ProxioDocs
Troubleshooting & FAQ

Error & Response Code Reference

What every error means and how to fix it, covering Error 407 Proxy Authentication Required, 502/503/504 gateway failures, connection timeouts, plus target-site 403, 429 and CAPTCHA responses.

The first question with any proxy error is which side it came from. Errors from the Proxio gateway are about your connection to Proxio. Everything else you see (403, 429, CAPTCHAs) is the destination site's response, delivered back to you through the tunnel. Use the two tables below to tell them apart and act.

Errors from the Proxio gateway

These are the codes the gateway itself emits (over HTTP; for SOCKS5 see the note below the table). Gateway error responses carry a Proxy-Agent: proxio-pop header, which is a quick way to confirm the answer came from Proxio and not the target.

CodeWhat it meansHow to fix
407 Proxy Authentication RequiredThe gateway rejected or never received your credentials: wrong username/password, an unparseable username, or a passwordless connection from an IP that has no IP-auth binding.Re-copy your username and password (no whitespace). Using IP-allowlist auth? Confirm your current public IP is still whitelisted on that credential. Confirm the credential was not deleted or rotated. See Connection & Authentication.
402 Quota Exceeded / Package ExpiredYour package's data quota is used up, or the package itself has expired.Check remaining quota in Usage Statistics, then top up and buy more GB, renew the package, or raise the credential's own quota cap if you set one.
403 Source IP Not AllowedThe credential has a source-IP allowlist and your current IP is not on it.Add your IP to the credential's allowed list, or connect from an allowed IP. Note your public IP may have changed since you set the list.
403 Destination Not Allowed / ForbiddenThe destination is blocked: by a blocklist rule on your own credential (these responses carry an X-Proxio-Blocked: customer-rule header), or by platform-level restrictions.If it is your own rule, edit the credential's Blocked destinations tab. Otherwise the target is restricted; see Acceptable Use.
429 Too Many ConnectionsYou hit the per-credential concurrency cap (2,000 parallel connections).Lower your client's concurrency, or spread the job across multiple credentials: each one gets its own 2,000-connection budget.
502 Upstream Connect Failed / Upstream UnavailableThe gateway could not establish the outbound connection for this request.Connection-level failure. On smart rotation these retry automatically; otherwise just resend, since a different exit usually succeeds. See the note below.
503 Auth Backend UnreachableThe gateway could not verify credentials against the platform right now.Temporary. Wait a few seconds and retry; if it persists for minutes, open a ticket.
Connection refused / timed out to geo.proxio.cc:16666Your client never reached the gateway.Your network or firewall is blocking outbound port 16666 (common on corporate and campus networks). Retest on another network with the verbose self-test on the Start Here page. If it fails everywhere, open a ticket. Also note the gateway drops clients that take longer than 10 seconds to complete the proxy handshake.

Two quirks worth knowing

The gateway's 407 does not include a Proxy-Authenticate challenge header, so always send credentials proactively in the proxy URL instead of waiting to be challenged (every example in these docs already does this). And over SOCKS5, most of the failures above collapse into a single generic reply (connection refused, code 0x05): if you need to tell quota from auth from blocking apart, test the same request over HTTP first.

What smart retry does

On smart rotation, Proxio automatically retries connection-level failures (TCP dial errors, CONNECT timeouts, and 502/503/504) up to 5 attempts, taking a fresh IP on each attempt when retryrotate is on (the default). Retried attempts transfer no data and never count against your quota. Content errors like 403 are never retried. On auto or sticky rotation without retry, just resend the request yourself.

Errors from the target website (NOT the proxy)

Proxio is an L4 passthrough that never terminates or inspects your TLS traffic. Any status code that comes back through the tunnel is the destination's response. Treat these as the site's anti-bot behavior and rotate.

CodeWhat it meansHow to fix
403 ForbiddenThe destination refused this exit IP: an IP-level ban or geo-block. Not a Proxio error, and not retried by smart retry.Rotate to a fresh IP: start a new sessid, or switch the credential to auto mode for a new IP per request. Narrow your geo to the region the site expects.
429 Too Many RequestsThe target is rate-limiting you.Slow down and add backoff. Spread requests across several sticky sessions or IPs instead of hammering one.
CAPTCHA / challenge pageThe site is challenging the request (bot detection), often returned with a 200 or a 403.Rotate the IP, narrow your geo targeting, and send browser-like headers such as User-Agent and Accept-Language. Consider SOCKS5 (socks5h://).

If the status code arrived through the tunnel from the destination, it is the site's response, not Proxio's. A 5xx from the target's own CDN is a target-side error. Approach it the same way as the rows above: rotate and retry against the site, not against the gateway.

On this page