{"id":388,"date":"2026-07-15T17:48:45","date_gmt":"2026-07-15T14:48:45","guid":{"rendered":"https:\/\/mexela.com\/blog\/proxy-troubleshooting-guide"},"modified":"2026-07-16T00:49:46","modified_gmt":"2026-07-15T21:49:46","slug":"proxy-troubleshooting-guide","status":"publish","type":"post","link":"https:\/\/mexela.com\/blog\/proxy-troubleshooting-guide\/","title":{"rendered":"Proxy Not Working? A Step-by-Step Troubleshooting Guide"},"content":{"rendered":"<p>When the problem is simply reported as proxy not working, structured proxy troubleshooting separates a proxy connection error, proxy authentication failed response, proxy DNS error, and proxy timeout before you test proxy settings again.<\/p>\n<p class=\"mexela-answer\">When a proxy is not working, test one layer at a time: confirm the host, port, and protocol; resolve DNS; test TCP reachability; verify the proxy handshake and authentication; make one HTTPS request; then compare the failing destination and application. Record the exact error and avoid changing credentials, protocol, and endpoint simultaneously.<\/p>\n<p>Proxy failed is not a useful diagnosis. A timeout, connection refusal, HTTP 407, TLS certificate error, destination 403, and empty parsed result come from different layers. The fastest fix comes from preserving the original signal and reducing variables.<\/p>\n<h2>Step 1: confirm the configuration you were given<\/h2>\n<p>Compare the application settings with the provider&#8217;s current allocation. Check every character in the host, numeric port, protocol, username, and plan or session suffix. Confirm whether authentication uses credentials or source-IP approval. If the public client IP changed, an old allowlist can reject a correct endpoint.<\/p>\n<p>Make sure the client field expects the same format you entered. Some applications want separate host, port, username, and password fields. Others accept a URL. Reserved password characters may need encoding in a URL but not in a dedicated password field. Review <a href=\"\/blog\/proxy-authentication-methods\/\">authentication methods<\/a> before rotating a credential that may be valid.<\/p>\n<h2>Step 2: test DNS and TCP reachability<\/h2>\n<p>If the proxy uses a hostname, resolve it from the failing machine. A DNS error happens before authentication. Then test whether the TCP port is reachable. A timeout can indicate a firewall, route, provider outage, or silent filtering. A refusal means a host responded but no service accepted that port, or a firewall rejected it explicitly.<\/p>\n<p>Compare from another approved network only if the service terms permit it. If one network reaches the endpoint and another does not, inspect local firewall, corporate policy, ISP routing, VPN, and source-IP restrictions. Do not assume the provider is down because one client cannot reach it.<\/p>\n<h2>Step 3: verify protocol and handshake<\/h2>\n<p>An HTTP client starts differently from a SOCKS5 client. Pointing an HTTP request at a SOCKS port can produce immediate disconnects, invalid response messages, or apparent authentication failures. Confirm the endpoint mapping and select the exact scheme. Read <a href=\"\/blog\/http-vs-socks5-proxies\/\">HTTP versus SOCKS5<\/a> if the application labels are unclear.<\/p>\n<p>Test with a known client such as curl before debugging a complex application. For an HTTP proxy, request headers from a simple HTTPS site through the endpoint. For SOCKS5 with remote DNS, use the client&#8217;s hostname-resolution mode. Keep passwords out of command history.<\/p>\n<h2>Step 4: interpret authentication errors<\/h2>\n<figure class=\"wp-block-table\">\n<table>\n<thead>\n<tr>\n<th>Signal<\/th>\n<th>Likely layer<\/th>\n<th>Useful next action<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>HTTP 407<\/td>\n<td>Proxy authentication<\/td>\n<td>Verify method, username, password, and encoding<\/td>\n<\/tr>\n<tr>\n<td>SOCKS authentication rejected<\/td>\n<td>SOCKS handshake<\/td>\n<td>Confirm SOCKS version and assigned credentials<\/td>\n<\/tr>\n<tr>\n<td>HTTP 401<\/td>\n<td>Destination authentication<\/td>\n<td>Check destination account or token, not proxy password<\/td>\n<\/tr>\n<tr>\n<td>Immediate timeout<\/td>\n<td>Network or firewall<\/td>\n<td>Test DNS and TCP before credentials<\/td>\n<\/tr>\n<tr>\n<td>Works only from one network<\/td>\n<td>Allowlist or route<\/td>\n<td>Compare public source IP and firewall policy<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Clear old cached credentials after changing them. Browsers and system services may retain a rejected password. Test in a fresh browser profile or a command-line client with explicit settings. If IP whitelisting is used, confirm the public egress seen by the provider rather than a private device address.<\/p>\n<h2>Step 5: test one neutral HTTPS destination<\/h2>\n<p>Use a simple, trusted destination that permits the request. A successful HTTPS response proves more than an IP-echo page alone because it exercises CONNECT or SOCKS, TLS, certificate validation, and HTTP. Then test a trusted IP-echo service to confirm the expected egress address.<\/p>\n<p>Do not disable certificate validation as a routine fix. A certificate name, chain, or interception problem deserves investigation. Check system time, certificate store, destination hostname, and whether a corporate inspection proxy is involved. The proxy route should not require accepting an unrelated certificate for the destination.<\/p>\n<h2>Step 6: separate proxy health from destination policy<\/h2>\n<p>If the neutral destination works but one website returns 403, 429, a challenge, or a policy page, the proxy connection itself is functioning. The destination may restrict the network, request pattern, account, location, or automation. Respect the response and review rules. Changing addresses to evade the signal is not troubleshooting.<\/p>\n<p>Compare a direct connection only when policy and test design permit it. Record status, response headers, body category, timestamp, endpoint, and request rate. A provider can investigate more effectively with concrete evidence than with a statement that the proxy does not work.