Question 1

What does Cloudflare error 522 mean?

Accepted Answer

Error 522 occurs when Cloudflare cannot establish a TCP connection to the origin server within the timeout window (typically 15 seconds). Unlike 521 where the connection is refused immediately, 522 means the SYN packets are being sent but no SYN-ACK comes back. The origin is either unreachable, overloaded, or a network device between Cloudflare and the origin is dropping packets. This is one of the most common Cloudflare errors and almost always indicates an origin-side or network-side problem.

Question 2

What causes Cloudflare error 522?

Accepted Answer

Origin server is overloaded: The server's CPU, memory, or connection limits are exhausted, so it cannot accept new TCP connections. This is common during traffic spikes or resource-intensive operations.

Firewall is silently dropping packets: A firewall (iptables, security group, hardware firewall) is dropping SYN packets from Cloudflare rather than rejecting them, causing a timeout instead of a refused connection.

Incorrect origin IP in Cloudflare DNS: The A record in Cloudflare points to an IP address that does not belong to your server, or the server has been migrated to a new IP without updating the DNS.

Network routing issue between Cloudflare and origin: BGP routing problems, ISP outages, or DDoS mitigation by the hosting provider can prevent Cloudflare from reaching the origin even though the server is online.

Question 3

How do I fix Cloudflare error 522?

Accepted Answer

Step 1: Verify DNS points to the correct origin IP — Check that your A/AAAA records in Cloudflare resolve to your actual origin server IP. A common cause is stale DNS after a server migration.

Step 2: Check if ports 80/443 are reachable on the origin — Use a port scanner to test whether the origin server accepts TCP connections on the expected ports from the internet.

Step 3: Check server resource usage — SSH into your server and check CPU, memory, and connection counts. An overloaded server drops new connections.

Step 4: Verify Cloudflare IPs are not being rate-limited — Check if fail2ban, DDoS protection, or hosting-level firewalls are blocking or rate-limiting Cloudflare IP addresses.

Step 5: Test with increased keepalive timeout — Ensure your web server's keepalive timeout is at least 300 seconds. Cloudflare reuses connections, so short timeouts cause premature disconnects.

Cloudflare Error 522: Connection Timed Out

Common Causes

Origin server is overloaded

Firewall is silently dropping packets

Incorrect origin IP in Cloudflare DNS

Network routing issue between Cloudflare and origin

How to Fix It

Verify DNS points to the correct origin IP

Check if ports 80/443 are reachable on the origin

Check server resource usage

Verify Cloudflare IPs are not being rate-limited

Test with increased keepalive timeout

Quick Diagnostics

Related Error Codes

Web Server Is Down

A Timeout Occurred

Origin Is Unreachable

Frequently Asked Questions