Connection Errors in Pakistan: ERR_QUIC_PROTOCOL, Connection Reset, and Cloudflare Issues
Applies to
- Users experiencing connection errors:
  - Chrome: ERR_QUIC_PROTOCOL
  - Firefox: PR_CONNECT_RESET_ERROR
  - General: Connection was reset, Secure Connection Failed, ERR_CONNECTION_RESET
- Users located in Pakistan
- Domains using Cloudflare nameservers
- Users on specific ISPs, particularly PTCL
- Site works fine on other ISPs in Pakistan
Overview
Some clients in Pakistan are experiencing connection errors when accessing websites that use Cloudflare. These errors include ERR_QUIC_PROTOCOL, PR_CONNECT_RESET_ERROR, Connection was reset, Secure Connection Failed, and ERR_CONNECTION_RESET.
After thorough investigation, we've determined that this issue is primarily affecting users on specific ISPs in Pakistan (most commonly PTCL) and occurs specifically when websites are using Cloudflare nameservers.
Why this happens
The root cause of these connection errors is related to Pakistan's Deep Packet Inspection (DPI) firewall system deployed by ISPs. This automated system monitors and filters internet traffic.
Technical Explanation
DPI Firewall Deployment: Pakistan has deployed a national internet firewall system (similar to China's Great Firewall) that monitors and filters internet traffic at the ISP level.
VPN Blocking: The firewall is configured to block unregistered VPNs. Cloudflare's WARP VPN service shares the same IP address ranges as Cloudflare's hosting/CDN infrastructure.
IP Blocking: The automated firewall system may mistakenly block Cloudflare IPs because it cannot distinguish between Cloudflare's VPN service (WARP) and their legitimate hosting/CDN services.
Connection Reset: When requests reach Cloudflare's IPs but the response is blocked by the firewall, users experience connection resets and various browser error messages.
Important: This is an ISP-level issue, not a problem with your hosting server or website configuration. The request successfully reaches Cloudflare's infrastructure, but the response is blocked before it reaches the user.
ISP-Specific Issue
This problem is ISP-specific in Pakistan:
- Most commonly reported: PTCL (Pakistan Telecommunication Company Limited)
- Other ISPs: May also be affected depending on their firewall configuration
- Testing confirms: The same website works fine when accessed from different ISPs in Pakistan
This confirms that the issue is related to how individual ISPs have configured their DPI firewall systems, rather than a nationwide block.
Solutions
Solution 1: Use Middlehost Nameservers (Recommended)
The most reliable solution is to switch from Cloudflare nameservers to Middlehost nameservers. This completely bypasses the Cloudflare infrastructure that's being blocked by the firewall.
Steps to Change Nameservers:
1. Log in to your domain registrar's control panel
2. Navigate to DNS management or nameserver settings
3. Change your nameservers to:
   - ns1.middlehost.com
   - ns2.middlehost.com
   - ns3.middlehost.com
   - ns4.middlehost.com
4. Save the changes
5. Wait for DNS propagation (usually 24-48 hours, but can be faster)
Note: After changing nameservers, you'll need to configure your DNS records (A, AAAA, CNAME, MX, etc.) in your Middlehost cPanel or hosting control panel.
Why this works: By using Middlehost nameservers, your domain's DNS queries and website traffic no longer route through Cloudflare's infrastructure, avoiding the blocked IP ranges entirely.
Solution 2: Disable HTTP/3 (QUIC) in Cloudflare
If you prefer to keep using Cloudflare, you can try disabling HTTP/3 (which uses QUIC protocol) in your Cloudflare settings. This has resolved the issue in some cases.
Steps to Disable HTTP/3 (QUIC):
1. Log in to your Cloudflare Dashboard
2. Select your account and zone (domain)
3. Go to Speed in the left sidebar
4. Click on Settings
5. Go to Protocol Optimization
6. For HTTP/3, switch the toggle to Off
Note: This solution may not work for all cases, as the firewall may still block Cloudflare IPs regardless of the protocol used. If disabling HTTP/3 doesn't resolve the issue, we recommend switching to Middlehost nameservers.
How to Verify the Issue
If you're experiencing connection errors, verify that this is the issue by:
1. Check your ISP: Confirm you're using PTCL or another affected ISP
2. Check nameservers: Verify your domain is using Cloudflare nameservers
   - Use a DNS lookup tool (like nslookup or online tools)
   - Check if your nameservers contain "cloudflare" in the domain name
3. Test from different network: Try accessing the site from a different ISP or mobile data connection
4. Check error message: Confirm you're seeing one of the errors mentioned above
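The nameserver check above can be scripted. The following is an added example, not Middlehost or Cloudflare tooling: it parses `nslookup -type=ns` output and reports whether the delegation is Cloudflare's. The function names, the sample output (example.com, 192.0.2.53, the two `*.ns.cloudflare.com` hosts) and the stricter "ends in cloudflare.com" match are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify a domain's nameservers from nslookup output.

# Pull nameserver hostnames out of `nslookup -type=ns` output read from stdin.
parse_ns() {
    awk -F'nameserver = ' '/nameserver = / {
        h = tolower($2)
        gsub(/[ \t\r]/, "", h)   # strip stray whitespace and CR (Windows output)
        sub(/\.$/, "", h)        # drop the trailing root dot
        print h
    }'
}

# Classify nameservers (one per line on stdin).
# Prints: cloudflare | other | mixed | none
classify_ns() {
    awk 'NF == 0 { next }
         /(^|\.)cloudflare\.com$/ { cf++; next }
         { other++ }
         END {
             if (cf + other == 0) print "none"        # lookup returned nothing
             else if (other == 0) print "cloudflare"  # matches this article
             else if (cf == 0)    print "other"       # already switched away
             else                 print "mixed"       # delegation lists both
         }'
}

# Live lookup, e.g.: check_domain example.com
check_domain() {
    nslookup -type=ns "$1" 2>/dev/null | parse_ns | classify_ns
}

# Constructed sample of nslookup output for a Cloudflare-delegated domain.
sample_cloudflare() {
    cat <<'EOF'
Server:		192.0.2.53
Address:	192.0.2.53#53

Non-authoritative answer:
example.com	nameserver = lara.ns.cloudflare.com.
example.com	nameserver = Greg.NS.Cloudflare.com.
EOF
}

# Constructed sample after switching to the nameservers listed in Solution 1.
sample_switched() {
    printf 'example.com\tnameserver = ns1.middlehost.com.\nexample.com\tnameserver = ns2.middlehost.com.\n'
}

echo "sample (Cloudflare): $(sample_cloudflare | parse_ns | classify_ns)"
echo "sample (switched):   $(sample_switched | parse_ns | classify_ns)"
```

Run `check_domain yourdomain.com` from both the affected connection and a second network; the nameserver result should be the same on both, while only the affected ISP shows the browser errors.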
When to Contact Support
Contact Middlehost support if:
- You've changed nameservers but are still experiencing issues after 48 hours
- You need help configuring DNS records after switching nameservers
- You're unsure which solution is best for your situation
- You're experiencing different errors not mentioned here
When contacting support, please provide:
- Your domain name
- Current nameservers
- Your ISP name
- Screenshot of the error message
- Results of testing from different networks (if available)
Summary
| Item | Status |
|---|---|
| Server configuration | Not the issue |
| Website code | Not the issue |
| Cloudflare configuration | Not the issue |
| ISP-level DPI firewall | Root cause |
| Automated Cloudflare IP blocking | Root cause |
| Switching to Middlehost nameservers | Recommended solution |
| Disabling HTTP/3 (QUIC) in Cloudflare | Alternative solution (may work) |
Additional Notes
- This issue is not related to your hosting server or website configuration
- The problem occurs at the ISP level in Pakistan, specifically with how DPI firewalls are configured
- This is a known issue affecting multiple websites using Cloudflare in Pakistan
- The issue is ISP-specific - the same website works fine on different ISPs
- Using Middlehost nameservers provides a reliable workaround that bypasses the blocked infrastructure
- This situation may change as ISPs adjust their firewall configurations, but for now, using Middlehost nameservers is the most reliable solution
Background Information
According to reports, Pakistan has deployed a national internet firewall system (similar to China's Great Firewall) that uses Deep Packet Inspection (DPI) technology to monitor and filter internet traffic. This automated system is designed to block unregistered VPNs, but because Cloudflare's WARP VPN service shares IP ranges with their legitimate hosting/CDN infrastructure, some Cloudflare IPs may be mistakenly blocked by the automated filtering system.
For more information about Pakistan's internet firewall system, you can refer to: Al Jazeera's report on Pakistan's digital firewall