Contributor
•
27 Messages
Cloudflare Anycast IPs being blocked by Comcast ASBR
I've already attempted to report this issue via Assistant/chat and over a voice call, but I am apparently gaining zero traction or not getting to the correct level of support. During the voice call to support, the representative said to give it 4 to 6 hours and it should be resolved. I didn't have much hope in the statement considering the first thing the person did was restart my modem...
First of all, this is not a home network issue; it's at least 8 hops away from my home network. Using a VPN from my home network is not blocked. I also proved that using VZW home internet is not blocked. Obviously true since the traffic is taking the same route to the site. I also forced a home IP change to prove out it's not just my IP - CF dashboards would reveal that if that was the case anyway.
Issue: I have a site hosted in another cloud provider and use Cloudflare services to front it. Cloudflare places Anycast IPs in front of sites for protection and to improve performance. In my mind these are essentially like a reverse proxy where there are several 100s, 1000s? of sites behind the pair of IPs. These IPs were working prior to 19-March - ever since then, reaching a site behind them just times out.
I have not received any statement that these are blocked by reputation; I have checked with SPA and they reported no blocks. These are Cloudflare Anycast IPs and are used by many CF customers, not a dedicated resource. Plus there is no way to force a site to use a different set of IPs w/o an enterprise plan.
Based upon tracing, it's quite clear that there is a border router that is causing the issue in Roseville MN - identified by asbrXX. Perhaps it only impacts Twin Cities Comcast subscribers? TBD as I don't have a means to test from a different Comcast household.
Suspicion that both 172.67.165.172 and 104.21.11.83 are being blocked / null-routed and must be a /32 block rule as other anycast IPs in the same CIDR range are open.
https://www.cloudflare.com/ips/ as you can see these IP ranges are quite large - I have scanned 10 to 20 surrounding the non working ones and confirmed surrounding IPs work (see below).
172.64.0.0/13 --> 172.64.0.1 - 172.71.255.254
104.16.0.0/13 --> 104.16.0.1 - 104.23.255.254
Running mtr -w -c 10 -i 1 -4 172.67.165.172:
Start: 2026-03-26T18:02:21-0500
HOST: router Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.27.32.2 0.0% 10 8.0 9.2 8.0 10.8 0.8
2.|-- po-309-351-rur201.maplegrove.mn.minn.comcast.net 0.0% 10 9.9 10.9 8.7 16.0 2.3
3.|-- bundle-2019-tcr04.maplegrove.mn.minn.comcast.net 0.0% 10 11.8 12.2 9.8 15.0 1.8
4.|-- 68.85.201.121 0.0% 10 9.4 11.0 9.4 12.6 1.1
5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net 0.0% 10 11.3 11.4 9.4 13.0 1.1
6.|-- bundle-2100-tcr01.roseville.mn.minn.comcast.net 0.0% 10 8.9 11.4 8.9 15.2 1.9
7.|-- bundle-2068-asbr02.roseville.mn.minn.comcast.net 0.0% 10 11.6 10.3 9.1 11.7 1.0
8.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
small range test, only .172 fails
for i in {165..180}; do
  if ! ping -q -c 1 -W 1 172.67.165.$i > /dev/null; then
    echo -e "\nFAILED: 172.67.165.$i"
    ping -q -c 1 172.67.165.$i
  fi
done
FAILED: 172.67.165.172
PING 172.67.165.172 (172.67.165.172) 56(84) bytes of data.
--- 172.67.165.172 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Running mtr -w -c 10 -i 1 -4 104.21.11.83:
Start: 2026-03-26T18:04:04-0500
HOST: router Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.27.32.3 0.0% 10 10.5 12.8 9.7 17.3 2.7
2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net 0.0% 10 12.2 12.2 10.1 19.5 2.8
3.|-- bundle-2022-tcr03.maplegrove.mn.minn.comcast.net 0.0% 10 14.0 13.6 11.4 17.8 2.0
4.|-- 68.85.201.117 0.0% 10 13.5 14.4 11.8 21.0 3.1
5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net 0.0% 10 11.0 13.8 10.9 22.4 3.9
6.|-- bundle-2102-tcr03.roseville.mn.minn.comcast.net 0.0% 10 10.8 12.3 10.8 14.8 1.4
7.|-- bundle-2066-asbr01.roseville.mn.minn.comcast.net 0.0% 10 10.9 12.7 9.9 15.9 2.0
8.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
small range test, only .83 fails
for i in {75..85}; do
  if ! ping -q -c 1 -W 1 104.21.11.$i > /dev/null; then
    echo -e "\nFAILED: 104.21.11.$i"
    ping -q -c 1 104.21.11.$i
  fi
done
FAILED: 104.21.11.83
PING 104.21.11.83 (104.21.11.83) 56(84) bytes of data.
--- 104.21.11.83 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Example of a site with working CF anycast IPs in the same Anycast IP CIDR
Running mtr -w -c 10 -i 1 -4 172.67.133.25:
Start: 2026-03-26T18:05:39-0500
HOST: router Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.27.32.3 0.0% 10 9.5 9.9 8.1 14.4 1.9
2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net 0.0% 10 12.3 12.7 8.6 20.9 4.2
3.|-- bundle-2021-tcr02.maplegrove.mn.minn.comcast.net 0.0% 10 9.5 11.8 9.5 18.1 2.6
4.|-- 68.85.201.113 0.0% 10 14.7 12.9 9.7 20.9 3.5
5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net 0.0% 10 13.3 13.4 8.8 19.1 3.1
6.|-- bundle-2102-tcr03.roseville.mn.minn.comcast.net 0.0% 10 12.2 12.6 9.3 16.3 2.4
7.|-- bundle-2066-asbr01.roseville.mn.minn.comcast.net 0.0% 10 9.4 12.4 9.4 17.2 2.6
8.|-- be-1001-ar-sp01.roseville.mn.minn.comcast.net 0.0% 10 10.8 12.7 10.0 20.3 3.1
9.|-- be-2101-ar-ex01.roseville.mn.minn.comcast.net 0.0% 10 13.4 13.7 10.1 16.9 2.5
10.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
11.|-- 172.67.133.25 0.0% 10 12.0 13.5 9.7 18.7 3.1
Running mtr -w -c 10 -i 1 -4 104.21.16.168:
Start: 2026-03-26T18:06:48-0500
HOST: router Loss% Snt Last Avg Best Wrst StDev
1.|-- 10.27.32.3 0.0% 10 9.7 12.4 8.0 19.3 3.3
2.|-- po-309-352-rur202.maplegrove.mn.minn.comcast.net 0.0% 10 14.2 13.7 10.4 16.6 2.3
3.|-- bundle-2021-tcr02.maplegrove.mn.minn.comcast.net 0.0% 10 15.9 12.1 10.0 15.9 1.9
4.|-- 68.85.201.113 0.0% 10 14.5 14.0 10.9 16.9 2.1
5.|-- bundle-3061-ccr201.roseville.mn.minn.comcast.net 0.0% 10 10.9 15.1 10.9 27.1 5.2
6.|-- bundle-2103-tcr04.roseville.mn.minn.comcast.net 0.0% 10 14.6 14.4 10.7 18.4 2.7
7.|-- bundle-2079-asbr04.roseville.mn.minn.comcast.net 0.0% 10 10.8 15.8 10.8 19.0 2.8
8.|-- be-1004-ar-sp04.roseville.mn.minn.comcast.net 20.0% 10 12.9 13.0 9.9 15.9 1.9
9.|-- be-2401-ar-ex01.roseville.mn.minn.comcast.net 0.0% 10 17.0 16.8 12.8 22.7 3.0
10.|-- ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
11.|-- 104.21.16.168 0.0% 10 18.1 15.8 12.2 21.2 3.0
As you can see the last two tests successfully make it to their destination without timing out.
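An added example, not part of the original post: a small Python parser for the `mtr -w` report format shown above that separates a silent intermediate hop (hop 10 in the working traces) from a trace that never reaches its target. The trace excerpts are copied from the post; `parse_mtr` and `classify` are names chosen for this example, and it assumes the target appears by IP in the final hop line, as it does in the post's output.

```python
import ipaddress
import re

# Cloudflare ranges quoted in the post (a subset of https://www.cloudflare.com/ips/).
CF_RANGES = [ipaddress.ip_network(n) for n in ("172.64.0.0/13", "104.16.0.0/13")]

# One hop line of `mtr -w` report output: "7.|-- host  0.0%  10 ..."
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+(\d+(?:\.\d+)?)%?\s+\d+\s")

# Excerpts of two traces from the post (only the last hops are kept here).
FAILING = """\
  6.|-- bundle-2100-tcr01.roseville.mn.minn.comcast.net  0.0% 10  8.9 11.4  8.9 15.2 1.9
  7.|-- bundle-2068-asbr02.roseville.mn.minn.comcast.net 0.0% 10 11.6 10.3  9.1 11.7 1.0
  8.|-- ???                                              100.0 10  0.0  0.0  0.0  0.0 0.0
"""
WORKING = """\
  9.|-- be-2101-ar-ex01.roseville.mn.minn.comcast.net 0.0% 10 13.4 13.7 10.1 16.9 2.5
 10.|-- ???                                           100.0 10  0.0  0.0  0.0  0.0 0.0
 11.|-- 172.67.133.25                                 0.0% 10 12.0 13.5  9.7 18.7 3.1
"""

def parse_mtr(report):
    """Return a list of (hop_number, host, loss_percent) tuples."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), float(m.group(3))))
    return hops

def classify(report, target):
    """Summarise one trace: was the target reached, and which hop answered last?"""
    hops = parse_mtr(report)
    answered = [h for h in hops if h[1] != "???" and h[2] < 100.0]
    last = answered[-1] if answered else None
    return {
        "target": target,
        "in_cf_range": any(ipaddress.ip_address(target) in n for n in CF_RANGES),
        # A silent hop mid-path is not a block; the trace counts as dropped
        # only when the final answering hop is something other than the target.
        "reached": last is not None and last[1] == target,
        "last_hop": last[1] if last else None,
    }

if __name__ == "__main__":
    for report, ip in ((FAILING, "172.67.165.172"), (WORKING, "172.67.133.25")):
        print(classify(report, ip))
```

Feeding it full reports for several targets gives a per-target record of the last hop that answered, which is the evidence a provider's network team needs to locate a drop.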




BruceW
Gold Problem Solver
•
27.2K Messages
5 days ago
Comcast/Xfinity appears to be blocking both of those IPs. Their Customer Security Assurance group may be able to help you with this. Contact info is at https://spa.xfinity.com/contact-us.
1
0
BruceW
Gold Problem Solver
•
27.2K Messages
4 days ago
Sorry to hear that. Sounds like another CSA FAIL.
Have you tried https://spa.xfinity.com/report?
1
0
BruceW
Gold Problem Solver
•
27.2K Messages
4 days ago
That's nuts. It hardly matters if "there is no xFi Advanced Security block" if their routers are blocking an IP address. CSA controls IP blocking, and CSA should fix this, or explain why they don't want to unblock those IPs.
0
XfinityAbby
Official Employee
•
756 Messages
4 days ago
Hello @lnxfrk, thank you for reaching out on our community forum. Since you did already try what @BruceW suggested as well as trying tickets with CSA, we would love to assist you further.
Please send us a direct message with your full name and service address so that we can assist you further. To do so, click on the chat icon located at the top right of this forum's page. Here are the detailed steps to direct message us:
1
0
EG
Expert
•
117.1K Messages
4 days ago
@lnxfrk @XfinityAbby
Please circle back here and post any possible solutions for the issue here in these open public forums so that all readers here may benefit from the exchange / info. This is in keeping with the spirit for which these public help forums were originally intended. Thank you.
0
lnxfrk
Contributor
•
27 Messages
4 hours ago
Just to keep the thread up to date. It was suggested for me to call CSA again to report the issue. The first person I contacted at CSA said that wasn't something they can normally help with but then redirected my call to a Tier 2 person for internet support. The person from internet support seemed to understand the problem and gathered some additional information from me such as what site I was being blocked from as well as the IP address currently assigned to my home. A ticket was logged and I was told to expect a call within 48 hours or so. It's currently past the 48 hours but that's fine. I have confirmed the site (or the two IPs) are still being blocked / null routed.
0
0