How-To: Troubleshooting Scanner Connection Issues

Last updated: June 5, 2026

Introduction

If your scanner is failing to connect to its target or scans are getting canceled, it is typically due to environment-level restrictions such as firewalls, inadequate resource allocation, or improperly configured scope URLs. Following these steps will help you identify and resolve the most common connectivity problems.

Prerequisites

  • Access to your application's firewall, WAF, or security system settings to add IP allowlist entries.

  • Admin-level access to any third-party security tools in use (Cloudflare, Vercel, Auth0, etc.).

  • Access to your Astra dashboard to use the Test Connectivity feature.

Instructions

Step 1: Whitelist Astra's Static IP Ranges

The most frequent cause of connection failure is a firewall, Web Application Firewall (WAF), or security system blocking the scanner's requests. Add all of Astra's official static IP addresses to your allow-list in your application firewall, login system, and MFA tools.

For the full and most up-to-date list, refer to Astra IP Ranges.

Step 2: Validate Scope and Application Health

Ensure the target application is stable and the URLs configured in your scope are correct.

  • Verify Scope URLs: Confirm that the configured URLs do not return errors such as 403 Forbidden, 404 Not Found, or 5xx Server Errors.

  • Check Resource Allocation: Ensure the web asset has sufficient CPU and RAM to handle automated scanning traffic without overloading or becoming unstable.

  • Avoid Default Pages: Ensure the asset is not displaying default server pages (e.g., Nginx or Apache landing pages), as these can interfere with the crawler's ability to map the site.

  • Check Restricted Access: Verify that your web asset does not have restrictions that block automated scanning and that your configurations comply with the recommended access setup. Refer to How to Scan Applications with Restricted Access.

Step 3: Handle Third Party Security Providers

Popular hosting and security platforms have specific features that may block automated traffic.

  • Cloudflare: If the web asset is protected by Cloudflare, allowlist Astra IP ranges to ensure features like Super Bot Fight Mode do not block scanner requests.

  • Vercel: If your site is hosted on Vercel, set up System Bypass Rules using Astra's IP ranges to prevent the Vercel firewall from blocking requests.

  • CAPTCHA / Auth0: For applications protected by Google reCAPTCHA or Auth0 Bot Detection, exempt Astra's scanner IPs from these challenges to ensure the scanner can access all parts of the application.

Step 4: Verify the Connection in the Dashboard

Test the connection manually before starting a full scan.

  • Test Connectivity Tool: Use the "Test Connectivity" feature found in the Scope section of your target's settings page.

  • Run a Test Scan: Initiate a high-level scan on the asset to confirm the scanner can reach it successfully.

Expected Outcome

Once these steps are completed, the "Connectivity Check" stage of your scan should mark as successful with a checkmark. The scanner will then be able to proceed to the crawling and vulnerability assessment phases without interruption.

Related Tasks

  • Login Issues: If the connection is successful but authentication fails, refer to the guide on Fixing Scan Behind Login errors.

  • Support: If the scanner remains stuck despite whitelisting, raise a support ticket via the dashboard widget or email help@getastra.com with your audit ID and screenshots of the error.