Monitoring AS2 usage - AWS Transfer Family

Monitoring AS2 usage

You can monitor AS2 activity using Amazon CloudWatch and AWS CloudTrail. To view other Transfer Family server metrics, see Amazon CloudWatch logging for AWS Transfer Family servers

AS2 metrics
Metric Description
InboundMessage

The total number of AS2 messages successfully received from a trading partner.

Units: Count

Period: 5 minutes

InboundFailedMessage

The total number of AS2 messages that were unsuccessfully received from a trading partner. That is, a trading partner sent a message, but the Transfer Family server was not able to successfully process it.

Units: Count

Period: 5 minutes

OutboundMessage

The total number of AS2 messages successfully sent from the Transfer Family server to a trading partner.

Units: Count

Period: 5 minute

OutboundFailedMessage

The total number of AS2 messages that were unsuccessfully sent to a trading partner. That is, they were sent from the Transfer Family server, but were not successfully received by the trading partner.

Units: Count

Period: 5 minutes

AS2 Status codes

The following table lists all of the status codes that can be logged to CloudWatch logs when you or your partner send an AS2 message. Different message processing steps apply to different message types and are intended for monitoring only. The COMPLETED and FAILED states represent the final step in processing, and are visible in JSON files.

Code Description Processing completed?
PROCESSING The message is in the process of being converted to its final format. For example, decompression and decryption steps both have this status. No
MDN_TRANSMIT Message processing is sending an MDN response. No
MDN_RECEIVE Message processing is receiving an MDN response. No
COMPLETED Message processing has completed successfully. This state includes when an MDN is sent for an inbound message or for MDN verification of outbound messages. Yes
FAILED The message processing has failed. For a list of error codes, see AS2 error codes. Yes

AS2 error codes

The following table lists and describes error codes that you might receive from AS2 file transfers.

AS2 error codes
Code Error Description and resolution
ACCESS_DENIED
  • Access denied. Check if your access role has necessary permissions.

  • Invalid file path send-file-path

  • Failed to get credentials with ErrorCode: error-code

Occurs when handling a StartFileTransfer request where any of the SendFilePaths are not valid or malformed. That is, the path is missing the Amazon S3 bucket name, or the path includes characters that aren't valid. Also occurs if Transfer Family fails to assume the access role or logging role.

Ensure that the path contains a valid Amazon S3 bucket name and key name.

AGREEMENT_NOT_FOUND Agreement was not found.

Either the agreement was not found, or the agreement is associated with an inactive profile.

Update the agreement within the Transfer Family server to include active profiles.

CONNECTOR_NOT_FOUND Connector or related configuration was not found.

Either the connector was not found, or the connector is associated with an inactive profile.

Update the connector to include active profiles.

CREDENTIALS_RETRIEVAL_FAILED
  1. Secret not found in Secrets Manager.

  2. Cannot access Secrets Manager.

  3. Failed to decrypt secret in Secrets Manager.

  4. Cannot get secret value due to throttling.

For AS2 Basic authentication, the secret must be formatted correctly. The following resolutions correspond to the errors listed in the previous column.

  1. Ensure that the secret ID is correct.

  2. Ensure that the access role has the appropriate permissions to read the secret. The access role must provide read and write access to the parent directory of the file location used in the StartFileTransfer request. Additionally, make sure that the role provides read and write access to the parent directory of the files that you intend to send with StartFileTransfer.

  3. If a customer managed key is being used for the secret, ensure that the access role has permissions for the AWS Key Management Service (AWS KMS) key.

  4. For the applicable quotas, see Quotas for handling secrets.

DECOMPRESSION_FAILED Failed to decompress message.

Either the file sent is corrupt, or the compression algorithm is not valid.

Resend the message and verify that ZLIB compression is used, or resend the message without compression enabled.

DECRYPT_FAILED Failed to decrypt message message-ID. Ensure that the partner has the correct public encryption key.

Decryption failed.

Confirm that the partner sent a payload by using a valid certificate and that encryption was performed by using a valid encryption algorithm.

DECRYPT_FAILED_INVALID_SMIME_FORMAT Unable to parse enveloped mimePart.

MIME payload is either corrupt or in an unsupported SMIME format.

The sender should make sure that the format they're using is supported, and then resend the payload.

DECRYPT_FAILED_NO_DECRYPTION_KEY_FOUND No matching decryption key found.

The partner profile did not have a certificate assigned that matched the message, or the certificates that matched the message are now expired or no longer valid.

You must update the partner profile and ensure that it contains a valid certificate.

DECRYPT_FAILED_UNSUPPORTED_ENCRYPTION_ALG SMIME Payload Decryption requested using unsupported algorithm with ID: encryption-ID.

The remote sender has sent an AS2 payload with an unsupported encryption algorithm.

The sender must choose an encryption algorithm that's supported by AWS Transfer Family.

DUPLICATE_MESSAGE Duplicate or double processed step.

The payload has a duplicate processing step. For example, there are two encryption steps.

Resend the message with a single step for signing, compression, and encryption.

ENCRYPT_FAILED_NO_ENCRYPTION_KEY_FOUND

No valid public encryption certificates found in profile: local-profile-ID

Transfer Family is attempting to encrypt an outbound message, but no encryption certificates are found for the local profile.

Resolution options:

  • Ensure that the local profile has a certificate and private key for encryption attached.

  • Ensure that the encryption certificate is currently active.

ENCRYPTION_FAILED Failed to encrypt file file-name.

The file to be sent is not available for encryption.

Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file.

