
Origin Server Unreachable: Cloudflare Error 523

Cloudflare Error 523 means Cloudflare can't establish any connection to your origin server at all. Not a refused connection, not a timeout — simply unreachable. Cloudflare can't find a route to your server.

While a 521 error means the server refused Cloudflare's connection, and a 522 error means it timed out, a 523 is more fundamental — Cloudflare can't even initiate the TCP handshake.

What Causes a 523 Error?

The Server's IP Address Has Changed

The most common cause. If your origin server was moved to a new IP address but Cloudflare's DNS record for the origin still points to the old IP, Cloudflare will try the old address — and find nothing there.

This happens when you:

  • Migrate to a new hosting provider
  • Get a new server with a new IP
  • Rebuild a server from scratch

Fix: Update the A record or AAAA record in Cloudflare's DNS settings to point to your new server IP. Note that Cloudflare proxies requests, so the IP you enter in Cloudflare DNS is your origin server's IP, not Cloudflare's.

The Origin Server Is Completely Down

If your physical or virtual server has failed — a hard drive crash, a cloud provider outage, a VM being shut down — it won't respond to any connection attempts. Cloudflare can't reach it, full stop.

Contact your hosting provider to check server status if the server appears unreachable from all sources.

Routing or Network Issue Between Cloudflare and Origin

Network-level issues — a BGP routing change, a faulty network device at the data centre, or your hosting provider's upstream having problems — can make your server unreachable from Cloudflare's network even if the server itself is running fine.

Test this by attempting to SSH into your server from your own connection. If you can SSH in but Cloudflare still shows 523, it's a routing issue specific to Cloudflare's path to your origin.

Origin Server IP Is Blocked or Firewalled

If your server firewall has been tightened to only allow specific IPs, or a security tool has added a blanket block, Cloudflare's IPs might not be able to reach the server at the TCP level — similar to what causes a 522, but more severe.

At the 523 level, it's often a firewall that's dropping packets before even a TCP handshake can complete.

Server Is Running But Network Interface Is Down

In rare cases, the server is online and the OS is running, but the network interface has failed or been disabled. The server can't receive or send any network traffic.

How to Diagnose a 523 Error

Check if Your Server Is Actually Up

Try to SSH into the server or access it via your hosting provider's console. If you can't get in at all, the server itself is the problem.

ssh user@your-server-ip
ping your-server-ip

Verify the IP in Cloudflare DNS

In your Cloudflare dashboard, go to DNS > Records and check that the A record for your domain points to your current server IP. Compare it against the IP shown in your hosting provider's dashboard.

Test From Outside Cloudflare

Try curling your server IP directly:

curl -v http://YOUR_SERVER_IP --header "Host: yourdomain.com"

If this works but Cloudflare still shows 523, the issue is between Cloudflare and your origin — likely a routing or firewall issue.

Check for Cloudflare IP Blocks

Confirm Cloudflare's IP ranges are allowed through your server firewall:

sudo ufw status
sudo iptables -L -n

The full list of Cloudflare IP ranges is available at cloudflare.com/ips.

How to Fix a 523 Error

If the IP changed: Update the DNS record in Cloudflare to point to the new IP. Changes propagate to Cloudflare's network quickly — usually within a few minutes.

If the server is down: Work with your hosting provider to restore the server. If it's a cloud server, check your provider's console for the server's current state and restart it if necessary.

If it's a routing issue: Contact your hosting provider. Provide them with a traceroute from a public server to your origin IP to show where packets are being dropped.

If Cloudflare is blocked: Add Cloudflare's IP ranges to your firewall whitelist. Also check any security tools (CSF, fail2ban, ModSecurity) that might have auto-blocked Cloudflare traffic.
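The firewall check from "Check for Cloudflare IP Blocks" and the allowlisting fix above can be done by script instead of by eye. This is an added example, not code from the original article: it scans `iptables -S` style output for DROP/REJECT rules that overlap Cloudflare ranges, and for ranges with no ACCEPT rule under a default-drop policy. The rule dump is constructed, the range list is a small subset (load the current one from cloudflare.com/ips), and the function names are hypothetical.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 ranges, for illustration only.
# Load the current list from cloudflare.com/ips before relying on the result.
CLOUDFLARE_RANGES = ["173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13"]

# Constructed sample of `sudo iptables -S` output (not from a real server).
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 172.64.0.0/13 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 104.16.12.34/32 -j DROP
-A INPUT -s 104.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 198.51.100.7/32 -j DROP
-A f2b-sshd -s 173.245.49.10/32 -j REJECT --reject-with icmp-port-unreachable
"""

RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-s (?P<src>\S+) .*?-j (?P<target>ACCEPT|DROP|REJECT)\b"
)

def parse_rules(text):
    """Yield (chain, network, target) for rules that match on a source address."""
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and "! -s" not in line:  # negated source matches are skipped
            yield m["chain"], ipaddress.ip_network(m["src"], strict=False), m["target"]

def audit(rules_text, cf_ranges):
    """Return (blocking rules that overlap Cloudflare, ranges lacking an ACCEPT).

    Rule order is ignored: iptables applies the first match, so treat the
    output as candidates to inspect. IPv4 only; audit `ip6tables -S` separately.
    """
    cf = [ipaddress.ip_network(r) for r in cf_ranges]
    blocked, allowed = [], set()
    for chain, net, target in parse_rules(rules_text):
        hits = [c for c in cf if c.version == net.version and c.overlaps(net)]
        if target == "ACCEPT":
            allowed.update(c for c in hits if c.subnet_of(net))
        elif hits:
            blocked.append((chain, str(net), target))
    default_drop = "-P INPUT DROP" in rules_text
    missing = [str(c) for c in cf if default_drop and c not in allowed]
    return blocked, missing

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, CLOUDFLARE_RANGES):
        print(finding)
```

The `f2b-sshd` hit is the kind of entry an automated ban tool leaves behind: a single Cloudflare edge address banned in a side chain, which a quick read of the INPUT chain would miss.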

Preventing 523 Errors

The two main preventable causes are:

  1. IP changes during migrations — Always update Cloudflare DNS immediately when moving servers, before decommissioning the old one
  2. Unmonitored server failures — A server that goes down without anyone knowing about it will show a 523 until someone notices

Domain Monitor monitors your website from multiple global locations every minute. If your site starts showing Cloudflare errors, you'll know about it within minutes — not hours. Combine that with downtime alerts to make sure the right person gets notified immediately.
