Troubleshooting
I tried to register the WARP client with my Zero Trust domain but received the following error messages: Authentication Expired and Registration error. Please try again later.
When a user logs into an organization, WARP will open a web page so the user can sign in via Cloudflare Access. Access then generates a JSON Web Token (JWT) that is passed from the web page to the WARP client to authenticate the device. This JWT has a timestamp indicating the exact time it was created, as well as a timestamp indicating it will expire 50 seconds into the future.
This error message means that when the JWT is finally passed to the WARP client, it has already expired. One of two things can be happening:
- 
(Most likely): Your computer system clock is not properly synced using Network Time Protocol (NTP). Visit https://time.is ↗ on the affected machine to validate your clock is properly synchronized within 20 seconds of the actual time. 
- 
You are waiting more than one minute to open Cloudflare WARP from the time Cloudflare Access prompts you. Open the WARP client as soon as you get the prompt. 
If you believe a domain has been incorrectly blocked, you can use this form ↗ to get the URL reviewed.
Cloudflare Access requires that the credentials: same-origin parameter be added to JavaScript when using the Fetch API (to include cookies). AJAX requests fail without this parameter present. For more information, refer to our documentation about CORS settings.
Advanced security features including HTTPS traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all of your devices, these steps will need to be performed on each new device that is to be subject to HTTP Filtering. To install the Cloudflare root certificate, follow this guide.
Gateway presents an HTTP Response Code: 526 error page in the following cases:
- 
An untrusted certificate is presented from the origin to Gateway. Gateway will consider a certificate is untrusted if any of these conditions are true: - The server certificate issuer is unknown or is not trusted by the service.
- The server certificate is revoked and fails a CRL check.
- There is at least one expired certificate in the certificate chain for the server certificate.
- The common name on the certificate does not match the URL you are trying to reach.
- The common name on the certificate contains invalid characters (such as underscores). Gateway uses BoringSSL ↗ to validate certificates. Chrome's validation logic ↗ allows non-RFC 1305 compliant certificates, which is why the website may load when you turn off WARP.
 
- 
The connection from Gateway to the origin is insecure. Gateway does not trust origins which: - Only offer insecure cipher suites (such as RC4, RC4-MD5, or 3DES). You can use the SSL Server Test tool ↗ to check which ciphers are supported by the origin.
- Do not support FIPS-compliant ciphers (if you have enabled FIPS compliance mode). In order to load the page, you can either disable FIPS mode or create a Do Not Inspect policy for this host (which has the effect of disabling FIPS compliance for this origin).
- Redirect all HTTPS requests to HTTP.
 
If none of the above scenarios apply, contact Cloudflare support with the following information:
- Operating System (Windows 10, macOS 10.x, iOS 14.x)
- Web browser (Chrome, Firefox, Safari, Edge)
- URL of the request
- Screenshot or copy/paste of the content from the error page
For more troubleshooting information, refer to Support.

You may not see analytics on the Overview page for the following reasons:
- You are not sending DNS queries to Gateway. Verify that the destination IP addresses you are sending DNS queries to are correct. You can check the destination IP addresses for your DNS location by going to Gateway > DNS locations and then expanding the location.
- You are using other DNS resolvers. If you have other DNS resolvers in your DNS settings, your device could be using IP addresses for resolvers that are not part of Gateway. Make sure to remove all other IP addresses from your DNS settings and only include Gateway's DNS resolver IP addresses.
- The source IPv4 address for your DNS location is incorrect. If you are using IPv4, check the source IPv4 address that you entered for the DNS location matches with the network's source IPv4 address.
- Analytics is not available yet. It takes some time to generate the analytics for Cloudflare Gateway. If you are not seeing anything even after 5 minutes, file a support ticket.
If you encounter this error, file feedback via the WARP client and we will investigate.
This can occur if your device is attempting to establish a connection to more than two remote browser instances. A browser isolation session is a connection from your local browser to a remote browser. Tabs and windows within the same browser share a single remote browser session. In practice, this generally means that you can open both Chrome and Firefox to use browser isolation concurrently, but attempting to open a third browser such as Opera will cause this alert to appear. To release a browser session, close all tabs/windows in your local browser. The remote browser session will be automatically terminated within 15 minutes.
I see SAML Verify: Invalid SAML response, SAML Verify: No certificate selected to verify when testing a SAML identity provider.
This error occurs when the identity provider has not included the signing public key in the SAML response. While not required by the SAML 2.0 specification, Cloudflare Access always checks that the public key provided matches the Signing certificate uploaded to Zero Trust. For the integration to work, you will need to configure your identity provider to add the public key.
I see Error 0: Bad Request. Please create a ca for application. when attempting to connect to SSH with a short-lived certificate.