FILE_SIZE_TOO_LARGE File size is too large. This occurs when sending or receiving a file that exceeds the file size limit.
HTTP_ERROR_RESPONSE_FROM_PARTNER

partner-URL returned status 400 for message with ID=message-ID.

Communicating with the partner's AS2 server returned an unexpected HTTP response code.

The partner might be able to provide more diagnostics from their AS2 server logs.

INSUFFICENT_MESSAGE_SECURITY_UNENCRYPTED Encryption is required. The partner sent an unencrypted message to Transfer Family, which is not supported. The sender must use an encrypted payload.
INVALID_ENDPOINT_PROTOCOL Only HTTP and HTTPS are supported. You must specify HTTP or HTTPS as the protocol in your AS2 connector configuration.
INVALID_REQUEST
  1. There is a problem with a message header.

  2. Could not parse secret JSON.

    Secret JSON did not match expected format.

  3. Secret must be a JSON string.

  4. Username must not contain a colon.

    Username must not contain control characters.

    Username must contain only ASCII characters.

    Password must not contain control characters.

    Password must contain only ASCII characters.

This error has several causes. The following resolutions correspond to the errors listed in the previous column.

  1. Check the as2-from and as2-to fields. Make sure that the original message ID is accurate for the MDN format. Also make sure that the message ID format is not missing any AS2 headers.

  2. Ensure that the secret value matches the documented format, as described in Enable Basic authentication for AS2 connectors.

  3. Ensure that the secret is provided as a string, and not as a binary.

  4. Make the necessary correction to the username or password.

INVALID_URL_FORMAT Invalid URL format: URL

This occurs when you are sending an outbound message using a connector configured with a malformed URL.

Ensure that the connector is configured with a valid HTTP or HTTPS URL.

MDN_RESPONSE_INDICATES_AUTHENTICATION_FAILED Not applicable The receiver cannot authenticate the sender. The trading partner returns an MDN to Transfer Family with the disposition modifier Error: authentication-failed.
MDN_RESPONSE_INDICATES_DECOMPRESSION_FAILED Not applicable This occurs when the receiver cannot decompress the message contents. The trading partner returns an MDN to Transfer Family with the disposition modifier Error: decompression-failed.
MDN_RESPONSE_INDICATES_DECRYPTION_FAILED Not applicable The receiver cannot decrypt the message contents. The trading partner returns an MDN to Transfer Family with the disposition modifier Error: authentication-failed.
MDN_RESPONSE_INDICATES_INSUFFICIENT_MESSAGE_SECURITY Not applicable The receiver expects the message to be signed or encrypted, but it isn’t. The trading partner returns an MDN to Transfer Family with the disposition modifier Error: insufficient-message-security.

Enable signing and/or encryption on the connector to match the trading partner's expectations.

MDN_RESPONSE_INDICATES_INTEGRITY_CHECK_FAILED Not applicable The receiver cannot verify content integrity. The trading partner returns an MDN to Transfer Family with the disposition modifier Error: integrity-check-failed.
PATH_NOT_FOUND

Unable to create directory file-path. The parent path could not be found.

Transfer Family is attempting to create a directory in the customer's Amazon S3 bucket, but the bucket is not found.

Ensure that each path mentioned in the StartFileTransfer command contains the name of an existing bucket.

SEND_FILE_NOT_FOUND File path file-path not found.

Transfer Family can't locate the file in the send file operation.

Check that the configured home directory and path are valid and that Transfer Family has read permissions for the file.

SERVER_NOT_FOUND Server associated with the message cannot be found. Transfer Family could not find the server when receiving a message. This can happen if the server is deleted during the processing of an incoming message.
SERVER_NOT_ONLINE Server server-ID is not online. The Transfer Family server is offline.

Start the server so that it can receive and process messages.

SIGNING_FAILED Failed to sign file.

The file to be sent is not available for signing, or signing could not be performed.

Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file.

SIGNING_FAILED_NO_SIGNING_KEY_FOUND No certificate found for profile: local-profile-ID. Attempting to sign an outbound message, but no signing certificates are found for the local profile.

Resolution options:

  • Ensure that the local profile has a certificate and private key for signing attached.

  • Ensure that the signing certificate is currently active.

UNABLE_RESOLVE_HOST_TO_IP_ADDRESS Unable to resolve hostname to IP addresses.

Transfer Family is unable to perform DNS to IP address resolution on the public DNS server that is configured in the AS2 connector.

Update the connector to point to a valid partner URL.

UNABLE_TO_CONNECT_TO_REMOTE_HOST_OR_IP Connection to endpoint timed out.

Transfer Family cannot establish a socket connection to the configured partner's AS2 server.

Check that the partner's AS2 server is available at the configured IP address.

UNABLE_TO_RESOLVE_HOSTNAME Unable to resolve hostname hostname.

The Transfer Family server could not resolve the partner's hostname by using a public DNS server.

Check that the configured host is registered and that the DNS record has had time to publish.

VERIFICATION_FAILED Signature verification failed for AS2 message message-ID or a MIC code did not match. Check that the sender's signing certificate matches the signing certificates for the remote profile. Also check that the MIC algorithms are compatible with AWS Transfer Family.
VERIFICATION_FAILED_NO_MATCHING_KEY_FOUND
  • No public certificate matching message signature could be found in profile: partner-profile-ID.

  • Cannot get certificates for non-existent profile: partner-profile-ID.

  • No valid certificate was found in profile: partner-profile-ID.

AWS Transfer Family is attempting to verify the signature for a received message, but no matching signing certificate is found for the partner profile.

Resolution options:

  • Ensure that the partner profile has a signing certificate attached.

  • Ensure that the certificate is currently active.

  • Ensure that the certificate is the correct signing certificate for the partner.