522 Connection Timed Out
The HTTP 522 Connection Timed Out status code is an unofficial server error specific to Cloudflare. This error occurs when Cloudflare's TCP connection attempt to the origin server times out before a connection is established.
Usage
Cloudflare is a content delivery network acting as a reverse proxy between clients and origin servers. The 522 error means Cloudflare attempted a TCP handshake with the origin but received no SYN-ACK within the timeout window (19 seconds).
Common causes include:
- The origin server is overloaded and unable to accept new connections.
- A firewall or security group is silently dropping packets from Cloudflare IP addresses instead of rejecting them.
- Network routing issues between Cloudflare and the origin.
- The origin's IP address in the Cloudflare DNS settings is incorrect.
Note
Unlike 521 Web Server Is Down, where the origin actively refuses the connection, a 522 means the connection attempt received no response at all.
SEO impact
Search engines treat Cloudflare 522 responses as server errors. Persistent connection timeouts reduce crawl rate and prevent indexing of affected URLs. Fixing the TCP handshake failure restores normal crawling.
Example
A client sends a request through Cloudflare. The origin server does not respond to the TCP handshake within the timeout period, and Cloudflare returns a 522 error.
Request
GET /products HTTP/1.1
Host: www.example.re
Accept: text/html
Response
HTTP/1.1 522 Connection Timed Out
Date: Sun, 02 Mar 2026 10:25:00 GMT
Content-Type: text/html
Server: cloudflare
CF-RAY: 8a1b2c3d4e5f6-ORD
<html>
<head><title>522 Connection Timed Out</title></head>
<body>
<h1>Error 522</h1>
<p>Connection timed out</p>
</body>
</html>
How to fix
Cloudflare retries the TCP handshake with a backoff sequence of 1, 1, 1, 1, 1, 2, 4, and 8 seconds before giving up. The origin must return a SYN-ACK within this window, and acknowledge the resource request within 90 seconds after the connection opens.
Allowlist all Cloudflare IP ranges in iptables, security
groups, or the hosting provider's firewall. Silent
packet drops (as opposed to TCP RST rejections) are the
most common cause of 522 errors. Retrieve the current
list from cloudflare.com/ips.
Enable HTTP keepalives on the origin web server. In
Apache, set KeepAlive On with a KeepAliveTimeout of
at least 60 seconds. In Nginx, set
keepalive_timeout 75s;. Cloudflare reuses persistent
TCP connections, so disabled keepalives force repeated
handshakes, increasing the chance of a timeout.
Confirm the origin IP address in the Cloudflare DNS settings matches the current server. A stale A or AAAA record pointing to an old IP address causes silent connection failures.
Run an MTR or traceroute from the origin to the Cloudflare IP shown in the origin's access log. This identifies routing problems or packet loss between the two networks. If the origin is overloaded, add capacity or reduce connection concurrency so the TCP backlog does not fill up.
Takeaway
The 522 Connection Timed Out status code is a Cloudflare-specific error generated when Cloudflare was unable to complete a TCP handshake with the origin server within the allowed time.
See also
- 520 Web Server Is Returning an Unknown Error
- 521 Web Server Is Down
- 524 A Timeout Occurred
- Troubleshooting Cloudflare Errors
- HTTP status codes