This error will appear if a certificate has not been generated for the Access application users are attempting to connect to. For more information on how to generate a certificate for the application on the Access Service Auth SSH page, refer to these instructions.
Mobile applications warn of an invalid certificate, even though I installed a Cloudflare certificate on my system.
These mobile applications may use certificate pinning Cloudflare Gateway dynamically generates a certificate for all encrypted connections in order to inspect the content of HTTP traffic. This certificate will not match the expected certificate by applications that use certificate pinning. To allow these applications to function normally, administrators can configure bypass rules to exempt traffic to hosts associated with the application from being intercepted and inspected.
If you see this warning, you may have to disable DNS over HTTPS setting in Firefox. If you need help doing that, see these instructions ↗.
Advanced security features including HTTPS traffic inspection require you to deploy a root certificate on the device. If Install CA to system certificate store is enabled, the WARP client will automatically install a new root certificate whenever you install or update WARP.
Certain web browsers (such as Chrome and Microsoft Edge) load and cache root certificates when they start. Therefore, if you install a root certificate while the browser is already running, the browser may not detect the new certificate. To resolve the error, restart the browser.
This error appears if you try to change your team domain while the Cloudflare dashboard SSO feature is enabled on your account. Cloudflare dashboard SSO does not currently support team domain changes. Contact your account team for more details.
This error means that the systemd-resolved service on Linux is not allowing WARP to resolve DNS requests. You can identify this issue in the daemon.log file of the warp diag logs, where the error message appears as ERROR main_loop: warp::warp::connectivity_check: DNS connectivity check failed to resolve host="warp-svc.".
To solve the issue:
- Add the following line to /etc/systemd/resolved.conf:
ResolveUnicastSingleLabel=yes- 
Make sure that no other DNS servers are configured in /etc/systemd/resolved.conf. For example, if the file containsDNS=X.Y.Z.Q, comment out the line.
- 
Restart the service: 
sudo systemctl restart systemd-resolved.serviceNCSI ↗ is a Windows feature for determining network quality and connectivity. When WARP is enabled, NCSI checks can sometimes fail and cause a cosmetic UI error where the user believes they have no Internet even though the device still has full connectivity. Some apps (Outlook, JumpCloud) may refuse to connect because Windows is reporting there is no Internet connectivity.
To resolve the issue, you will need to edit two Windows registry keys:
- 
Configure NCSI to detect WARP's local DNS proxy. HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\MICROSOFT\Windows\NetworkConnectivityStatusIndicatorType: DWORDValue: UseGlobalDNSData: 1
- 
Configure NCSI to use active probing mode, as WARP may be obscuring the number of hops expected by the passive probe ↗. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\InternetType: DWORDValue: EnableActiveProbingData: 1
If you continue to have issues with Microsoft 365 applications, consider enabling Directly route Microsoft 365 traffic.
Cloudflare Browser Isolation leverages Network Vector Rendering (NVR) technology. This allows us to deliver a secure, performant remote computing experience without the bandwidth limitations of traditional solutions. While we expect most websites to work perfectly, some browser features and web technologies such as WebGL (Web Graphics Library) are unsupported.
WebGL is a JavaScript API for rendering high-performance interactive 2D and 3D graphics within any compatible web browser without the use of plug-ins. Support for WebGL is present in all modern browsers. However, the user's device must also have access to the underlying hardware ↗ that supports these features.
When running remote browser isolation in a virtualized environment, the user's device may not have access to the required system resources. To resolve the error, you can configure your browser to render vector graphics entirely through software, without using the hardware acceleration provided by a GPU.
To enable software rasterization:
- Go to chrome://flags/#override-software-rendering-list.
- Set Override software rendering list to Enabled.
- Select Relaunch to apply the change.
By default, the WARP client blocks outgoing SMTP traffic on port 25 to prevent users from abusing our service to send spam. Modern email service providers use port 587 or 465 to encrypt emails over a TLS/SSL connection. For more information, refer to What SMTP port should be used? ↗.
If you need to unblock port 25, contact your account team.
This issue can occur when communicating with an origin that partially supports HTTP/2. In these scenarios, the connection from Gateway to the website starts using HTTP/2 but requests a downgrade to HTTP/1.1 for some requests. For example, servers such as Microsoft Internet Information Services (IIS) ↗ do not support authentication over HTTP/2. When errors occur, the website may send back a RST_STREAM frame with the error code HTTP_1_1_REQUIRED, which indicates that the browser should retry the request over HTTP/1.1. Gateway translates any received upstream RST_STREAM frames to a pseudo socket close, so this appears as a 502 Bad Gateway exception page. The browser will not indicate why it failed.
