Cloudflared Tunnel Connected But Site Still Times Out — Complete Debug Guide (2026)

How to fix Cloudflare Tunnel when the tunnel shows healthy but your site remains inaccessible

Few self-hosting problems are more frustrating than this.

You run your tunnel.

Cloudflared shows:

bash id="v6pxx8"

Connected to Cloudflare

Everything looks healthy.

No obvious errors.

Yet your public domain still times out.

The browser spins endlessly.

No response.

No useful error.

If you've ever self-hosted a Next.js app, internal dashboard, or Linux service behind Cloudflare Tunnel, you've probably seen this exact situation.

The tunnel is active.

But the site is still unreachable.

This guide walks through the complete production debugging workflow for fixing Cloudflared tunnels that appear connected but fail to serve traffic.

The 5 Most Common Causes

When a tunnel is connected but inaccessible, the problem usually falls into one of these categories:

1. DNS mismatch

2. Incorrect tunnel ingress config

3. Origin service unreachable

4. Nginx upstream failure

5. Credential or routing issues

Let's debug each one.

---

Step 1: Verify Tunnel Is Actually Connected

Start by checking tunnel status:

bash id="g6vjlwm"

cloudflared tunnel list

Healthy output should show:

bash id="4zx7ak"

STATUS: healthy

Then inspect logs:

bash id="4a0s48"

journalctl -u cloudflared -f

Look for:

bash id="j3v8v8"

Registered tunnel connection
Connection established

Bad signs include:

bash id="vtxi1i"

Tunnel credentials file doesn't exist
Unauthorized
Failed to serve tunnel connection

If credentials are broken, skip to Step 6.

---

Step 2: Validate DNS Mapping

This is the most common real-world failure.

Your tunnel is healthy, but DNS points somewhere else.

Check your DNS record in Cloudflare.

For a tunnel-backed domain, you should have:

bash id="6wq3rl"

Type: CNAME
Name: yourdomain.com
Target: <tunnel-id>.cfargotunnel.com
Proxy: Enabled

---

Validate DNS Resolution

Run:

bash id="v9h5pd"

dig yourdomain.com

or:

bash id="l9zkq9"

nslookup yourdomain.com

If resolution doesn't match your tunnel endpoint, DNS is misconfigured.

---

Common DNS Mismatch Issues

Old A Record Still Exists

Cloudflare may still point traffic to an old VPS IP.

Remove stale A records.

---

Multiple Conflicting Records

If both A and CNAME exist, routing becomes unpredictable.

Use one authoritative tunnel record.

---

Wrong Tunnel Target

A typo in tunnel UUID breaks routing entirely.

---

Step 3: Check Cloudflared Config

Inspect:

bash id="mvvbqf"

/etc/cloudflared/config.yml

Example working config:

yaml id="9qmhjl"

tunnel: your-tunnel-id
credentials-file: /root/.cloudflared/your-tunnel.json

ingress:
  - hostname: yourdomain.com
    service: http://localhost:3000
  - service: http_status:404

---

Common Config Mistakes

Wrong Local Port

Example:

yaml id="t2iqh8"

service: http://localhost:3001

while your app runs on:

bash id="gzll1d"

localhost:3000

This creates silent timeout behavior.

---

Missing Hostname Match

If ingress hostname doesn't match DNS hostname, routing fails.

---

Bad YAML Formatting

Even small indentation errors break routing.

Validate carefully.

---

Step 4: Confirm Origin Service Is Reachable

Cloudflare Tunnel only proxies.

Your local service must actually respond.

Test directly on the server:

bash id="p3e4go"

curl http://localhost:3000

Healthy response:

html id="pyh47o"

<!DOCTYPE html>
<html>

If curl hangs or fails, your tunnel is fine.

Your app is not.

---

Common Origin Failures

Next.js App Not Running

Check:

bash id="8a5rv2"

pm2 status

or:

bash id="s3ts7k"

ps aux | grep node

---

Port Conflict

You may see:

bash id="2ovwxv"

EADDRINUSE

Another service already owns the port.

---

App Crashed During Build

Verify logs:

bash id="c1dkrh"

pm2 logs your-app

---

Step 5: Debug Nginx Upstream

If Cloudflared points to Nginx instead of directly to Next.js:

yaml id="j9dphv"

service: http://localhost:80

Then Nginx becomes part of the chain.

Validate config:

bash id="ng5nfe"

sudo nginx -t

Then inspect upstream:

nginx id="9mrz0h"

location / {
    proxy_pass http://127.0.0.1:3000;
}

---

Common Nginx Problems

Wrong Upstream Port

Nginx proxies to dead service.

---

Missing Reverse Proxy Headers

For Next.js:

nginx id="j0v82o"

proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

---

Nginx Not Reloaded

After config changes:

bash id="s0vupq"

sudo systemctl reload nginx

---

Step 6: Validate Tunnel Credentials

Credential corruption causes misleading partial connections.

Check:

bash id="l5e2pi"

ls ~/.cloudflared

You should see:

cert.pem

tunnel-id.json

config.yml

---

If missing:

Re-authenticate:

bash id="hq25l9"

cloudflared tunnel login

Then recreate credentials:

bash id="xyr8nh"

cloudflared tunnel create mytunnel

---

Common Credential Errors

bash id="0j6a1g"

Tunnel credentials file doesn't exist

or:

bash id="blkg1r"

Unauthorized: failed authentication

These require credential regeneration.

---

Step 7: Test Full End-to-End Routing

Validate every layer.

---

Local app

bash id="ivjlwm"

curl localhost:3000

---

Nginx

bash id="m53l6t"

curl localhost:80

---

Public domain

bash id="vph76p"

curl https://yourdomain.com

Find the exact layer where failure begins.

This isolates the issue fast.

---

Production Debugging Sequence I Use

When a connected tunnel times out, I run this exact flow:

bash id="q5p6r6"

cloudflared tunnel list
journalctl -u cloudflared -f
curl localhost:3000
sudo nginx -t
pm2 status
dig yourdomain.com

This usually identifies the issue within minutes.

---

Prevention Checklist

To avoid future tunnel failures:

Use systemd for cloudflared

bash id="8x2xzr"

sudo systemctl enable cloudflared

---

Monitor tunnel logs

Persistent logging catches failures early.

---

Keep ingress config simple

Avoid unnecessary routing layers.

---

Validate DNS after changes

Cloudflare dashboard mistakes are common.

---

Test locally before exposing publicly

Always verify origin first.

---

Final Thoughts

A connected Cloudflared tunnel does not guarantee a reachable site.

Think of the request path like this:

Cloudflare Edge → Tunnel → Local Connector → Nginx → App

A failure anywhere in that chain causes timeouts.

The key is methodical isolation.

Check each layer.

Validate assumptions.

Debug from local origin outward.

That’s how production tunnel issues get solved fast.