523 Origin Is Unreachable (Cloudflare) Fix

Cloudflare 523 means Cloudflare can't route to your origin's IP. Fix it in 3 checks: stale A record, dead origin, routing. Free instant check, no sign-up.

Problem

Cloudflare returns Error 523: Origin is unreachable. Cloudflare’s edge tried to reach the IP configured for your origin and could not get a route to it at all — not refused, not timed out, simply nowhere to send the packet. This is the network-layer “no route to host,” and it almost always means the address Cloudflare is aiming at is wrong, dead, or unroutable.

Symptoms

  • Cloudflare’s branded error page shows Error 523.
  • The error is usually total and consistent, not intermittent — every request fails the same way.
  • It frequently appears right after a hosting migration, an origin IP change, or a DNS edit.

Top 3 Causes

  1. The A/AAAA record points at a stale or wrong IP - This is the most common cause. The proxied origin record in Cloudflare DNS still holds an old IP after a host move, or a typo put the wrong address in. Cloudflare faithfully routes to an IP where nothing lives.
  2. The origin is completely offline - The server is powered down, the instance was terminated, or its network interface is gone. There is no host at the IP to route to — distinct from a 521, where the host is up but refuses, or a 522, where it is up but silent.
  3. A routing or tunnel failure sits between Cloudflare and the origin - The hosting provider null-routed the IP (often during DDoS mitigation), an upstream BGP problem broke the path, or — for Cloudflare Spectrum / Magic Transit setups — the GRE or IPsec tunnel to the origin is down. The IP may be valid but unreachable from Cloudflare’s network.

Diagnose with DechoNet

  • DNS Check on your origin’s real hostname (or the bare record you point Cloudflare at) to confirm it resolves to the IP you actually expect — not a leftover from the old host.
  • Port Check against that origin IP for 80 and 443 to confirm the address is reachable from outside at all. A total timeout on every port is consistent with an unroutable or offline origin.

Resolution Checklist

  • In the Cloudflare dashboard, open DNS and read the origin IP on the proxied A/AAAA record. Compare it byte-for-byte against the IP your host shows for the live server.
  • Confirm the origin is actually up at the network level from a third location: ping ORIGIN_IP and curl -v --connect-timeout 20 http://ORIGIN_IP. If both fail from everywhere, the origin or its route is down — fix that before touching Cloudflare.
  • If you just migrated hosts, update the proxied record to the new origin IP and wait for the edge to pick it up (proxied records propagate within Cloudflare quickly, but give it a minute).
  • Ask the host whether the IP has been null-routed or rate-limited upstream — this is common during DDoS scrubbing and produces a clean 523.
  • For Spectrum / Magic Transit, verify the GRE or IPsec tunnel is up and the origin is advertising the right routes; a dropped tunnel leaves the origin unreachable while the dashboard still looks fine.
  • Re-run DNS Check and Port Check to confirm the record points at a live, reachable IP, then reload the site.
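The same checklist carried out locally, as an added example that is not part of the original guide or of DechoNet's tooling: it resolves the origin hostname, compares the answer with the IP you expect, then probes 80 and 443 and maps the connect failure onto the 521/522/523 distinction the guide draws. ORIGIN_HOST and EXPECTED_IP are hypothetical placeholders, and the resolver argument exists so the DNS step can be stubbed when testing offline.

```python
import errno
import socket
# Hypothetical values: replace with your origin hostname and the IP your host shows.
ORIGIN_HOST = "origin.example.com"
EXPECTED_IP = "203.0.113.10"   # constructed sample address (TEST-NET-3 range)

def resolve(host, resolver=None):
    """A records for host; the resolver is injectable so the check can run offline."""
    if resolver is None:
        resolver = lambda h: socket.gethostbyname_ex(h)[2]
    return sorted(set(resolver(host)))

def record_matches(host, expected_ip, resolver=None):
    """True only when the record holds exactly the live origin IP, with no leftovers."""
    return resolve(host, resolver) == [expected_ip]

def probe(ip, port, timeout=5.0):
    """Classify one TCP connect along the 521/522/523 split: 'open' (reachable),
    'refused' (host up, port closed: 521), 'timeout' (host silent: 522),
    'no_route' (nowhere to send the packet: 523)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:            # checked before OSError, of which it is a subclass
        return "timeout"
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no_route"
        return "error:%s" % e.errno

def diagnose(results):
    """Turn per-port probe results into the cause to chase next."""
    r = set(results)
    if "open" in r:
        return "origin reachable: check the proxied record and the Cloudflare-to-host path"
    if r == {"no_route"}:
        return "no route to origin IP: stale record, dead host, or null-route (523)"
    if r == {"timeout"}:
        return "origin silent: firewall or host down (522 territory)"
    if r == {"refused"}:
        return "origin up but nothing listening (521 territory)"
    return "inconclusive: " + ", ".join(sorted(r))

def triage(host=ORIGIN_HOST, expected_ip=EXPECTED_IP, ports=(80, 443), resolver=None):
    """Run the checklist end to end: record first, then ports on the expected IP."""
    if not record_matches(host, expected_ip, resolver):
        return "record mismatch: %s resolves to %s, expected %s" % (host, resolve(host, resolver), expected_ip)
    return diagnose(probe(expected_ip, p) for p in ports)
```

Run triage() after filling in the two constants; a "record mismatch" result means fix the DNS record first, a "(523)" result means the IP itself has no route and the host or its provider is where to look.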

When to Escalate

  • If DNS and the origin both check out from multiple locations but Cloudflare still returns 523, the problem is on the path between Cloudflare and your host. Open a ticket with the hosting provider (and, if it persists, Cloudflare) with your traceroute and the exact origin IP.
  • A 523 that flips on and off in lockstep with attack traffic is almost always automated null-routing on the provider’s side — escalate to the host’s DDoS/network team rather than retrying.
