This error indicates an interrupted connection between Cloudflare and your origin’s Railgun server (rg-listener). Common causes include:

  1. Firewall interference
  2. Network incidents or packet loss between the Railgun server and Cloudflare
  3. Connection Timeouts

    this Railgun log errors indicate a connection failure between the Railgun Listener and your origin web server:

    • connection failed dial tcp i/o timeout

              no response from origin (timeout)

  4. LAN timeout exceeded
    This log error is generated if the origin web server does not send an HTTP response to the Railgun Listener within the 30 second default timeout:
    • connection failed dial tcp i/o timeout
      The time is adjusted by the timeout parameter of the railgun.conf file.
  5. Connection Refusals

    the following errors appear in the Railgun logs when requests from the Railgun Listener are refused:

    • Error getting page: dial tcp refused
  6. TLS/SSL related errors
    The following errors appear in the Railgun logs if TLS connections fail:

    • connection failed remote error: handshake failure
    • connection failed dial tcp refused
    • connection failed x509: certificate is valid for, not


Causes 1 and 2

Step 1 : Contact Cloudflare Support

If contacting Cloudflare support, provide the following information from the Railgun Listener: 

  • The full content of the railgun.conf file
  • The full content of the railgun-nat.conf file
  • Railgun log files that detail the observed errors

Causes 3

Step 1: Contact For Assistance

Contact NET Support for assistance to test the connectivity issues between your origin web server and your Railgun Listener. For example, a netcat command tests connectivity when run from the Railgun Listener to the origin web server’s SERVERIP and PORT (80 for HTTP or 443 for HTTPS):

  • nc -vz SERVERIP PORT

Causes 4

Step 1: Increase lan.timeoutlimit

Either increase the lan.timeout limit in railgun.conf, or review the web server configuration. Contact NET support to confirm if the origin web server is overloaded.

Causes 5

Step 1: Whitelist IP

Whitelist the IP of your Railgun Listener at your origin web server’s firewall.

Causes 6

Step 1 : Check Web Server

Check the following on the origin web server and ensure that:

  • Port 443 is open
  • An SSL certificate is presented by the origin web server
  • the SAN or Common Name of the origin web server’s SSL certificate contains the requested hostname
  • SSL is set to Full or Full (Strict) in the Overview tab of the Cloudflare SSL/TLS app
Step 2 : Set cert=0

If your origin web server SSL certificate is self-signed, set cert=0 in railgun.conf.