The Cloudflare plugin overrides the builtin function qa_remote_ip_address() to check if the incoming request sent an additional header HTTP_CF_CONNECTING_IP with the real client IP address. Otherwise it falls back to the builtin function which returns either the client address the server sees (REMOTE_ADDR) or null.
Check an incoming request (i.e. check the content of the PHP variable $_SERVER for that request) to see if that header HTTP_CF_CONNECTING_IP was set to 0.0.0.0 or is missing entirely, and also what value REMOTE_ADDR has. Maybe add some logging that logs the values $_SERVER['REMOTE_ADDR'] and $_SERVER['HTTP_CF_CONNECTING_IP'] with a timestamp for each request.
Either way, I'd suspect that the problem is not with Q2A but with Cloudflare (do you need to configure something on the Cloudflare side for them to send the header with the real client IP?), or with something manipulating traffic between the Cloudflare proxy and your Q2A server.
Not much else I can tell you without more information.