Cloudflare Error 523: Origin Is Unreachable

Quick reference

Code	523 Origin Is Unreachable
Category	Cloudflare Edge Error
Standard HTTP?	No — Cloudflare proprietary
Vendor reference	Cloudflare documentation

What 523 means

Cloudflare 523 "Origin Is Unreachable" means Cloudflare knows the origin IP address (from your DNS records) but cannot route a packet to that address. Unlike 521 (connection refused) and 522 (TCP timeout), 523 is a layer 3 problem — the IP is not reachable at all, rather than being reachable but unavailable at the TCP or HTTP layer.

This is what a network engineer would describe as an ICMP "Destination Host Unreachable" condition: the routing infrastructure between Cloudflare's edge and the origin host has no path to the destination. This can be a routing table issue on the origin's side, a network outage affecting the path between Cloudflare and the origin, or a misconfigured IP address in Cloudflare's DNS records.

The most common cause in practice is a misconfigured DNS A record. When a domain uses Cloudflare as its authoritative DNS, the A record in Cloudflare's DNS settings must point to the actual origin server IP — not to a Cloudflare IP (which would create a loop). If the domain's DNS is still pointing to an old, decommissioned server IP, or to a Cloudflare anycast IP, 523 is returned.

Common causes and diagnosis

Wrong origin IP in Cloudflare DNS. The most frequent trigger. Check what IP Cloudflare is trying to connect to:

# Find the A record Cloudflare has for your domain: # In Cloudflare Dashboard: DNS → Records → look at the orange-cloud A record # Verify that IP is actually your origin server: ssh user@ORIGIN_IP # or test directly: curl -v --connect-to ::ORIGIN_IP: https://yourdomain.com/ # Compare with what DNS currently resolves to: dig +short yourdomain.com @8.8.8.8

Self-referencing Cloudflare IP. If an A record points to a Cloudflare anycast IP (103.21.x.x, 104.16.x.x, 198.41.x.x, etc.), Cloudflare loops back to itself and returns 523. Always point origin A records to the actual server IP, not a Cloudflare IP.

# Check if the origin IP is in Cloudflare's range: # Cloudflare IP ranges: https://www.cloudflare.com/ips/ # If your origin IP matches these ranges, it is misconfigured

Decommissioned or migrated server. The origin server was moved to a new IP but Cloudflare's DNS records were not updated. The old IP is no longer assigned to any host, and routing to it fails. Update the A record in the Cloudflare DNS dashboard to the new IP.

Network outage between Cloudflare and origin. A BGP routing problem, datacenter outage, or peering issue can break the path between Cloudflare edge servers and the origin network. This is typically visible as a sudden onset of 523s from all Cloudflare edge locations simultaneously. Check your hosting provider's status page and run a traceroute from within the origin network toward Cloudflare IPs.

Origin firewall blocking ICMP. Some 523 cases occur when a strict firewall drops ICMP unreachable messages, masking the true cause. The connection attempt silently fails without a readable error. If Cloudflare cannot reach the host via TCP either, 523 is returned instead of 522.

Fix checklist

1. Log into the Cloudflare dashboard and verify the origin A record points to the correct server IP.

2. SSH to the origin server and confirm it is running and network-accessible.

3. Run a traceroute from the origin server toward Cloudflare's IP ranges to confirm routing outbound:

traceroute 1.1.1.1 # Cloudflare DNS — useful routing test traceroute 104.16.0.1 # Cloudflare anycast IP

4. If using a VPC, cloud network, or datacenter with BGP routing, check whether the origin's subnet is properly announced and whether the security group or network ACL allows outbound traffic to Cloudflare.

5. Test from a network outside both Cloudflare and the origin to confirm the origin IP is globally routable:

curl -v http://ORIGIN_IP/ # should connect if globally routable

523 vs related errors

Code	Network layer	Specific failure
523	Layer 3 (IP routing)	No route to origin IP
521	Layer 4 (TCP)	Origin reachable but connection refused
522	Layer 4 (TCP)	Origin reachable but TCP SYN timed out
524	Layer 7 (HTTP)	Connected but request timed out

Frequently asked questions

How do I find what IP Cloudflare is connecting to?

Check the orange-cloud A record in Cloudflare's DNS dashboard. The "Content" column shows the IP Cloudflare forwards traffic to. This is the IP Cloudflare uses as the origin — not the Cloudflare IP your users see in DNS lookups.

Can 523 occur on a proxied (orange-cloud) record?

Yes. Orange-cloud records are proxied through Cloudflare, and Cloudflare connects to the origin IP listed in the DNS record. If that IP is wrong or unreachable, 523 is returned regardless of proxy status.

Does Cloudflare cache 523 responses?

No. Cloudflare does not cache 5xx error responses. Each failed request generates a new connection attempt to the origin. If the origin IP becomes reachable, subsequent requests will succeed immediately without cache invalidation.

What if I cannot change the origin IP right now?

As a temporary measure, enable Cloudflare Always Online to serve cached pages, or set up a Cloudflare Worker to return a maintenance page while the origin IP issue is resolved. Neither fixes the underlying routing problem but maintains user-visible availability.

Server Errors Hub · All Guides · Home