Description
Proposed changes
Hi, I'm a Cloudflare Solutions Engineer here for US Public Sector.
On the following documentation page: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/
A customer has brought it to my attention that Customer Support had told him to also allow ICMP. Could we update this document to also suggest ICMP be allowed to the Argo IP ranges?
Reference: Cloudflare Customer Support Ticket 01530899. See the note from the TAC engineer dated 5/May/2025, which reads:
While looking over your logs the ICMP denies seen in the firewall logs directly correlate with the Cloudflare Tunnel’s QUIC failure. When Cloudflared cannot maintain a QUIC connection and is unable to probe the health of remote endpoints due to ICMP being blocked, it can trigger a connector failover, resulting in dropped or reset TCP sessions (like SSH or web sessions with strict source IP binding).
While ICMP is not strictly listed as a required protocol in Cloudflare’s firewall configuration guide, allowing specific ICMP types can significantly improve connection stability, particularly:
Type 3 Code 3 (Destination Unreachable – Port Unreachable)
Type 8 Code 0 (Echo Request – optional for diagnostics)
Type 11 Code 0 (Time Exceeded – helps with path probing)
I would suggest in this case trying to update the aCL_DMZ-1 ruleset to permit outbound ICMP traffic from the tunnel connectors to the Cloudflare region*.v2.argotunnel.com IP ranges (198.41.192.0/24 and related).
This change should reduce false-positive failovers, improve session reliability (especially for systems like F5 with IP-pinning policies), and ensure the tunnel can effectively evaluate upstream availability.
Please let me know if the suggestion above resolves the issue you are having or if you have any additional questions.
Just a suggestion to make this documentation work better for our customers and to hopefully help minimize help tickets. Thanks! -Matt
Subject Matter
Add suggested ports to open in the firewall for cloudflared connectivity.
Content Location
Should be added in https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/ below the "required" section. Could be "suggested/optional" section perhaps?
Additional information
No response
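As an added example (not part of this issue or of Cloudflare's documentation), the following Python script checks firewall deny logs for exactly the symptom the TAC note describes: outbound ICMP from a tunnel connector to the Argo range being dropped, broken down by the three ICMP type/code pairs the note recommends permitting. The log lines are constructed in a generic key=value format for the example and are not from any real firewall; the regular expression would need to be adapted to your firewall's log syntax. Only the 198.41.192.0/24 range cited in the ticket is included; the "related" ranges it mentions are not listed here and should be taken from Cloudflare's published documentation.

```python
import ipaddress
import re

# Cloudflare Tunnel (Argo) destination range cited in the ticket. The ticket also
# refers to "related" ranges without listing them; add those from Cloudflare's
# published documentation (this list is a placeholder containing only the cited range).
ARGO_RANGES = [ipaddress.ip_network("198.41.192.0/24")]

# ICMP type/code pairs the TAC note recommends permitting outbound from connectors.
RECOMMENDED_ICMP = {
    (3, 3): "Destination Unreachable - Port Unreachable",
    (8, 0): "Echo Request",
    (11, 0): "Time Exceeded",
}

# Constructed sample log lines in a generic key=value deny format (not from any
# real firewall product). 10.20.0.15 stands in for a tunnel connector host;
# 203.0.113.9 is a documentation address outside the Argo range.
SAMPLE_LOGS = """\
2025-05-05T10:00:01Z action=deny proto=icmp src=10.20.0.15 dst=198.41.192.7 icmp_type=11 icmp_code=0 acl=aCL_DMZ-1
2025-05-05T10:00:02Z action=deny proto=icmp src=10.20.0.15 dst=198.41.192.7 icmp_type=3 icmp_code=3 acl=aCL_DMZ-1
2025-05-05T10:00:03Z action=allow proto=udp src=10.20.0.15 dst=198.41.192.7 dport=7844 acl=aCL_DMZ-1
2025-05-05T10:00:04Z action=deny proto=icmp src=10.20.0.15 dst=203.0.113.9 icmp_type=8 icmp_code=0 acl=aCL_DMZ-1
2025-05-05T10:00:05Z action=deny proto=icmp src=10.20.0.15 dst=198.41.192.7 icmp_type=8 icmp_code=0 acl=aCL_DMZ-1
"""

# Matches the constructed format above; adapt this to your firewall's log syntax.
LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: icmp_type=(?P<type>\d+) icmp_code=(?P<code>\d+))?"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["type"] is not None:
        rec["type"] = int(rec["type"])
        rec["code"] = int(rec["code"])
    return rec


def in_argo_range(addr):
    """True if the address falls inside one of the configured Argo ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ARGO_RANGES)


def find_blocked_icmp(log_text):
    """Count denied ICMP packets to the Argo ranges, keyed by (type, code),
    keeping only the type/code pairs the TAC note recommends allowing."""
    blocked = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "deny" or rec["proto"] != "icmp":
            continue
        if rec["type"] is None or not in_argo_range(rec["dst"]):
            continue
        key = (rec["type"], rec["code"])
        if key in RECOMMENDED_ICMP:
            blocked[key] = blocked.get(key, 0) + 1
    return blocked


def report(blocked):
    """Render the counts as one human-readable line per ICMP type/code."""
    return [
        f"ICMP type {t} code {c} ({RECOMMENDED_ICMP[(t, c)]}) denied {n}x to Argo range"
        for (t, c), n in sorted(blocked.items())
    ]


if __name__ == "__main__":
    for line in report(find_blocked_icmp(SAMPLE_LOGS)):
        print(line)
```

Run against the constructed sample, the script reports one denied packet each for type 11/0, type 3/3 and type 8/0 to 198.41.192.7, while ignoring the allowed QUIC flow and the ICMP deny to an address outside the Argo range. Running the same check before and after updating the ACL gives a quick confirmation that the rule change took effect for the specific ICMP types the note calls out.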