Monitoring AS2 usage

You can monitor AS2 activity using Amazon CloudWatch and AWS CloudTrail. To view other Transfer Family server metrics, see Amazon CloudWatch logging for AWS Transfer Family

AS2 metrics
Metric	Description
`InboundMessage`	The total number of AS2 messages successfully received from a trading partner. Units: Count Period: 5 minutes
`InboundFailedMessage`	The total number of AS2 messages that were unsuccessfully received from a trading partner. That is, a trading partner sent a message, but the Transfer Family server was not able to successfully process it. Units: Count Period: 5 minutes
`OutboundMessage`	The total number of AS2 messages successfully sent from the Transfer Family server to a trading partner. Units: Count Period: 5 minute
`OutboundFailedMessage`	The total number of AS2 messages that were unsuccessfully sent to a trading partner. That is, they were sent from the Transfer Family server, but were not successfully received by the trading partner. Units: Count Period: 5 minutes

AS2 Status codes

The following table lists all of the status codes that can be logged to CloudWatch logs when you or your partner send an AS2 message. Different message processing steps apply to different message types and are intended for monitoring only. The COMPLETED and FAILED states represent the final step in processing, and are visible in JSON files.

Code	Description	Processing completed?
PROCESSING	The message is in the process of being converted to its final format. For example, decompression and decryption steps both have this status.	No
MDN_TRANSMIT	Message processing is sending an MDN response.	No
MDN_RECEIVE	Message processing is receiving an MDN response.	No
COMPLETED	Message processing has completed successfully. This state includes when an MDN is sent for an inbound message or for MDN verification of outbound messages.	Yes
FAILED	The message processing has failed. For a list of error codes, see AS2 error codes.	Yes

AS2 error codes

The following table lists and describes error codes that you might receive from AS2 file transfers.