Gateway does not support this downgrade mechanism. When receiving the HTTP_1_1_REQUIRED error code, Gateway will not reissue requests over HTTP/1.1. To make the connection from Gateway to the website successfully, you will need to disable HTTP/2 at the origin.
If you see an error with the title This site can't provide a secure connection and a subtitle of <hostname> uses an unsupported protocol, you must order an Advanced Certificate.
If you added a multi-level subdomain (more than one level of subdomain), you must order an Advanced Certificate for the hostname as Cloudflare's Universal certificate will not cover the public hostname by default.
As of February 2, 2025, my end-user device's browser is returning a Your connection is not private warning.
The default global Cloudflare root certificate expired on 2025-02-02 at 16:05 UTC. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors. If you did not generate a new certificate before February 2, 2025, you will encounter browser warnings like Your connection is not private.
Starting with WARP client version 2024.12.554.0 and later, the WARP client will automatically install Cloudflare certificates in an end-user device's certificate store as soon as the Cloudflare certificates appear as Available in the Cloudflare dashboard.
For WARP client versions prior to 2024.12.554.0, certificates had to be marked as In-Use in the Cloudflare dashboard before the WARP client could push the Cloudflare certificates to an end-user device's certificate store.
Before deploying a new certificate, update WARP to version 2024.12.554.0 or newer.
For WARP client versions before and after 2024.12.554.0, certificate propagation will only occur when the WARP client is responsible for automatically installing the certificate on the client device. To enable the WARP client to propogate certificates:
- In Zero Trust ↗, go to Settings > WARP Client.
- Turn on Install CA to system certificate store.
If Install CA to system certificate store is turned off, you must manually install the certificate, use an MDM solution to distribute the Cloudflare certificate to your fleet of devices, or not use the Cloudflare certificate because you do not want to have TLS decryption enabled. TLS decryption must be enabled to enforce Gateway HTTP policies for HTTPS traffic.
After enabling certificate propagation, you must update your certificate:
- In Zero Trust ↗, go to Settings > Resources, then select Manage next to Cloudflare certificates.
- Select Generate certificate.
- Select the expiration date for this new certificate (five years is the default, but this can be adjusted) and select Generate certificate.
- The new certificate will be marked Inactive at first. Select the three dots to the right of the certificate, then select Activate to activate the certificate.
For WARP versions on or above 2024.12.554.0, selecting Activate will download the new certificate to end-user devices.
Certificate propagation to end-user devices can take up to 24 hours, but can be expedited by resetting the encryption keys.
To reset the encryption keys:
- Open the WARP GUI on your device.
- Select the gear icon on the top right > Preferences.
- Select Connection, then select Reset Encryption Keys.
macOS Big Sur and newer releases do not allow WARP to automatically trust the certificate. You must either manually trust the certificate as the user or use a MDM to trust the certificate.
After confirming that the certificate is installed and trusted on the end-user device, mark the certificate as In-Use. To mark the certificate as In-Use:
- In Zero Trust ↗, go to Settings > Resources, then select Manage next to Cloudflare certificates.
- Select a certificate.
- In the detailed menu under Basic Information, select Confirm and turn on certificate.
- Once turned on, the new certificate will now show as In-Use in Zero Trust. In-Use indicates that the certificate is being used for inspection.
It is recommended to have end users disconnect and reconnect WARP to expedite this change being reflected on their local machine. To verify the new certificate is being used correctly:
- Connect to WARP.
- Visit an HTTPS site.
- Verify that no certificate error is enountered.
Additionally, you can check the certificate used within your browser by viewing the certificate (steps vary by browser, but you can generally do this check by selecting the lock icon next to the URL) and verifying the Organizational Unit (OU) does not reference ECC Certificate Authority.
The new certificate will be valid until the configured expiration date.
If the new certificate is not activating on the end-user device or you are getting a Certificate is missing warning even though the certificate is marked In-Use. Refer to the following troubleshooting options:
- 
Rotate the keys used by WARP to force activate the new certificate by running: Terminal window warp-cli tunnel rotate-keys
- 
Upgrade to WARP version 2024.12.554.0. Some customers who are on versions earlier than 2024.11.309.0 have experienced inconsistencies with certificate installation and may need to upgrade. 
- 
Turn off TLS Decryption. 
If no measure is working quickly and you are encountering browser warnings that are blocking work, turning off TLS decryption will prevent HTTP policies from being enforced and will ensure websites resolve until the certificate can be deployed to more user devices.
Turning off TLS decryption should be a temporary measure. TLS decryption should be turned on if you need to enforce HTTP policies and log traffic for HTTPS traffic.
If you deleted the OAuth client (or the OAuth client expired) in Google, you will receive a Error 401: deleted_client authorization error.
