# Troubleshooting SFTP

SFTP connection issues are usually caused by firewalls or incorrect settings in the SFTP client. The checks below cover the most common causes.

In most cases, the change that introduced the problem is on the client side. Work through the items below before contacting support.

## Check for Firewall Issues <a href="#check-for-local-network-firewall-issues" id="check-for-local-network-firewall-issues"></a>

Most SFTP support calls trace back to the corporate or network firewall on the customer's side or the counterparty's side. SFTP is a frequently restricted protocol, and firewall changes often introduce new complications.

### Have You Manually Allowlisted Any IP Addresses?

If you have, confirm that all of the appropriate IPs are allowlisted, not just some of them.

### Do You Need to Request an IP Allowlist?

If you have not allowlisted IP addresses, your firewall administrator may require an explicit allowlist for SFTP traffic. Submit a request to your network or firewall administrator to allow SFTP port `22` traffic to all of the IP addresses used by your server.

## Connection Settings in Your SFTP App <a href="#connection-settings-in-your-sftp-app" id="connection-settings-in-your-sftp-app"></a>

The settings below are the most common sources of SFTP connection problems. Double-check each one.

### Hostname

Connect with SFTP to the fully qualified domain name of your appliance. Do not include `https://` at the start of the address. If your client requires an IP address for the connection, connect using the external IP address configured in the appliance manager.

### Port

The default SSH/SFTP port is `22`. Many corporate firewalls block or interfere with port `22`.

### Timeout

If your app supports it, increase the connection timeout value to 60 seconds.

### Retry Logic

If your app supports it, configure three connection retries at 10-second intervals. This allows a failed connection to one server to retry against a different server.

### Keepalives

ExaVault times out SFTP sessions that have been idle for 120 seconds. This prevents unused sessions from holding server resources. Idle timeouts are normal, and most SFTP apps handle them without issue, but some apps do not. Many apps complete transfers in progress and then reconnect when the user issues another command. If your app aborts a transfer or errors out on the idle timeout message, configure keepalives (null packets or dummy commands) every 100 seconds to maintain the SFTP connection.

### Ciphers

Your SFTP app and ExaVault will only connect if both sides agree on a secure cipher. Insecure ciphers are rejected by either side. Make sure your SFTP app uses a [supported secure cipher](/connection-methods/sftp/supported-ssh-ciphers.md).

Check the documentation for your SFTP app to find out how to configure ciphers for your connection.

## ExaVault Configuration That May Be Relevant <a href="#configuration-on-filescom-that-may-be-relevant" id="configuration-on-filescom-that-may-be-relevant"></a>

If the items above check out, the remaining cause is often on the ExaVault side.

Verify that the username is enabled and that the username and password are correct. In the *Users* section, enabled users show a green check and disabled users show a red X. Select a disabled user and use *Enable/Disable* to enable them.

## Authentication or Invalid Username/Password Failure Messages <a href="#invalid-usernamepassword-failures" id="invalid-usernamepassword-failures"></a>

The SFTP protocol has a quirk that often confuses users troubleshooting authentication issues. The protocol uses integers internally to communicate authentication failure codes and does not allow services like ExaVault to return detailed error messages related to authentication.

This is in contrast to nearly every other protocol (our API, FTP, web, and so on), which all provide detailed messages explaining login failures.

Many SFTP clients fall back to a generic "authentication failure" or "invalid username/password" message for any authentication error. Use your ExaVault site's activity logs to determine the real reason for the failure.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.exavault.com/connection-methods/sftp/troubleshooting-sftp.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.