
  2. Re-install the client certificate on the device.

CF_HAPPY_EYEBALLS_MITM_FAILURE

Symptoms

  • Unable to connect WARP

Cause

A router, firewall, antivirus software, or other third-party security product is blocking UDP on the WARP ports.

Resolution

  1. Configure the third-party security product to allow the WARP ingress IPs and ports.
  2. Ensure that your Internet router is working properly and try rebooting the router.
  3. Check that the device is not revoked by going to My team > Devices.

CF_HOST_UNREACHABLE_CHECK

Symptoms

  • Unable to connect WARP
  • No Internet connectivity
  • User may be behind a captive portal

Cause

The connectivity check inside of the WARP tunnel has failed.

Resolution

  1. Check for the presence of third-party HTTP filtering software (AV, DLP, or firewall) that could be intercepting traffic to the WARP IPs.
  2. In the third-party software, bypass inspection for all IP traffic going through WARP. To find out what traffic routes through the WARP tunnel, refer to Split Tunnels.

CF_INSUFFICIENT_DISK

Symptoms

  • Unable to connect WARP
  • OS warns that the disk is full

Cause

The hard drive is full or has incorrect permissions for WARP to write data.

Resolution

  1. Ensure that your device meets the HD space requirements for WARP.
  2. Check for disk permissions that may prevent WARP from using disk space.
  3. Empty trash or remove large files.

CF_INSUFFICIENT_FILE_DESCRIPTORS

Symptoms

  • Unable to connect WARP
  • Unable to open files on the device

Cause

The device does not have sufficient file descriptors to create network sockets or open files.

Resolution

Increase the file descriptor limit in your system settings.

CF_INSUFFICIENT_MEMORY

Symptoms

  • Unable to connect WARP
  • Device is very slow

Cause

The device does not have enough memory to run WARP.

Resolution

  1. Ensure that your device meets the minimum memory requirements for WARP.
  2. List all running processes to check memory usage.

CF_LOCAL_POLICY_FILE_FAILED_TO_PARSE

Symptoms

  • Unable to connect WARP

Cause

The WARP client was deployed on the device using an invalid MDM configuration file.

Resolution

  1. Review the managed deployment guide for your operating system.
  2. Locate the MDM configuration file on your device.
  3. Ensure that the file is formatted correctly and only contains accepted arguments.

CF_NO_NETWORK

Symptoms

  • Unable to connect WARP
  • No Internet connectivity

Cause

The device is not connected to a Wi-Fi network or LAN that has connectivity to the Internet.

Resolution

  1. Launch the network settings panel on your device.
  2. Ensure that you are connected to a valid network.
  3. Check that your device is retrieving a valid IP address.
  4. If this does not resolve the error, try rebooting your device or running your system's network diagnostics tool.

CF_REGISTRATION_MISSING

Symptoms

  • Unable to connect WARP

Cause

The device is not authenticated to a Zero Trust organization because:

  • The device was revoked in Zero Trust.
  • The registration was corrupted or deleted for an unknown reason.

Resolution

  1. Launch the WARP client.
  2. Select the gear icon and go to Preferences > Account.
  3. Select Re-Authenticate Session.
  4. Complete the authentication steps required by your organization.
  5. If this does not resolve the error, select Logout from Cloudflare Zero Trust and then log back in. Logging out is only possible if Allow device to leave organization is enabled for your device.

CF_TLS_INTERCEPTION_BLOCKING_DOH

Symptoms

  • DNS requests fail to resolve when WARP is turned on.

Cause

A third-party application or service is intercepting DNS over HTTPS traffic from WARP.

Resolution

Configure the third-party application to exempt the WARP DoH IPs.

CF_TLS_INTERCEPTION_CHECK

Symptoms

  • Unable to connect WARP

Cause

A third-party security product on the device or network is performing TLS decryption on HTTPS traffic. For more information, refer to the Troubleshooting guide.

Resolution

In the third-party security product, disable HTTPS inspection and TLS decryption for the WARP IP addresses.