Cloudflare Error 522: What It Means and How to Fix It
Appears on: Sites using Cloudflare. Error 522 Connection Timed Out means Cloudflare attempted a TCP connection to the origin server but never received a response — the origin is unreachable, overloaded, or silently dropping Cloudflare's connection attempts. Unlike 521 (active refusal), 522 is silence.
What Cloudflare 522 actually means
Cloudflare proxies your visitors' requests by opening a TCP connection to your origin server. 522 fires when the TCP three-way handshake (SYN → SYN-ACK → ACK) is not completed within Cloudflare's timeout — typically 15 seconds for the initial connection. The origin sent no SYN-ACK, meaning it either didn't receive the SYN (routing/firewall issue) or received it but couldn't respond (resource exhaustion, kernel backlog full). This is the most common Cloudflare error after 521.
Most likely causes (ranked)
- Origin server overloaded — connection queue full, kernel dropping incoming SYNs
- Firewall silently dropping Cloudflare's IP ranges instead of refusing them (causes 522 not 521)
- Keepalive mismatch — origin closes idle connections faster than Cloudflare's 90s keepalive window
- Network routing issue between Cloudflare's edge and the origin data center
- Origin server resource exhaustion — too many open connections, file descriptor limit hit
How to fix Cloudflare 522
Step 1: Check origin server health
SSH into the origin. Check that the web server is running (systemctl status nginx). Check system load (top) and connection state:
ss -s
High numbers of CLOSE_WAIT or SYN_RECV states indicate connection handling problems.
Step 2: Whitelist Cloudflare IPs on the firewall
A firewall silently dropping (not refusing) Cloudflare connections produces 522 instead of 521. Add all Cloudflare IP ranges from cloudflare.com/ips to your server's allow list on ports 80 and 443.
Step 3: Fix keepalive settings
Cloudflare holds keepalive connections open for up to 90 seconds and reuses them. If your origin closes idle connections faster, Cloudflare's reuse attempt times out. In Nginx, set:
keepalive_timeout 75;
Step 4: Check for connection/fd exhaustion
Count open connections: netstat -an | grep ESTABLISHED | wc -l. Check file descriptor limits: ulimit -n. If you're hitting limits, increase them in /etc/security/limits.conf and tune net.core.somaxconn in /etc/sysctl.conf.
Step 5: Pause Cloudflare and test origin directly
In Cloudflare dashboard → Overview → Pause Cloudflare on Site. Access the site via the origin IP. If it loads, the web server is functional but Cloudflare's network cannot reach it — confirm firewall rules and routing allow Cloudflare IPs.
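The script below is an added example for steps 1, 2, 4 and 5 of this procedure; it is not part of the original guide and is not Cloudflare's or Nginx's own tooling. The two parsing functions read text on stdin, so they run here on constructed sample data (a made-up `ss -tan` capture and placeholder CIDRs from the RFC 5737/3849 documentation blocks, not Cloudflare's real ranges). The live section is an assumption about the host: it expects `ss`, `sysctl`, `curl` and the environment variables `ORIGIN_HOST` and `ORIGIN_IP`, and only runs when `CF522_LIVE=1` is exported. The firewall generator deliberately rejects non-allowed sources with a TCP RST rather than dropping them, which is the 521-versus-522 distinction the guide draws.

```shell
#!/bin/sh
# Added example for this guide, not Cloudflare's or Nginx's own tooling.
# Pure functions read text on stdin so they can be run on captured or
# constructed command output; the live section at the end only runs when
# CF522_LIVE=1 is exported, and assumes ss, sysctl and curl are present.

# Step 1: count sockets in one TCP state from `ss -tan` output.
# Accepts either the ss spelling (SYN-RECV) or the netstat spelling (SYN_RECV).
count_state() {
    want=$(printf '%s' "$1" | tr '_' '-')
    awk -v want="$want" 'NR > 1 { s = $1; gsub(/_/, "-", s); if (s == want) n++ }
                         END { print n + 0 }'
}

# Constructed sample of `ss -tan` output (not a real capture): one healthy
# connection, two half-open handshakes, one peer-closed socket.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB      0      0      10.0.0.5:443       203.0.113.10:51234
SYN-RECV   0      0      10.0.0.5:443       203.0.113.11:40001
SYN-RECV   0      0      10.0.0.5:443       203.0.113.12:40002
CLOSE-WAIT 1      0      10.0.0.5:80        203.0.113.13:40003'

# Step 2: turn a list of CIDRs (one per line, # comments allowed) into an
# nftables ruleset that accepts the listed sources on 80/443 and answers
# everyone else with a TCP RST. Reject rather than drop: a dropped SYN is the
# silence that surfaces as 522, while a RST surfaces as the diagnosable 521.
nft_allowlist() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        index($1, ":") { v6 = v6 (v6 ? ", " : "") $1; next }
        { v4 = v4 (v4 ? ", " : "") $1 }
        END {
            print "table inet cf_origin {"
            if (v4) print "    set cf_v4 { type ipv4_addr; flags interval; elements = { " v4 " } }"
            if (v6) print "    set cf_v6 { type ipv6_addr; flags interval; elements = { " v6 " } }"
            print "    chain input {"
            print "        type filter hook input priority 0; policy accept;"
            if (v4) print "        tcp dport { 80, 443 } ip saddr @cf_v4 accept"
            if (v6) print "        tcp dport { 80, 443 } ip6 saddr @cf_v6 accept"
            print "        tcp dport { 80, 443 } reject with tcp reset"
            print "    }"
            print "}"
        }'
}

# Placeholder ranges from the documentation blocks (RFC 5737 / RFC 3849),
# NOT Cloudflare's real ranges: replace with the list from cloudflare.com/ips.
SAMPLE_CIDRS='# v4
192.0.2.0/24
198.51.100.0/24
# v6
2001:db8::/32'

if [ "${CF522_LIVE:-0}" = 1 ]; then
    # Steps 1 and 4 on the live host: backlog state and the limits it runs into.
    echo "SYN-RECV sockets:   $(ss -tan | count_state SYN-RECV)"
    echo "CLOSE-WAIT sockets: $(ss -tan | count_state CLOSE-WAIT)"
    echo "ESTAB sockets:      $(ss -tan | count_state ESTAB)"
    echo "net.core.somaxconn: $(sysctl -n net.core.somaxconn)"
    echo "open-file limit:    $(ulimit -n)"
    # Step 5: reach the origin directly by IP with the site's hostname as SNI,
    # bounded by the same 15 s connect window Cloudflare allows.
    # ORIGIN_HOST and ORIGIN_IP are assumed environment variables.
    curl -sS -o /dev/null --connect-timeout 15 \
        --resolve "${ORIGIN_HOST}:443:${ORIGIN_IP}" \
        -w 'status=%{http_code} connect=%{time_connect}s\n' \
        "https://${ORIGIN_HOST}/"
else
    echo "Dry run on constructed sample (export CF522_LIVE=1 for the live host):"
    printf '%s\n' "$SAMPLE_SS" | count_state SYN-RECV | sed 's/^/SYN-RECV sockets in sample: /'
    printf '%s\n' "$SAMPLE_CIDRS" | nft_allowlist
fi
```

Load the generated ruleset with `nft -f` only after adding your own management address to the allow list: once the reject rule is in place, the direct-origin check in step 5 will itself be refused from any source that is not listed. Step 3 (keepalive_timeout) is a config edit in Nginx and is not scripted here.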
Frequently Asked Questions
What is the difference between 521 and 522?
521: the origin actively refused with a TCP RST — web server down or firewall blocking. 522: no TCP response at all — server unreachable or silently dropping packets. 521 is an explicit rejection; 522 is silence.
Why does 522 happen only on some requests?
Intermittent 522s typically mean the origin is resource-constrained under load — dropping connections when workers or file descriptors are exhausted. A keepalive mismatch can also cause first-request failures on reused sockets. Increasing keepalive_timeout and worker limits on the origin resolves most intermittent cases.
Related Guides
Cloudflare 521
When the origin actively refuses the connection rather than timing out.
Cloudflare 525
SSL handshake failure between Cloudflare and the origin server.
504 Gateway Timeout
The generic proxy timeout error without Cloudflare branding.
502 Bad Gateway
When the upstream server returns a bad response instead of timing out.