Remote MCP Connection Failed: Diagnosing Network, TLS, and Proxies

Can't connect to a remote MCP server? This diagnostic guide helps you troubleshoot network issues, DNS problems, corporate proxy configuration, TLS inspection, and firewall rules. Follow the checklist to identify and fix connection failures.

Diagnostic Checklist

Work through this checklist systematically to identify the issue:

Connection Diagnostic Steps

1. Test endpoint reachability: Can you reach the server URL? (See below)
2. Check DNS resolution: Does the domain name resolve correctly?
3. Verify firewall rules: Are outbound connections allowed?
4. Test proxy configuration: Is a corporate proxy blocking the connection?
5. Check TLS/SSL: Are certificates valid and trusted?
6. Verify API key: Is authentication working? (See 401 Unauthorized)

Step 1: Test Endpoint Reachability

First, verify you can reach the MCP server endpoint:

Test with curl

Use curl to test basic connectivity:

Basic Connection Test

curl -v https://app.corcava.com/mcp

This should return a response (even if it's an authentication error). If you get a connection error, the endpoint is unreachable.

With Authentication

curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://app.corcava.com/mcp

This tests both connectivity and authentication. A 401 error means connection works but auth failed. A connection error means network issues.

Expected Responses

• 200 OK: Connection successful, server is reachable
• 401 Unauthorized: Connection works, but authentication failed (see 401 guide)
• Connection refused: Server is down or firewall is blocking
• DNS resolution failed: Domain name cannot be resolved
• Timeout: Connection attempt timed out (firewall or network issue)

Step 2: Check DNS Resolution

If the domain name doesn't resolve, you'll get DNS errors:

Test DNS Resolution

macOS/Linux

nslookup app.corcava.com
# or
dig app.corcava.com

Windows

nslookup app.corcava.com

DNS Issues and Fixes

Common DNS Problems

• DNS server unreachable: Check your network connection and DNS server settings
• Corporate DNS blocking: Domain may be blocked by corporate DNS filters
• Wrong DNS server: Verify you're using the correct DNS servers (8.8.8.8, 1.1.1.1 for testing)
• DNS cache issues: Flush DNS cache: sudo dscacheutil -flushcache (macOS) or ipconfig /flushdns (Windows)

Step 3: Corporate Proxy Configuration

Corporate networks often use proxies that can block or interfere with MCP connections:

Detect Proxy Issues

Signs of proxy issues:

• Connection works from home but not from office
• Error messages mention "proxy" or "gateway"
• 407 Proxy Authentication Required errors
• Connection timeouts on corporate network

Configure Proxy for MCP

If your network requires a proxy, you may need to configure it. However, most MCP clients don't support proxy configuration directly. Options:

Option 1: System Proxy

Configure your system proxy settings. MCP clients may inherit these settings automatically.

Option 2: VPN

Use a VPN to bypass corporate proxy restrictions (if allowed by company policy).

Option 3: Contact IT

Ask your IT department to whitelist app.corcava.com or allow outbound HTTPS connections to MCP endpoints.

Step 4: TLS/SSL Certificate Issues

TLS inspection and certificate problems can prevent secure connections:

Test TLS Connection

openssl s_client -connect app.corcava.com:443 -servername app.corcava.com

This shows certificate details and any TLS errors.

TLS Inspection Issues

Corporate TLS Inspection

Some corporate networks use TLS inspection (SSL interception) that can break MCP connections:

• Symptom: Certificate validation errors, "untrusted certificate" warnings
• Cause: Corporate firewall is intercepting and re-signing TLS connections
• Fix: Install corporate root certificate, or use VPN to bypass inspection

Certificate Validation Errors

Common Certificate Errors

• Certificate expired: Server certificate has expired (rare, but check)
• Certificate not trusted: Root CA not in system trust store
• Hostname mismatch: Certificate doesn't match the domain name
• Self-signed certificate: Certificate not signed by trusted CA

Step 5: Firewall Rules

Firewalls can block outbound connections to MCP servers:

Test Firewall Rules

Test Outbound HTTPS

telnet app.corcava.com 443
# or
nc -zv app.corcava.com 443

If this fails, port 443 (HTTPS) may be blocked by firewall.

Firewall Configuration

Required firewall rules:

• Outbound HTTPS (port 443): Allow connections to app.corcava.com:443
• DNS (port 53): Allow DNS queries for domain resolution
• No inbound rules needed: MCP uses outbound connections only

Example Error Messages

Common error messages and what they mean:

"Connection refused"

• Meaning: Server is not accepting connections
• Possible causes:
  • Server is down
  • Firewall is blocking the connection
  • Wrong port number
• Fix: Check server status, verify firewall rules, confirm endpoint URL

"DNS resolution failed"

• Meaning: Domain name cannot be resolved to an IP address
• Possible causes:
  • DNS server unreachable
  • Domain name misspelled
  • Corporate DNS blocking
• Fix: Test DNS resolution, check domain spelling, try different DNS server

"Connection timeout"

• Meaning: Connection attempt timed out
• Possible causes:
  • Firewall blocking connection
  • Network congestion
  • Proxy server issues
• Fix: Check firewall rules, test from different network, verify proxy settings

"SSL certificate verification failed"

• Meaning: TLS/SSL certificate cannot be verified
• Possible causes:
  • Corporate TLS inspection
  • Expired certificate
  • Untrusted root CA
• Fix: Install corporate root certificate, verify certificate validity, check system date/time

"407 Proxy Authentication Required"

• Meaning: Corporate proxy requires authentication
• Possible causes:
  • Proxy requires credentials
  • MCP client doesn't support proxy auth
• Fix: Configure proxy authentication, use VPN, or contact IT for whitelisting

Quick Diagnostic Commands

Run These Tests

1. Test connectivity: curl -v https://app.corcava.com/mcp
2. Test DNS: nslookup app.corcava.com
3. Test port: telnet app.corcava.com 443 or nc -zv app.corcava.com 443
4. Test TLS: openssl s_client -connect app.corcava.com:443
5. Test with auth: curl -H "Authorization: Bearer YOUR_API_KEY" https://app.corcava.com/mcp

Still Having Issues?

If you've tried all diagnostic steps and still can't connect:

• Test from a different network (home vs office) to isolate network issues
• Check if other HTTPS sites work (to rule out general network problems)
• Try a different MCP client to see if the issue is client-specific
• Review 401 Unauthorized if you get auth errors
• Contact support with specific error messages and diagnostic output

Related Troubleshooting

• 401 Unauthorized - Fix authentication issues after connection succeeds
• Server Not Showing - Fix issues when MCP server doesn't appear
• Config JSON Errors - Fix invalid JSON syntax issues
• Troubleshooting Index - Browse all troubleshooting guides