Last Update: 30.05.2023

Diagram

The following diagram serves as a guide. AS2 errors can be better limited/classified with it. Please start at the top and work your way down depending on the intermediate result.

images/download/attachments/137301981/AS2_EN-version-1-modificationdate-1740475446871-api-v2.png

Outgoing connections

O5 - Is the partner's AS2 endpoint reachable?

Two tests are required for this.

Network test
To do this, please perform a ping test/telnet from the Integration Server. If the connection attempt on IP and port outside the Integration Server is unsuccessful → Please continue with O10.
If necessary, please contact your infrastructure.
HTTP test
The second test is required if everything is okay network-wise. For this, the connection must be tested via HTTP. For a simple test you can also call the AS2 address of the partner via browser.
If an HTTP error code comes back, then please continue with O11.

O6 - Is a valid MDN returned?

What is an MDN?

An MDN (Message Disposition Notification) is an acknowledgement of receipt. This is sent to the sender during an AS2 exchange after the AS2 message has been received from the recipient.

This signals to the recipient that the file has been completely transmitted. The MDN informs the sender whether the transmission attempt was successful or whether an error occurred.

If the transmission was successful, the sender can use the MDN to confirm that the message was received on time. In the case of unsuccessful transmissions, i.e. if there is an error in the MDN, the error can often be used to infer the problem with the transmission.

An MDN can be sent synchronously and asynchronously. The difference is that the former waits until the contents have been processed and the latter sends the MDN immediately upon receipt of the AS2 message without waiting for the process.

A valid MDN has a unique structure. It is a multipart request. The individual parts are separated by boundaries e.g. ------=_Part_14_2121847739.1648642823595.

If the file is structured differently, such as an HTML page, then this is not a valid MDN and you should continue with O15.

Note: The MDNs can be found in the Comm-Log (Control Center → Logs → Comm-Log) and are stored in the system according to the retention period specified in configuration file ./etc/as2.xml.

Here is an example of a proper MDN.

Example - OK

null: HTTP/1.1 200 OK
AS2-From: fdsa
AS2-Version: 1.2
Set-Cookie: JSESSIONID=x691tc8tp8kp1qhwndeqjp3d3;Path=/partner
Message-Id: <MDN_1973241435.0.1648642822885@example.com>
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 838
AS2-To: asdf
EDIINT-Features: multiple-attachments
MIME-Version: 1.0
Date: Wed, 30 Mar 2022 14:20:23 +0200 (CEST)
Content-Type: multipart/report; Report-Type=disposition-notification;  boundary="----=_Part_14_2121847739.1648642823595"
 
------=_Part_14_2121847739.1648642823595
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
 
MDN for -
 Message-ID: <1973241435.0.1648642822885@example.com>
 From: asdf
 To: fdsa
 Subject: asdf
 Received on: Wed Mar 30 14:20:22 CEST 2022
Status: processed
Comment: This is not a guarantee that the message has
  been completely processed or understood by the receiving
  translator
 
------=_Part_14_2121847739.1648642823595
Content-Type: message/disposition-notification
Content-Transfer-Encoding: 7bit
 
Reporting-UA: Lobster AS2-Server (IS/5.9.12_40548)
Original-Recipient: rfc822; fdsa
Final-Recipient: rfc822; fdsa
Original-Message-ID: <1973241435.0.1648642822885@example.com>
Disposition: automatic-action/MDN-sent-automatically; processed
 
------=_Part_14_2121847739.1648642823595--

O7 - Does the MDN return an error?

In the 'Example - FAILED' below in line 11 or 24+25, the error can be seen (authentication-failed).

Example- FAILED

------=_Part_496_2093794820.1678111677590
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

MDN for -
 Message-ID: null
 From: null
 To: null
 Subject: null
 Received on: n.a.
Status: failed/failure: authentication-failed
Comment: This is not a guarantee that the message has
  been completely processed or understood by the receiving
  translator

------=_Part_496_2093794820.1678111677590
Content-Type: message/disposition-notification
Content-Transfer-Encoding: 7bit

Reporting-UA: Lobster AS2-Server
Original-Recipient: rfc822; null
Final-Recipient: rfc822; null
Original-Message-ID: null
Disposition: automatic-action/MDN-sent-automatically; failed/failure: authentication-failed
Failure: You're unknown to this system
------=_Part_496_2093794820.1678111677590--

MDNs can contain a variety of errors. In order to understand these better, the structure of an AS2 transmission must be looked at in more detail. See also IN7.

Error message	Direction	Reason/Possible error/Possible solution
failed/failure: authentication-failed (Failure: You're unknown to this system)	Both	The AS2 identifiers (IDs) do not match. Please check, or also your partner, whether the AS2 IDs are entered in the channel according to the AS2 data sheet. Attention: AS2 identifiers are case-sensitive. MDN signing or certificate for signature does not match. If the opposite side is outdated, it may be that this security must be switched off. This can be done with the checkmark 'Remove signature security setting'.
failed/failure:internal-error	Incoming	There is no profile for processing (incoming). Only for synchronous MDN: A problem occurred while processing the content.
MDN is negative with type processed/error: integrity-check-failed Error: Signature couldn't be verified	Both	Signature or signature algorithm does not match with partner's signature or partner has the wrong certificate in use.
check of signature failed: signature invalid or tempered message	Both	Signature does not match. Check certificates or encryption!
got failed disposition from partner: insufficient-message-security	Both	This means that the message is not encrypted, but the partner wants the message to be encrypted. Please check the Send encrypted checkbox in the channel and try again.
processed/error: decryption-failed (unable to get enveloped S/MIME-data)	Mostly outgoing	The message cannot be decrypted because the certificate or encryption algorithm does not match.

O10 - Is it a network error?

How can a network error be identified?

Network errors are errors where a connection to the remote side cannot be established.

In the log, you will find the line 'try to connect to server'. If there is an error message right behind it, it is a network error.

Connection timed out

try to connect to server
error while trying to connect
java.net.ConnectException: Connection timed out: connect
at java.base/java.net.PlainSocketImpl.connect0(Native Method)
at java.base/java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java:101)
at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:412) 

'Connection timed out: connect' means that the IP address is already unreachable from the other side.

The connection attempt is aborted after a certain time. An abort is usually caused by a network component, but not by the Integration Server.

Please check all firewalls involved here!

Connection refused

try to connect to server
error while trying to connect
Java.net.ConnectException: Connection refused: connect

'Connection refused: connect' means that the connection to the remote side could be reached via the IP, but the port could not.

This may be caused by the port in the channel not being correct, the port in the firewall not being open, or the port on the partner side not being open, for example, if the application on the other side is not running.

The following errors may indicate that the server on the remote side is overloaded.

Read Timeout/IOException/EOFException

Read Timeout
IOException 
EOFException

O11 - Is it an HTTP error?

An HTTP error can be identified if the error message contains an HTTP status code.

Here is a list of the most common HTTP errors related to AS2:

Code	Description	Reason/Possible error/Possible solution
401	unauthorized	Authentication required. In rare cases, a Basic Authentication is required for AS2. For this, you can specify the login in the address as follows: <user>:<pw>@<IP>/partner/AS2Retrieve
403	forbidden	The Integration Server has no permission to access the AS2 service on the remote side. Code 403 may also appear if the subject of the AS2 message does not match!
404	not found	The URL to the AS2 service is not correct, the destination cannot be found.

O15 - Please contact partner

Check channel settings, certificate, encryption/signature with the partner.

Incoming connections

IN5 - Are the messages visible in the request.log?

The request log can be found in the GUI under Control Center → Logs → Server-Logs → Http server or in file ./logs/request.log.

The timestamp tells you when the AS2 request was received. If there is no entry at the time, no AS2 request arrived at the Integration Server. Attention: UTC time is used in the request log!

Official AS2 messages can always be recognised by the POST method and the IP address of the partner. The correct AS2 URL path must be specified .../partner/AS2Retrieve

IN6 - Are the AS2 messages visible in the Comm Log?

The Comm-Log can be found in the GUI under Control Center → Logs → Comm-Log.

There you can see whether the messages are incoming or outgoing.

An AS2 message always consists of a transmission (data) and the MDN Confirmation/Rejection.

images/download/attachments/137301981/image-2023-5-24_10-42-27-version-1-modificationdate-1684917747710-api-v2.png

An example profile for automated notifications via Comm Log event is described below.

IN7 - What status is visible in the Comm Log?

Rejection → The MDN was sent to the partner, but with an error message. You can check the error details in the MDN. In the Comm Log, there should be a document available for download in the File column.

Confirmation → The MDN was sent to the partner and contains a successful transmission note.

See item IN6 (screenshot below).

IN15 - Please contact partner

If the messages do not arrive at your firewall, it could be that the partner sends the messages to the wrong address or his firewall blocks the messages. Often, test and productive systems are confused!

IN16 - Contact your infrastructure department

If the messages arrive at the firewall, but are not visible in file ./logs/request.log, it is usually due to firewall settings that do not forward the messages to the Integration Server.

IN17 - AS2 channel is not configured correctly or not created

Please first check, whether the channel has been created and is active. Then match the channel settings (ideally with the partner).

The most common causes of errors are swapped IDs or incorrect address/certificate/encryption algorithms.

IN18 - Check/Compare error messages

See item O7.

Miscellaneous

Logs

Logs can be very helpful for troubleshooting (and for our support team)! For this, you can also do a log extract via the GUI (Control Center → Logs → Server Logs).

./logs/request.log
Is a POST request from the remote station visible in the log?
Note: If the AS2 address was called via browser, it should be a GET.
./logs/as2/error.log & message.log
For AS2-specific errors.
./logs/services/error.log & message.log
For errors in the message protocol or if a DMZ server is in use.

When does a message appear under 'Unresolved' (only for AS2)?

A message appears under Unresolved if

no profile was found for processing,
a signature check was successful,
the message could be decrypted.

A message does not appear under Unresolved if

the signature verification was not successful,
the message could not be decrypted.

Error handling via Comm Log event

Attached is a default profile that can be used to read the Comm Log entries using the CommLog Input Agent. The query logic in phase 3 must still be supplemented here! Note : The profile only works with version > 4.5!

Profile-ComLogCheck.pak

Recommendation for certificates

We generally recommend using self-signed certificates for AS2 whenever possible, for the following reasons:

They are widespread and are also accepted by the 'big players', such as Amazon.
Since they are self-signed, you can easily set their validity to 10+ years, which saves you from having to change certificates every year.
If you accidentally export a private key (AS2 certificates are often exchanged via a third way), not much money is lost.

Others

Other errors could also have to do with the change to a new Lobster/Java version. Please check the java.security or the hub.xml regarding allowed ciphers!
The topic AS2 with DMZ server is not yet covered here. For AS2 problems in connection with a DMZ server, please contact the Lobster support!
No MDN is returned to the partner for incoming messages.
- The partner's address is not reachable.
  However, since the messages go through successfully in some cases, this would not be seen here.
- Your DNS resolution has intermittent problems.
  Please check with your infrastructure if there are problems with your DNS resolution at these timestamps. If so, the address could no longer be resolved and subsequently could not be reached.

Do you have any suggestions for features or ideas about this page, let us know by opening a ticket!