Connection Errors in Pakistan: ERR_QUIC_PROTOCOL, Connection Reset, and Cloudflare Issues
Applies to
- Users experiencing connection errors:
  - Chrome: ERR_QUIC_PROTOCOL
  - Firefox: PR_CONNECT_RESET_ERROR
  - General: Connection was reset, Secure Connection Failed, ERR_CONNECTION_RESET
- Users located in Pakistan
- Domains using Cloudflare nameservers
- Users on specific ISPs, particularly PTCL
- Site works fine on other ISPs in Pakistan
- Intermittent slowness, stalls, or resets on any port, including ordinary HTTP and HTTPS (80 and 443): the same URL or port may work for a while, then fail, then recover, with no change on the server
- Similar symptoms when opening cPanel or other tools (for example port 2083), alone or together with flaky web traffic
- Problems reported from Pakistani ISP networks; the same service typically behaves normally when tested from outside Pakistan on a clean path
Overview
Some clients in Pakistan are experiencing connection errors when accessing websites that use Cloudflare. These errors include ERR_QUIC_PROTOCOL, PR_CONNECT_RESET_ERROR, Connection was reset, Secure Connection Failed, and ERR_CONNECTION_RESET.
After thorough investigation, we've determined that the worst reports cluster on specific ISPs in Pakistan (most commonly PTCL). Cloudflare nameservers are a common trigger for browser errors, but the same ISP-level filtering can also produce intermittent issues to ordinary web ports and to direct hosting traffic, including to some Middlehost IPs. We do not see the same intermittent pattern attributed to Middlehost alone on typical networks outside Pakistan.
Why this happens
The root cause of these connection errors is related to Pakistan's Deep Packet Inspection (DPI) firewall system deployed by ISPs. This automated system monitors and filters internet traffic.
Technical Explanation
DPI Firewall Deployment: Pakistan has deployed a national internet firewall system (similar to China's Great Firewall) that monitors and filters internet traffic at the ISP level.
VPN Blocking: The firewall is configured to block unregistered VPNs. Cloudflare's WARP VPN service shares the same IP address ranges as Cloudflare's hosting/CDN infrastructure.
IP Blocking: The automated firewall system may mistakenly block Cloudflare IPs because it cannot distinguish between Cloudflare's VPN service (WARP) and their legitimate hosting/CDN services.
Connection Reset: When requests reach Cloudflare's IPs but the response is blocked by the firewall, users experience connection resets and various browser error messages.
Important: For the Cloudflare case, this is an ISP-level issue: traffic can reach Cloudflare, but the path back to you may be disrupted by filtering. It is not caused by a misconfigured site on the server.
Separately, the same class of ISP equipment can also affect traffic that never touches Cloudflare, including HTTPS on 443 and other services. Symptoms are often intermittent: a port or site can work, then stall or reset minutes later, with no change on the server. That can look like a hosting outage when the failure is still on the network path inside Pakistan.
Intermittent access from Pakistan (web ports, cPanel, and other services)
Beyond Cloudflare-fronted websites, we and some clients have seen a related pattern on Pakistani ISP paths: requests are intermittently intercepted or shaped between your device and the server. It is not limited to one port or one product. The same port can be fine for a session, then slow or reset later the same day. HTTP and HTTPS on 80 and 443 are included: public sites can stutter or fail alongside admin tools, depending on time, route, and how the ISP equipment classifies the flow.
We have called out cPanel over HTTPS on port 2083 because support has seen clear examples, but that is one example, not the full rule. Mail, SSH, APIs, and plain website traffic can all show the same kind of flakiness when the path is affected.
We have also started seeing similar behaviour aimed at some Middlehost server IPs (not only Cloudflare ranges): not every user and not every route, which matches ISP-level, semi-random handling rather than a single bad cable or a dead disk on the machine. Outside Pakistan, the same endpoints are typically reachable without this pattern, which again points to local ISP filtering and congestion in the middle, not a global Middlehost outage.
What to do: If you suspect this is affecting your connection to our IPs, whether on web ports or anything else, open a support ticket. Our team can confirm whether the symptom matches known path issues, suggest practical workarounds (different network, VPN where legal and appropriate, timing, or alternate access patterns), and point you to the right settings. We cannot redesign national networks, but we can help you separate "hosting fault" from "path fault" and reduce guesswork.
ISP-Specific Issue
This problem is ISP-specific in Pakistan:
- Most commonly reported: PTCL (Pakistan Telecommunication Company Limited)
- Other ISPs: May also be affected depending on their firewall configuration
- Testing confirms: The same website works fine when accessed from different ISPs in Pakistan
This confirms that the issue is related to how individual ISPs have configured their DPI firewall systems, rather than a nationwide block. Documentation and customer reports for this article are specific to Pakistan. If you see errors only abroad, start with normal connectivity and DNS checks before assuming the same root cause.
Solutions
Solution 1: Use Middlehost Nameservers (Recommended)
The most reliable solution is to switch from Cloudflare nameservers to Middlehost nameservers. This completely bypasses the Cloudflare infrastructure that's being blocked by the firewall.
Steps to Change Nameservers:
Log in to your domain registrar's control panel
Navigate to DNS management or nameserver settings
Change your nameservers to:
- ns1.middlehost.com
- ns2.middlehost.com
- ns3.middlehost.com
- ns4.middlehost.com
Save the changes
Wait for DNS propagation (usually 24-48 hours, but can be faster)
Note: After changing nameservers, you'll need to configure your DNS records (A, AAAA, CNAME, MX, etc.) in your Middlehost cPanel or hosting control panel.
Why this works: By using Middlehost nameservers, your domain's DNS queries and website traffic no longer route through Cloudflare's infrastructure, avoiding the blocked IP ranges entirely.
Limitation: Nameserver changes help when Cloudflare sits in front of your site. They do not remove ISP-side filtering or shaping of traffic to your hostname or IP on any port, including 80, 443, or cPanel on 2083. For intermittent failures on a Pakistani ISP, follow the section above and open a ticket if you need help confirming the path.
Solution 2: Disable HTTP/3 (QUIC) in Cloudflare
If you prefer to keep using Cloudflare, you can try disabling HTTP/3 (which uses QUIC protocol) in your Cloudflare settings. This has resolved the issue in some cases.
Steps to Disable HTTP/3 (QUIC):
Log in to your Cloudflare Dashboard
Select your account and zone (domain)
Go to Speed in the left sidebar
Click on Settings
Go to Protocol Optimization
For HTTP/3, switch the toggle to Off
Note: This solution may not work for all cases, as the firewall may still block Cloudflare IPs regardless of the protocol used. If disabling HTTP/3 doesn't resolve the issue, we recommend switching to Middlehost nameservers.
How to Verify the Issue
If you're experiencing connection errors, verify that this is the issue by:
Check your ISP: Confirm you're using PTCL or another affected ISP
Check nameservers: Verify your domain is using Cloudflare nameservers
- Use a DNS lookup tool (like nslookup or online tools)
- Check if your nameservers contain "cloudflare" in the domain name
Test from different network: Try accessing the site from a different ISP or mobile data connection
Check error message: Confirm you're seeing one of the errors mentioned above
Geography and intermittency: When the same site or port sometimes works and sometimes does not on one Pakistani ISP, try mobile data, a different ISP in Pakistan, or a short test from outside Pakistan (or a legal off-PK VPN) using the same URL. If behaviour improves away from the original ISP or country path, the bottleneck is likely on the access network, not a steady fault on the server.
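The verification steps above can be turned into a repeatable record for a support ticket. The following is an added example, not Middlehost's own tooling: it repeats a TCP connect and TLS handshake to one host and port, timestamps each attempt, and labels the run healthy, intermittent, or steady failure. The function names, labels, and defaults (20 attempts, 30 seconds apart) are assumptions made for this example.

```python
import socket
import ssl
import time
from collections import Counter

# Checked in order; SSLEOFError must precede its parent class SSLError.
LABELS = [(socket.gaierror, "dns_error"), ((TimeoutError, socket.timeout), "timeout"),
          (ConnectionResetError, "reset"), (ConnectionRefusedError, "refused"),
          (ssl.SSLEOFError, "closed_during_tls"), (ssl.SSLError, "tls_error")]

def classify(exc):
    """Map a connection exception to a coarse label for the ticket."""
    return next((label for kinds, label in LABELS if isinstance(exc, kinds)), "other")

def probe_once(host, port, tls=True, timeout=5.0, connect=socket.create_connection):
    """One attempt; returns (stage, outcome), where stage is 'tcp' or 'tls'."""
    stage = "tcp"
    try:
        with connect((host, port), timeout) as sock:
            if tls:
                stage = "tls"  # TCP connected; a failure from here on is in the handshake
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass  # the handshake completes inside wrap_socket
        return stage, "ok"
    except OSError as exc:
        return stage, classify(exc)

def run_probe(host, port, attempts=20, interval=30.0, **kw):
    """Repeat the probe, keeping a timestamped record of every attempt."""
    records = []
    for i in range(attempts):
        stamp = time.strftime("%Y-%m-%d %H:%M:%S %z")
        records.append((stamp, *probe_once(host, port, **kw)))
        time.sleep(interval if i + 1 < attempts else 0)
    return records

def summarize(records):
    """Count stage:outcome pairs and label the run as a whole."""
    counts = Counter(f"{stage}:{outcome}" for _, stage, outcome in records)
    ok = sum(n for key, n in counts.items() if key.endswith(":ok"))
    verdict = "healthy" if ok == len(records) else "intermittent" if ok else "steady failure"
    return verdict, dict(counts)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python probe.py HOST PORT
        log = run_probe(sys.argv[1], int(sys.argv[2]))
        print(summarize(log), *log, sep="\n")
```

Run it once on the affected connection and once on mobile data or another ISP, against the same host and port, and attach both outputs to the ticket next to the traceroute or MTR.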
When to Contact Support
Contact Middlehost support if:
- You've changed nameservers but are still experiencing issues after 48 hours
- You need help configuring DNS records after switching nameservers
- You're unsure which solution is best for your situation
- You're experiencing different errors not mentioned here
- Any service (including plain websites on 80 or 443, or cPanel and other ports) is randomly slow, timing out, or resetting in a way that comes and goes, and you want help ruling out hosting versus ISP path issues
- You believe Middlehost IPs or ports on your account are affected by the same kind of intermittent filtering described above
For intermittent or IP-related symptoms on a Pakistani ISP, please create a ticket with your ISP name, exact URL or host and port, whether web (80 or 443) or another service failed, approximate times, and a traceroute or MTR from your connection if you can share it. That lets support give guidance tailored to your route and product.
When contacting support, please provide:
- Your domain name
- Current nameservers
- Your ISP name
- Screenshot of the error message
- Results of testing from different networks (if available)
- Which URLs or host:port failed (including HTTPS sites on 443 if relevant), which application (browser, cPanel, webmail, SSH, and so on), and whether the problem is steady or comes and goes
FAQs
Why does the same port or site work one moment and fail the next?
ISP middleboxes and congestion do not behave like a single on or off switch. Classification, load, and peering can change between flows, so you can occasionally see intermittent failures on the same port, including 80, 443, or 2083. That pattern still does not automatically mean your account is broken on the server.
Can my public website on 443 be affected even if I do not use Cloudflare?
Yes. Cloudflare is one common trigger for certain errors, but DPI and related filtering can still affect direct HTTPS to your origin or to Middlehost IPs on Pakistani ISP paths.
Can Middlehost move my site to an IP that is never filtered?
There is no permanent guarantee, because policies and lists change. We can still review your case, confirm whether the symptom matches known path noise, and discuss practical options. Start with a ticket so support sees your exact host, port, and timing.
Does switching to Middlehost nameservers fix slow cPanel or flaky HTTPS?
Not by itself when the problem is general ISP path noise. Nameservers change how DNS is answered and whether visitor traffic goes through Cloudflare. Direct HTTPS to your site or cPanel still crosses the Pakistani ISP, so intermittent shaping there can remain. Use the verification steps and a ticket if you need help telling path issues from hosting issues.
Is this a worldwide Middlehost outage?
No. The pattern described here is tied to Pakistani ISP paths. If monitors or friends outside Pakistan reach your site normally while you see resets only on one local ISP, that is strong evidence the problem is on the access side, not a global platform failure.
What should I attach to the ticket?
Your ISP, the homepage or HTTPS URL if the public site failed, the full cPanel or other service URL, approximate local time when it fails, whether other devices on the same Wi-Fi see the same thing, and traceroute or MTR output to the server if you can run it. That shortens the back-and-forth.
Summary
| Item | Status |
|---|---|
| Server configuration | Not the issue |
| Website code | Not the issue |
| Cloudflare configuration | Not the issue |
| ISP-level DPI firewall | Root cause |
| Automated Cloudflare IP blocking | Common root cause (Cloudflare path) |
| Intermittent DPI or path shaping on Pakistani ISPs (any port, including 80, 443, or 2083) or to some hosting IPs | Possible root cause (Pakistan ISP ecosystem) |
| Switching to Middlehost nameservers | Recommended solution |
| Disabling HTTP/3 (QUIC) in Cloudflare | Alternative solution (may work) |
Additional Notes
For classic Cloudflare browser errors, the fault is usually not your hosting stack. Intermittent slowness or resets on web ports or admin tools from Pakistan can still be path-related, but it should be checked in support so we can confirm it is not a capacity or service issue on our side.
- The problem occurs at the ISP level in Pakistan, specifically with how DPI firewalls are configured
- This is a known issue affecting multiple websites using Cloudflare in Pakistan
- The issue is ISP-specific: the same website works fine on different ISPs
- Using Middlehost nameservers provides a reliable workaround that bypasses the blocked infrastructure
- This article focuses on Pakistan ISP behaviour; the same symptoms from a single office abroad usually need a different checklist (local firewall, DNS, routing)
This situation may change as ISPs adjust their firewall configurations, but for now, using Middlehost nameservers remains the most reliable workaround when Cloudflare is in the path.
Background Information
According to reports, Pakistan has deployed a national internet firewall system (similar to China's Great Firewall) that uses Deep Packet Inspection (DPI) technology to monitor and filter internet traffic. This automated system is designed to block unregistered VPNs, but because Cloudflare's WARP VPN service shares IP ranges with their legitimate hosting/CDN infrastructure, some Cloudflare IPs may be mistakenly blocked by the automated filtering system.
For more information about Pakistan's internet firewall system, you can refer to: Al Jazeera's report on Pakistan's digital firewall