<\/p>\n<h2>Step 7: check DNS behavior<\/h2>\n<p>The application may resolve destination names locally or ask the proxy to resolve them. Local DNS can return a region-specific address or fail behind a restricted resolver. SOCKS5 hostname mode and HTTP hostnames can support remote resolution when implemented. Verify with a controlled test rather than assuming the setting.<\/p>\n<p>DNS issues often appear destination-specific because cached records, IPv6 preference, split DNS, or stale resolvers affect only some names. Clear caches cautiously, compare authoritative results, and avoid hard-coding an IP for HTTPS because certificates and virtual hosting depend on the hostname.<\/p>\n<h2>Step 8: inspect application-specific behavior<\/h2>\n<p>A browser may use operating-system settings while a script uses environment variables and a service ignores both. Some clients proxy HTTP but connect directly for DNS, WebRTC, QUIC, or plugins. Confirm the application&#8217;s documentation and observe actual connections when route coverage matters. The <a href=\"\/blog\/how-to-configure-a-proxy\/\">cross-platform setup guide<\/a> explains configuration scope.<\/p>\n<p>Reduce the failing application to a minimal request. Disable unrelated plugins, retries, parallelism, and custom parsers. If curl works with the same endpoint but the application fails, compare protocol support, certificate store, credential encoding, environment, and timeout settings.<\/p>\n<h2>Step 9: diagnose latency and intermittent failures<\/h2>\n<p>Measure DNS time, connect time, TLS time, time to first byte, and total duration. Compare several requests and report percentiles, not only averages. Intermittent errors can come from endpoint load, route changes, destination throttling, connection reuse, stale DNS, or application concurrency.<\/p>\n<p>Use bounded retries with exponential backoff. Retry only transient operations and preserve idempotency. A failed purchase, form submission, or state-changing API call should not be repeated blindly. For rotating pools, log the session and observed egress so one unhealthy member can be isolated.<\/p>\n<h2>Step 10: prepare useful provider evidence<\/h2>\n<ul>\n<li>Endpoint hostname or masked IP and port, without posting credentials publicly.<\/li>\n<li>Protocol and authentication method.<\/li>\n<li>UTC timestamp and client public IP where appropriate.<\/li>\n<li>Exact error message, status code, and relevant sanitized headers.<\/li>\n<li>Whether a neutral HTTPS destination works.<\/li>\n<li>Whether the problem occurs from another approved network.<\/li>\n<li>Minimal reproducible client command with secrets removed.<\/li>\n<\/ul>\n<p>Mexela provides support for its listed <a href=\"https:\/\/mexela.com\/cart.php?gid=3\">private proxy plans<\/a>. Supplying layered results helps support distinguish an endpoint problem from client configuration or destination policy without exposing the password.<\/p>\n<h2>Quick decision tree<\/h2>\n<ol>\n<li><strong>Cannot resolve proxy host:<\/strong> fix client DNS or use the correct host.<\/li>\n<li><strong>Cannot open proxy port:<\/strong> inspect firewall, route, port, and provider health.<\/li>\n<li><strong>Handshake fails:<\/strong> match HTTP or SOCKS protocol.<\/li>\n<li><strong>Authentication fails:<\/strong> verify credential or public allowlist source.<\/li>\n<li><strong>Neutral HTTPS fails:<\/strong> inspect TLS and proxy service.<\/li>\n<li><strong>Only one destination fails:<\/strong> review destination response and policy.<\/li>\n<li><strong>Only one application fails:<\/strong> compare its proxy scope and implementation.<\/li>\n<li><strong>Intermittent failure:<\/strong> measure timing, load, retries, and endpoint identity.<\/li>\n<\/ol>\n<h2>Summary<\/h2>\n<p>Diagnose proxies from the bottom up. Correct configuration comes first, followed by DNS, TCP, protocol, authentication, TLS, HTTP, destination policy, and application behavior. One controlled test at each layer produces a useful answer faster than changing several settings or rotating endpoints at random.<\/p>\n<h2>Frequently asked questions<\/h2>\n<div class=\"mexela-faq\">\n<h3>Why does my proxy time out?<\/h3>\n<p>A timeout usually points to DNS, routing, firewall, an unreachable host or port, silent filtering, or severe congestion before credentials are evaluated.<\/p>\n<h3>What is a 407 proxy error?<\/h3>\n<p>It means the proxy requires authentication or did not accept the credentials or method sent by the client.<\/p>\n<h3>Why does the proxy work on one site but not another?<\/h3>\n<p>The destination may apply different policies, locations, rate limits, TLS behavior, or account controls even though the proxy connection is healthy.<\/p>\n<h3>Why does curl work while my application fails?<\/h3>\n<p>The application may use another protocol, ignore the system setting, encode credentials differently, use another certificate store, or apply shorter timeouts.<\/p>\n<h3>Should I disable TLS certificate verification?<\/h3>\n<p>No. Investigate time, hostname, certificate chain, trust store, and inspection behavior instead of hiding a security failure.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Diagnose proxy failures layer by layer: configuration, DNS, TCP, protocol, authentication, TLS, destination response, and application behavior.<\/p>\n","protected":false},"author":1,"featured_media":387,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[50],"tags":[109,108,110,106,111,107,112],"_links":{"self":[{"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/posts\/388"}],"collection":[{"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":2,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"predecessor-version":[{"id":408,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/posts\/388\/revisions\/408"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/media\/387"}],"wp:attachment":[{"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mexela.com\/blog\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}