To fix this issue, complete steps 6 through 12 in the Google guide and steps 9 through 15 in the Google Workspace guide.
I entered an override code for WARP that was supposed to be valid for 3 hours but the override code expired faster than I expected.
Admin override codes are time-sensitive and adhere to fixed-hour time blocks. Override codes can be reused until the end of their timeout. An override code's timeout begins in the hour the override code was generated in. Refer to the following scenarios.
If admin generates an override code with a timeout of one hour at 9:00 AM and the user inputs the override code in their device at 9:59 AM, the user will be able to toggle WARP on and off until 10:59 AM (a one hour duration.)
However, if the user attempts to enter the override code at 10:00 AM, the override code will not work. The override code will not work because the override code was generated at 9:00 AM and its one hour validity was counted as used in the 9:00 AM to 10:00 AM hour.
If admin generates an override code with a timeout of three hours at 9:30 AM and the user inputs the override code in their device at 9:59 AM, the user will be able to toggle WARP on and off until 12:59 PM (a three hour duration.)
However, if the user attempts to enter the override code at 10:00 AM, the override code will only be valid until 12:00 PM (a two hour duration). The override code was generated at 9:30 AM and one hour of its total three hour validity was counted as used in the 9:00 AM to 10:00 AM hour.
If admin generates an override code with a timeout of 24 hours at 12:30 PM and the user inputs the override code in their device at 12:59 PM the same day, the user will be able to toggle WARP on and off until 12:59 PM the next day (a 24 hour duration.)
However, if the user attempts to enter the override code at 1:00 PM the same day, the override code will only be valid until 11:00 AM the next day (a 23 hour duration). The override code was generated at 12:30 PM and one hour of its total 24 hour validity was counted as used in the 12:00 PM to 1:00 PM hour.
If the user attempts to enter the override code at 11:59 AM the next day, the override code will only be valid until 12:59 PM (a one hour duration). The override code was generated at 12:00 PM and 23 hours of its total 24 hour validity were counted as used from 12:00 PM to 11:00 AM the next day (a 23 hour duration).
I disabled WARP using an override code but WARP turned on by itself before my override code expired.
If you are using an Admin override code with Auto connect also enabled, WARP will turn on automatically according to the Timeout set for Auto connect. Using an override code to override the WARP lock switch will not disable Auto connect. As best practice, review your Auto connect settings before sending the override code to the user.
To prevent WARP from auto connecting while using an admin override code, disable Auto connect or set a longer Timeout for Auto connect. Note the changes you make to Auto connect while the end user is using the admin override code if you need to revert these changes later.
This error is returned when proper API permissions are not set up in the identity provider. When Cloudflare attempts to fetch user/group information from the identity provider and proper API permissions have not been configured, the Failed to fetch user/group information from the identity provider error will appear. Review the SSO integration guide for your identity provider to ensure your application has the appropriate API permissions.
For example, Microsoft Entra and Okta have required permissions stated in their integration guides.
You can also examine logs in your identity provider to identify any denied requests related to API access.
If your WSL2 environment is losing connectivity while using WARP, check your split tunnel configuration.
The issue may arise because the IP range that the WSL environment uses to communicate with the host device is included in the split tunnel configuration. Excluding the WSL environment’s IP range should restore connectivity.
You must ensure the host device is included in the WARP tunnel while excluding the WSL environment to prevent connectivity issues between WSL and the host device.
- Review the WSL2 environment's IP address and compare it with the laptop’s IP.
- Check if the WSL network is included in the split tunnel configuration.
- If the WSL network is included, exclude it from the split tunnel to prevent connectivity issues.
This issue can occur due to a conflict between browser settings and Windows network configuration.
In Chromium-based browsers like Chrome and Edge, the Anonymize local IPs exposed by WebRTC flag (chrome://flags/#enable-webrtc-hide-local-ips-with-mdns or edge://flags/#enable-webrtc-hide-local-ips-with-mdns)  — when set to Enabled or left at Default — hides local IP addresses by replacing them with mDNS hostnames. Multicast DNS (mDNS) hostnames rely on multicast traffic to be resolved properly on the local network.
The Internet Group Management Protocol (IGMP) ↗ allows devices to join a multicasting group. On Windows, IGMPLevel determines whether the system participates in multicast group membership. When IGMPLevel is set to 0, multicast support is disabled.
To resolve this error, review the following options:
| IGMPLevel | Anonymize local IPs exposed by WebRTC setting | Result in Clientless Web Isolation | 
|---|---|---|
| 0(disabled) | Enabled / Default | ❌ Blank screen | 
| 0(disabled) | Disabled | ✅ Works - browser will use local IP address | 
| 2(enabled) | Enabled / Default | ✅ Works - mDNS resolves successfully | 
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark