Troubleshooting SFTP

SFTP connection issues are typically caused by firewalls or incorrect settings in SFTP software. The steps below will help you resolve these issues.

We often encounter resistance from customers who are unwilling to invest in troubleshooting their client or firewall because a previous connection may have worked.

In our experience, the change that caused the problem is usually on the customer's side, and we would appreciate it if you could go through and verify all of the following things before asking us for further assistance.

Check for Firewall Issues

During the majority of support calls pertaining to SFTP, the primary underlying factor is typically associated with the corporate or network firewall of the customer or customer counterparty.

SFTP is a frequently restricted protocol by firewalls. In many cases, modifications to firewalls can inadvertently introduce new complications that were previously non-existent.

Have you manually whitelisted any IP addresses anywhere?

If so, you need to all of the appropriate IPs are whitelisted, not just some of them.

See if you need to ask for an IP whitelist.

If you have not whitelisted IP addresses, maybe your firewall administrator requires an explicit whitelist for SFTP traffic. Please submit a request to your network or firewall administrator to allow SFTP port 22 traffic to all of the IP addresses used by your server.

Connection Settings in Your SFTP App

The following connection settings are the most common issues related to SFTP. Please double-check all of the following.

Hostname

Connect with SFTP to the fully qualified domain name of your appliance. Do not include https:// at the start of the address. If your client requires an IP address for the connection, connect using the external IP address configured in the appliance manager.

Port

By default, you should be using port 22. The default SSH/SFTP port of 22 is blocked or interfered with by many corporate firewalls.

Timeout

If supported in your app, please increase the connection timeout value to 60 seconds.

Retry Logic

If supported in your app, have your app attempt three connection retries at 10-second intervals. This will allow failed connections contacting one server to retry the connection via a different server.

Keepalives

ExaVault will time out SFTP sessions that have been idle for 120 seconds. This is to prevent unused sessions from being left open and using server resources. Such idle timeouts are normal, and most SFTP apps handle them without issue, but there are some apps that may not handle these timeouts gracefully. To prevent these idle timeouts, many apps offer a "keepalive" setting. Many SFTP apps will complete transfers in progress and then will connect again upon the user issuing another command. If your app aborts a transfer or errors out due to the idle timeout message, you can implement keepalives (either null packets or dummy commands) every 100 seconds to maintain the SFTP connection and avoid the timeout messages.

Ciphers

Please check the documentation for your SFTP app to find out how to configure ciphers for your connection.

Configuration on ExaVault That May be Relevant

If you have confirmed all of the above, here are some remaining things that have caused SFTP issues for some of our customers.

Verify that the username is enabled, and that the username and password are correct. Click the Users icon in the left menu, users will have a green check if enabled and a red X if disabled. To enable a user, select the user that is disabled and click Enable/Disable.

Authentication or Invalid Username/Password Failure Messages

The SFTP protocol has a "gotcha" that often confuses SFTP users when trying to troubleshoot authentication issues. The protocol uses integers internally to communicate authentication failure codes and does not even allow services (such as ExaVault) to send detailed error messages that relate to authentication.

This is in contrast to nearly every other protocol, such as our API, FTP, web, etc., which all provide detailed messages that explain login failures.

Many SFTP client software will simply plug in a "default" message about authentication failure or invalid username/password when they experience any sort of authentication failure. We recommend using your ExaVault site's activity logs to determine the real reason for the failure.

PreviousCommand Line SFTP Examples NextFTP and FTPS

Last updated 29 days ago