Troubleshooting

Error 1002: DNS points to prohibited IP

This error occurs when you proxy a private IP address without the necessary entitlement. Contact your account team to request access.

Setting seems off but traffic routes through tunnel

Check for other records on the same name.

Private network routing applies per name, not per record. If you have multiple A or AAAA records on the same name and at least one of them has private network routing enabled, all records on that name will use private network routing.

Traffic not reaching origin

If traffic is not reaching your private origin:

Verify your tunnel is active and healthy in the Cloudflare dashboard.
Confirm the origin IP is routable within your private network.
Check that private_routing is set to true on the DNS record.
Verify the record has proxy status enabled.

Connection timeouts from clients

Cloudflare Source IP is set to a public range. Set it to a private /12. Refer to Configure Cloudflare source IPs.

Request times out with no response on the origin

The network where your origin lives has no return route for the Cloudflare Source IP range. Add a route that sends that range back through the tunnel.

Tunnel shows IKE established but health checks fail

ICMP is blocked on the path or the health check is misconfigured. Allow ICMP between the tunnel endpoints and confirm the health check direction is bidirectional and type is reply.

Traffic tries to route over the public Internet

The Use private network routing toggle is not turned on for the DNS record. Edit the record and turn the toggle on. Refer to Private network routing for dashboard and API steps.