Connection Timed Out
Production Risk
Critical — all Cloudflare-proxied traffic fails. Usually indicates an overloaded or unreachable origin.
522 Connection Timed Out is a Cloudflare-specific error indicating that Cloudflare's TCP handshake with the origin server timed out. Cloudflare was unable to complete the initial connection to the origin within the timeout window.
- 1The origin server is overloaded and not accepting new TCP connections quickly enough.
- 2A network issue between Cloudflare and the origin server is causing packet loss.
- 3The origin server's TCP stack is exhausted (too many connections in TIME_WAIT or SYN_RECV).
- 4A firewall is silently dropping connection attempts (not sending RST — causing timeout rather than 521).
The origin server is under heavy load and TCP handshakes are timing out.
# Cloudflare attempts TCP handshake with origin # SYN sent → no SYN-ACK received within timeout
expected output
HTTP/1.1 522 Connection Timed Out
Fix 1
Scale the origin server or add capacity
WHEN The origin is overloaded.
# Check origin server load uptime netstat -an | grep -c ESTABLISHED # Scale horizontally or vertically as needed
Why this works
Reducing load on the origin server allows it to complete TCP handshakes promptly.
Fix 2
Check for firewall silently dropping connections
WHEN The origin appears healthy but 522s persist.
# Test TCP connectivity from another server nc -zv origin-server-ip 443 # If timeout (not refused), firewall is dropping packets
Why this works
Identifies whether a firewall is blocking Cloudflare's IPs without sending RST packets.
Cloudflare-specific. 522 = TCP timeout; 521 = connection actively refused.
Cloudflare 5xx error documentation
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#522 ↗Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev