[CF1] tunnel connectivity troubleshooting guide

[deadlypants1973]

Summary

Screenshots (optional)

Documentation checklist

• Is there a changelog entry (guidelines)? If you don't add one for something awesome and new (however small) — how will our customers find out? Changelogs are automatically posted to RSS feeds, the Discord, and X.
• The change adheres to the documentation style guide.
• If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
• Files which have changed name or location have been allocated redirects.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/	@nikitacano, @ranbel, @cloudflare/pcx-technical-writing

[github-actions]

Preview URL: https://acf3ffb4.preview.developers.cloudflare.com
Preview Branch URL: https://kate-fixes-tunnel-tb-guide.preview.developers.cloudflare.com

Files with changes (up to 15)

Original Link	Updated Link
https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prereqs/	https://kate-fixes-tunnel-tb-guide.preview.developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/troubleshoot-tunnels/connectivity-prereqs/

[nikitacano]

I don't think we want to say it like this, even though it is true. We need customers to benefit from high availability and built-in resilience of the product.

So for the purpose of the troubleshooting guide customers can test against one IP in one region, but to have a setup that is working, resilient and supported by us, they must ensure cloudflared connectivity to both regions.

[deadlypants1973]

@nikitacano agreed, this was just notes leftover from our meeting, not final draft content

[nikitacano]

Same here: we absolutely require customers to have connectivity to both regions in order to consider their deployment supported.

[deadlypants1973]

@nikitacano updated the PR with a full first draft. added questions for you marked as (question) within the doc.

[nikitacano]

Then investigate with your system administrator and / or ISP provider why your local resolver is returning a different response. Recursive DNS resolvers should return the same response as the authoritative DNS server since the authoritative server is always the source of truth where each hostname should point to.

[nikitacano]

... blocking DNS traffic altogether (UDP on port 53) or specific DNS queries related to Cloudflare.

[nikitacano]

We should link to https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/cloudflared-parameters/run-parameters/#protocol here.

[nikitacano]

Either allow TCP on your local network firewall on port 7844 or stop forcing http2 to allow cloudflared to connect over QUIC instead.

[nikitacano]

Either allow UDP on local network firewall on port 7844 or stop forcing QUIC to allow cloudflared to connect over HTTP/2 instead.

[nikitacano]

Allow all traffic over port 7844 on local network firewall and, if that doesn't help, troubleshoot this with your ISP or service provider.

[nikitacano]

This section is good, however customer will not narrow down whether they are using stateful vs stateless firewall without taking packet captures of their traffic on the host machine. Unfortunately, netcat (nc) output will be the same in both situations. Thus, I wonder if this is too advanced for a generic user and as such we could leave it out since stateless firewalls are quite uncommon these days.