

# Monitoring AS2 usage
<a name="as2-monitoring"></a>

You can monitor AS2 activity using Amazon CloudWatch and AWS CloudTrail. To view other Transfer Family server metrics, see [Amazon CloudWatch logging for AWS Transfer Family servers](structured-logging.md).


**AS2 metrics**  

| Metric | Description | 
| --- | --- | 
| InboundMessage | The total number of AS2 messages successfully received from a trading partner. Units: Count. Period: 5 minutes. | 
| InboundFailedMessage | The total number of AS2 messages that were unsuccessfully received from a trading partner. That is, a trading partner sent a message, but the Transfer Family server was not able to successfully process it. Units: Count. Period: 5 minutes. | 
| OutboundMessage | The total number of AS2 messages successfully sent from the Transfer Family server to a trading partner. Units: Count. Period: 5 minutes. | 
| OutboundFailedMessage | The total number of AS2 messages that were unsuccessfully sent to a trading partner. That is, they were sent from the Transfer Family server, but were not successfully received by the trading partner. Units: Count. Period: 5 minutes. | 
| DaysUntilExpiry | The number of days until a certificate expires, determined by the `InactiveDate` set on the certificate when importing. Units: Count. Dimensions: `CertificateId`, `Description` (if provided). Period: 1 day. For more information, see [AS2 certificate rotation](managing-as2-partners.md#as2-certificate-rotation). | 

## AS2 Status codes
<a name="as2-monitor-status-codes"></a>

The following table lists all of the status codes that can be logged to CloudWatch logs when you or your partner send an AS2 message. Different message processing steps apply to different message types and are intended for monitoring only. The COMPLETED and FAILED states represent the final step in processing, and are visible in JSON files.



| Code | Description | Processing completed? | 
| --- | --- | --- | 
| PROCESSING | The message is in the process of being converted to its final format. For example, decompression and decryption steps both have this status. | No | 
| MDN_TRANSMIT | Message processing is sending an MDN response. | No | 
| MDN_RECEIVE | Message processing is receiving an MDN response. | No | 
| COMPLETED | Message processing has completed successfully. This state includes when an MDN is sent for an inbound message or for MDN verification of outbound messages. | Yes | 
| FAILED | The message processing has failed. For a list of error codes, see [AS2 error codes](#as2-error-codes). | Yes | 

## AS2 error codes
<a name="as2-error-codes"></a>

The following table lists and describes error codes that you might receive from AS2 file transfers.


**AS2 error codes**  

| Code | Error | Description and resolution | 
| --- | --- | --- | 
| ACCESS_DENIED | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | Occurs when handling a `StartFileTransfer` request where any of the `SendFilePaths` are not valid or malformed. That is, the path is missing the Amazon S3 bucket name, or the path includes characters that aren't valid. Also occurs if Transfer Family fails to assume the access role or logging role. Ensure that the path contains a valid Amazon S3 bucket name and key name. | 
| AGREEMENT_NOT_FOUND | Agreement was not found. | Either the agreement was not found, or the agreement is associated with an inactive profile. Update the agreement within the Transfer Family server to include active profiles. | 
| CONNECTOR_NOT_FOUND | Connector or related configuration was not found. | Either the connector was not found, or the connector is associated with an inactive profile. Update the connector to include active profiles. | 
| CREDENTIALS_RETRIEVAL_FAILED | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | For AS2 Basic authentication, the secret must be formatted correctly. The following resolutions correspond to the errors listed in the previous column. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | 
| DECOMPRESSION_FAILED | Failed to decompress message. | Either the file sent is corrupt, or the compression algorithm is not valid. Resend the message and verify that ZLIB compression is used, or resend the message without compression enabled. | 
| DECRYPT_FAILED | Failed to decrypt message message-ID. Ensure that the partner has the correct public encryption key. | Decryption failed. Confirm that the partner sent a payload by using a valid certificate and that encryption was performed by using a valid encryption algorithm. | 
| DECRYPT_FAILED_INVALID_SMIME_FORMAT | Unable to parse enveloped mimePart. | MIME payload is either corrupt or in an unsupported SMIME format. The sender should make sure that the format they're using is supported, and then resend the payload. | 
| DECRYPT_FAILED_NO_DECRYPTION_KEY_FOUND | No matching decryption key found. | The partner profile did not have a certificate assigned that matched the message, or the certificates that matched the message are now expired or no longer valid. You must update the partner profile and ensure that it contains a valid certificate. | 
| DECRYPT_FAILED_UNSUPPORTED_ENCRYPTION_ALG | SMIME Payload Decryption requested using unsupported algorithm with ID: encryption-ID. | The remote sender has sent an AS2 payload with an unsupported encryption algorithm. The sender must choose an encryption algorithm that's supported by AWS Transfer Family. | 
| DUPLICATE_MESSAGE | Duplicate or double processed step. | The payload has a duplicate processing step. For example, there are two encryption steps. Resend the message with a single step for signing, compression, and encryption. | 
| ENCRYPT_FAILED_NO_ENCRYPTION_KEY_FOUND | No valid public encryption certificates found in profile: *local-profile-ID* | Transfer Family is attempting to encrypt an outbound message, but no encryption certificates are found for the local profile. Resolution options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | 
| ENCRYPTION_FAILED | Failed to encrypt file file-name. | The file to be sent is not available for encryption. Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file. | 
| FILE_SIZE_TOO_LARGE | File size is too large. | This occurs when sending or receiving a file that exceeds the file size limit. | 
| HTTP_ERROR_RESPONSE_FROM_PARTNER | *partner-URL* returned status 400 for message with ID=*message-ID*. | Communicating with the partner's AS2 server returned an unexpected HTTP response code. The partner might be able to provide more diagnostics from their AS2 server logs. | 
| INSUFFICENT_MESSAGE_SECURITY_UNENCRYPTED | Encryption is required. | The partner sent an unencrypted message to Transfer Family, which is not supported. The sender must use an encrypted payload. | 
| INVALID_ENDPOINT_PROTOCOL | Only HTTP and HTTPS are supported. | You must specify HTTP or HTTPS as the protocol in your AS2 connector configuration. | 
| INVALID_REQUEST | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | This error has several causes. The following resolutions correspond to the errors listed in the previous column. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | 
| INVALID_URL_FORMAT | Invalid URL format: URL | This occurs when you are sending an outbound message using a connector configured with a malformed URL. Ensure that the connector is configured with a valid HTTP or HTTPS URL. | 
| MDN_RESPONSE_INDICATES_AUTHENTICATION_FAILED | Not applicable | The receiver cannot authenticate the sender. The trading partner returns an MDN to Transfer Family with the [disposition modifier](https://datatracker.ietf.org/doc/html/rfc4130#section-7.5.4) Error: authentication-failed. | 
| MDN_RESPONSE_INDICATES_DECOMPRESSION_FAILED | Not applicable | This occurs when the receiver cannot decompress the message contents. The trading partner returns an MDN to Transfer Family with the [disposition modifier](https://datatracker.ietf.org/doc/html/rfc4130#section-7.5.4) Error: decompression-failed. | 
| MDN_RESPONSE_INDICATES_DECRYPTION_FAILED | Not applicable | The receiver cannot decrypt the message contents. The trading partner returns an MDN to Transfer Family with the [disposition modifier](https://datatracker.ietf.org/doc/html/rfc4130#section-7.5.4) Error: authentication-failed. | 
| MDN_RESPONSE_INDICATES_INSUFFICIENT_MESSAGE_SECURITY | Not applicable | The receiver expects the message to be signed or encrypted, but it isn’t. The trading partner returns an MDN to Transfer Family with the [disposition modifier](https://datatracker.ietf.org/doc/html/rfc4130#section-7.5.4) Error: insufficient-message-security. Enable signing and/or encryption on the connector to match the trading partner's expectations. | 
| MDN_RESPONSE_INDICATES_INTEGRITY_CHECK_FAILED | Not applicable | The receiver cannot verify content integrity. The trading partner returns an MDN to Transfer Family with the [disposition modifier](https://datatracker.ietf.org/doc/html/rfc4130#section-7.5.4) Error: integrity-check-failed. | 
| PATH_NOT_FOUND | Unable to create directory *file-path*. The parent path could not be found. | Transfer Family is attempting to create a directory in the customer's Amazon S3 bucket, but the bucket is not found. Ensure that each path mentioned in the `StartFileTransfer` command contains the name of an existing bucket. | 
| SEND_FILE_NOT_FOUND | File path file-path not found. | Transfer Family can't locate the file in the send file operation. Check that the configured home directory and path are valid and that Transfer Family has read permissions for the file. | 
| SERVER_NOT_FOUND | Server associated with the message cannot be found. | Transfer Family could not find the server when receiving a message. This can happen if the server is deleted during the processing of an incoming message. | 
| SERVER_NOT_ONLINE | Server server-ID is not online. | The Transfer Family server is offline. Start the server so that it can receive and process messages. | 
| SIGNING_FAILED | Failed to sign file. | The file to be sent is not available for signing, or signing could not be performed. Verify that the file is in its expected AS2 location and that AWS Transfer Family has permission to read the file. | 
| SIGNING_FAILED_NO_SIGNING_KEY_FOUND | No certificate found for profile: local-profile-ID. | Attempting to sign an outbound message, but no signing certificates are found for the local profile. Resolution options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | 
| UNABLE_RESOLVE_HOST_TO_IP_ADDRESS | Unable to resolve hostname to IP addresses. | Transfer Family is unable to perform DNS to IP address resolution on the public DNS server that is configured in the AS2 connector. Update the connector to point to a valid partner URL. | 
| UNABLE_TO_CONNECT_TO_REMOTE_HOST_OR_IP | Connection to endpoint timed out. | Transfer Family cannot establish a socket connection to the configured partner's AS2 server. Check that the partner's AS2 server is available at the configured IP address. | 
| UNABLE_TO_RESOLVE_HOSTNAME | Unable to resolve hostname hostname. | The Transfer Family server could not resolve the partner's hostname by using a public DNS server. Check that the configured host is registered and that the DNS record has had time to publish. | 
| VERIFICATION_FAILED | Signature verification failed for AS2 message message-ID or a MIC code did not match. | Check that the sender's signing certificate matches the signing certificates for the remote profile. Also check that the MIC algorithms are compatible with AWS Transfer Family. | 
| VERIFICATION_FAILED_NO_MATCHING_KEY_FOUND | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | AWS Transfer Family is attempting to verify the signature for a received message, but no matching signing certificate is found for the partner profile. Resolution options: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/transfer/latest/userguide/as2-monitoring.html) | 
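
The following added example (not part of the AWS documentation) shows one way to triage exported AS2 log events using the status and error codes above: it reports messages that never reached `COMPLETED` or `FAILED`, and separates signature, encryption, and authentication failures per partner from operational ones. The JSON field names (`message-id`, `partner`, `status-code`, `error-code`), the sample events, and the `triage` function are assumptions made for illustration.

```python
import json
from collections import Counter, defaultdict

TERMINAL = {"COMPLETED", "FAILED"}  # final states per the status code table
# Error codes (spelled as in the table above) tied to signature, encryption or
# partner authentication checks rather than connectivity or configuration.
SECURITY_PREFIXES = (
    "DECRYPT_FAILED", "VERIFICATION_FAILED", "INSUFFICENT_MESSAGE_SECURITY",
    "MDN_RESPONSE_INDICATES_AUTHENTICATION_FAILED",
    "MDN_RESPONSE_INDICATES_DECRYPTION_FAILED",
    "MDN_RESPONSE_INDICATES_INSUFFICIENT_MESSAGE_SECURITY",
    "MDN_RESPONSE_INDICATES_INTEGRITY_CHECK_FAILED",
)
# Constructed sample events; the JSON field names are assumptions.
SAMPLE_EVENTS = """\
{"message-id": "m1", "partner": "P1", "status-code": "PROCESSING"}
{"message-id": "m1", "partner": "P1", "status-code": "COMPLETED"}
{"message-id": "m2", "partner": "P2", "status-code": "FAILED", "error-code": "VERIFICATION_FAILED_NO_MATCHING_KEY_FOUND"}
{"message-id": "m3", "partner": "P2", "status-code": "FAILED", "error-code": "DECRYPT_FAILED"}
{"message-id": "m4", "partner": "P1", "status-code": "FAILED", "error-code": "SERVER_NOT_ONLINE"}
{"message-id": "m5", "partner": "P3", "status-code": "PROCESSING"}
not-json line
"""

def triage(lines, threshold=2):
    last, security, operational, skipped = {}, defaultdict(Counter), Counter(), 0
    for line in lines:
        try:
            ev = json.loads(line)
            mid, status = ev["message-id"], ev["status-code"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or incomplete record: count it, keep going
            continue
        if last.get(mid) not in TERMINAL:  # a late event never reopens a message
            last[mid] = status
        if status == "FAILED":
            code = str(ev.get("error-code", "UNKNOWN"))
            if code.startswith(SECURITY_PREFIXES):
                security[ev.get("partner", "unknown")][code] += 1
            else:
                operational[code] += 1
    return {
        "incomplete": sorted(m for m, s in last.items() if s not in TERMINAL),
        "security": {p: dict(c) for p, c in security.items()},
        "alert_partners": sorted(p for p, c in security.items()
                                 if sum(c.values()) >= threshold),
        "operational": dict(operational),
        "skipped": skipped,
    }
```

Call `triage(SAMPLE_EVENTS.splitlines())` to see the summary for the constructed events; adjust the field names to match the log records you actually export.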