AS2 error codes
Code	Error	Description and resolution
`ACCESS_DENIED`	Access denied. Check if your access role has necessary permissions. Invalid file path `send-file-path` Failed to get credentials with ErrorCode: `error-code`	Occurs when handling a `StartFileTransfer` request where any of the `SendFilePaths` are not valid or malformed. That is, the path is missing the Amazon S3 bucket name, or the path includes characters that aren't valid. Also occurs if Transfer Family fails to assume the access role or logging role. Ensure that the path contains a valid Amazon S3 bucket name and key name.
`AGREEMENT_NOT_FOUND`	Agreement was not found.	Either the agreement was not found, or the agreement is associated with an inactive profile. Update the agreement within the Transfer Family server to include active profiles.
`CONNECTOR_NOT_FOUND`	Connector or related configuration was not found.	Either the connector was not found, or the connector is associated with an inactive profile. Update the connector to include active profiles.
`CREDENTIALS_RETRIEVAL_FAILED`	Secret not found in Secrets Manager. Cannot access Secrets Manager. Failed to decrypt secret in Secrets Manager. Cannot get secret value due to throttling.	For AS2 Basic authentication, the secret must be formatted correctly. The following resolutions correspond to the errors listed in the previous column. Ensure that the secret ID is correct. Ensure that the access role has the appropriate permissions to read the secret. The access role must provide read and write access to the parent directory of the file location used in the `StartFileTransfer` request. Additionally, make sure that the role provides read and write access to the parent directory of the files that you intend to send with `StartFileTransfer`. If a customer managed key is being used for the secret, ensure that the access role has permissions for the AWS Key Management Service (AWS KMS) key. For the applicable quotas, see Quotas for handling secrets.
`DECOMPRESSION_FAILED`	Failed to decompress message.	Either the file sent is corrupt, or the compression algorithm is not valid. Resend the message and verify that ZLIB compression is used, or resend the message without compression enabled.
`DECRYPT_FAILED`	Failed to decrypt message `message-ID`. Ensure that the partner has the correct public encryption key.	Decryption failed. Confirm that the partner sent a payload by using a valid certificate and that encryption was performed by using a valid encryption algorithm.
`DECRYPT_FAILED_INVALID_SMIME_FORMAT`	Unable to parse enveloped mimePart.	MIME payload is either corrupt or in an unsupported SMIME format. The sender should make sure that the format they're using is supported, and then resend the payload.
`DECRYPT_FAILED_NO_DECRYPTION_KEY_FOUND`	No matching decryption key found.	The partner profile did not have a certificate assigned that matched the message, or the certificates that matched the message are now expired or no longer valid. You must update the partner profile and ensure that it contains a valid certificate.
`DECRYPT_FAILED_UNSUPPORTED_ENCRYPTION_ALG`	SMIME Payload Decryption requested using unsupported algorithm with ID: `encryption-ID`.	The remote sender has sent an AS2 payload with an unsupported encryption algorithm. The sender must choose an encryption algorithm that's supported by AWS Transfer Family.
`DUPLICATE_MESSAGE`	Duplicate or double processed step.	The payload has a duplicate processing step. For example, there are two encryption steps. Resend the message with a single step for signing, compression, and encryption.
`ENCRYPT_FAILED_NO_ENCRYPTION_KEY_FOUND`	No valid public encryption certificates found in profile: `local-profile-ID`	Transfer Family is attempting to encrypt an outbound message, but no encryption certificates are found for the local profile. Resolution options: Ensure that the local profile has a certificate and private key for encryption attached. Ensure that the encryption certificate is currently active.
`ENCRYPTION_FAILED`	Failed to encrypt file `file-name`.	The file to be sent is not available for encryption. Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file.
`FILE_SIZE_TOO_LARGE`	File size is too large.	This occurs when sending or receiving a file that exceeds the file size limit.
`HTTP_ERROR_RESPONSE_FROM_PARTNER`	`partner-URL` returned status 400 for message with ID=`message-ID`.	Communicating with the partner's AS2 server returned an unexpected HTTP response code. The partner might be able to provide more diagnostics from their AS2 server logs.
`INSUFFICENT_MESSAGE_SECURITY_UNENCRYPTED`	Encryption is required.	The partner sent an unencrypted message to Transfer Family, which is not supported. The sender must use an encrypted payload.
`INVALID_ENDPOINT_PROTOCOL`	Only HTTP and HTTPS are supported.	You must specify HTTP or HTTPS as the protocol in your AS2 connector configuration.
`INVALID_REQUEST`	There is a problem with a message header. Could not parse secret JSON. Secret JSON did not match expected format. Secret must be a JSON string. Username must not contain a colon. Username must not contain control characters. Username must contain only ASCII characters. Password must not contain control characters. Password must contain only ASCII characters.	This error has several causes. The following resolutions correspond to the errors listed in the previous column. Check the `as2-from` and `as2-to` fields. Make sure that the original message ID is accurate for the MDN format. Also make sure that the message ID format is not missing any AS2 headers. Ensure that the secret value matches the documented format, as described in Enable Basic authentication for AS2 connectors. Ensure that the secret is provided as a string, and not as a binary. Make the necessary correction to the username or password.
`INVALID_URL_FORMAT`	Invalid URL format: `URL`	This occurs when you are sending an outbound message using a connector configured with a malformed URL. Ensure that the connector is configured with a valid HTTP or HTTPS URL.
`MDN_RESPONSE_INDICATES_AUTHENTICATION_FAILED`	Not applicable	The receiver cannot authenticate the sender. The trading partner returns an MDN to Transfer Family with the disposition modifier `Error: authentication-failed`.
`MDN_RESPONSE_INDICATES_DECOMPRESSION_FAILED`	Not applicable	This occurs when the receiver cannot decompress the message contents. The trading partner returns an MDN to Transfer Family with the disposition modifier `Error: decompression-failed`.
`MDN_RESPONSE_INDICATES_DECRYPTION_FAILED`	Not applicable	The receiver cannot decrypt the message contents. The trading partner returns an MDN to Transfer Family with the disposition modifier `Error: authentication-failed`.
`MDN_RESPONSE_INDICATES_INSUFFICIENT_MESSAGE_SECURITY`	Not applicable	The receiver expects the message to be signed or encrypted, but it isn’t. The trading partner returns an MDN to Transfer Family with the disposition modifier `Error: insufficient-message-security`. Enable signing and/or encryption on the connector to match the trading partner's expectations.
`MDN_RESPONSE_INDICATES_INTEGRITY_CHECK_FAILED`	Not applicable	The receiver cannot verify content integrity. The trading partner returns an MDN to Transfer Family with the disposition modifier `Error: integrity-check-failed`.
`PATH_NOT_FOUND`	Unable to create directory `file-path`. The parent path could not be found.	Transfer Family is attempting to create a directory in the customer's Amazon S3 bucket, but the bucket is not found. Ensure that each path mentioned in the `StartFileTransfer` command contains the name of an existing bucket.
`SEND_FILE_NOT_FOUND`	File path `file-path` not found.	Transfer Family can't locate the file in the send file operation. Check that the configured home directory and path are valid and that Transfer Family has read permissions for the file.
`SERVER_NOT_FOUND`	Server associated with the message cannot be found.	Transfer Family could not find the server when receiving a message. This can happen if the server is deleted during the processing of an incoming message.
`SERVER_NOT_ONLINE`	Server `server-ID` is not online.	The Transfer Family server is offline. Start the server so that it can receive and process messages.
`SIGNING_FAILED`	Failed to sign file.	The file to be sent is not available for signing, or signing could not be performed. Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file.
`SIGNING_FAILED_NO_SIGNING_KEY_FOUND`	No certificate found for profile: `local-profile-ID`.	Attempting to sign an outbound message, but no signing certificates are found for the local profile. Resolution options: Ensure that the local profile has a certificate and private key for signing attached. Ensure that the signing certificate is currently active.
`UNABLE_RESOLVE_HOST_TO_IP_ADDRESS`	Unable to resolve hostname to IP addresses.	Transfer Family is unable to perform DNS to IP address resolution on the public DNS server that is configured in the AS2 connector. Update the connector to point to a valid partner URL.
`UNABLE_TO_CONNECT_TO_REMOTE_HOST_OR_IP`	Connection to endpoint timed out.	Transfer Family cannot establish a socket connection to the configured partner's AS2 server. Check that the partner's AS2 server is available at the configured IP address.
`UNABLE_TO_RESOLVE_HOSTNAME`	Unable to resolve hostname `hostname`.	The Transfer Family server could not resolve the partner's hostname by using a public DNS server. Check that the configured host is registered and that the DNS record has had time to publish.
`VERIFICATION_FAILED`	Signature verification failed for AS2 message `message-ID` or a MIC code did not match.	Check that the sender's signing certificate matches the signing certificates for the remote profile. Also check that the MIC algorithms are compatible with AWS Transfer Family.
`VERIFICATION_FAILED_NO_MATCHING_KEY_FOUND`	No public certificate matching message signature could be found in profile: `partner-profile-ID`. Cannot get certificates for non-existent profile: `partner-profile-ID`. No valid certificate was found in profile: `partner-profile-ID`.	AWS Transfer Family is attempting to verify the signature for a received message, but no matching signing certificate is found for the partner profile. Resolution options: Ensure that the partner profile has a signing certificate attached. Ensure that the certificate is currently active. Ensure that the certificate is the correct signing certificate for the partner.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Transfer AS2 messages

Managing file-processing workflows