Troubleshooting Outbound SFTP

Outbound SFTP connections may be interrupted by a variety of issues. Some can be remedied by changing configuration settings in your Files.com site. Others must be addressed in the configuration of the remote SFTP system or its firewall.

Verify that you are using the correct SFTP configuration setting to connect to the remote SFTP server. Check that the hostname, authentication information, and port are correct.

Ensure that the outbound server supports SFTP or is a SFTP server. The default SFTP port is 22, but could be a different customized port. If the connection information that was provided to you states that ports 21 or 990 should be used to connect then this indicates that the remote server supports FTP(S) instead of SFTP.

SFTP servers typically support a limited number of simultaneous concurrent connections. Enterprise grade SFTP servers will have a higher number of allowed connections while other SFTP servers may only allow 1 or 2 concurrent connections. Refer to the SFTP server documentation, or contact the operator of the SFTP server, to determine if connection limits exist.

Lower the Maximum connections setting for the remote server to a value that is supported by the remote SFTP server.

Timeout issues can occur in various ways.

If there are intermittent network issues between Files.com and the remote server then SFTP commands, or their responses, may not occur within the time allowed by the SFTP protocol.

If the remote server is overloaded or runs out of resources, such as its CPU or memory hitting 100%, then SFTP commands will take much longer to execute.

If the remote SFTP server changes something, such as the authentication method or the SFTP port, then SFTP connections from Files.com can timeout due to trying to connect using outdated information.

SFTP commands may fail if they do not execute on, or receive a response from, the remote SFTP server within the allotted time.

Attempt to resolve any network issues and ensure that the remote SFTP server is capable of supporting the connection load being sent to it from Files.com.

Files.com is designed for Enterprise scalability. As a cloud-native solution, our platform provides elastic scalability with effectively no limits for file sizes or number of connections.

Remote SFTP servers may not offer the same scalability.

Generally speaking, modern remote Enterprise level SFTP solutions should be able to match our throughput and capacity. However, SFTP connectivity can also be implemented by systems that expect it to be used casually and are not designed to handle large amounts of SFTP usage.

Ensure that combined workloads from all Remote Syncs, Remote Mounts, or Automations to the remote server will be within its operational limits.

The SFTP protocol has been widely adopted since the late 1990s with improvements and updates that are still being applied today.

Backwards compatibility with older versions of SFTP may not always be possible depending on the security issues that are present in old versions of SFTP.

We provide options for you to allow connections to older insecure versions of SFTP.

Some SFTP servers allow customization or are implemented in a non-standard way. Connectivity to these kinds of non-standard SFTP servers may not be successful.

There may be firewalls, or other restrictions, on the remote server that require an IP address to be whitelisted.

Verify that connections from Files.com IP addresses are allowed by the remote SFTP server.

If you have a Custom Domain installed on your site, that means Files.com has provisioned two dedicated IP addresses for your site and it will use them by default for outbound connections to the remote server. Provide these 2 IP addresses to your counterparties and ask them to whitelist them in any applicable firewall.

If you do not have a Custom Domain installed on your site, you do not have Dedicated IP Addresses provisioned for your site and Files.com will use its entire pool of IP addresses for connecting outbound to the remote server. If your counterparties maintain an IP Address whitelist, you will need to have them whitelist all of the IPs on this list.

Customers often ask for Dedicated IP addresses as a way to avoid having to ask their counterparty to whitelist a huge list of IP addresses.

We are able to offer that for Remote Server connection purposes via somewhat of a backdoor method, which is adding a Custom Domain to your site. Having a custom domain provides a justification for the dedicated IP address.

Files.com automatically provisions a pair of dedicated IP addresses for every site that has a custom domain enabled. We do that because FTP, unlike HTTP, requires that every custom domain be hosted on a dedicated IP address in order to have a custom SSL Certificate that matches the domain.

This means that if you have users who restrict outbound access via a firewall, they will only need to whitelist your two dedicated IP addresses. rather than having to whitelist our entire published list of IP addresses (see above).

Dedicated IPs, once provisioned, are used for both inbound connections to your site via your custom domain, as well as outbound connections from Files.com to certain applicable Remote Servers that are used for Remote Server Sync and Remote Server Mount.

By default, Files.com will use your dedicated IP addresses for outbound connections to FTP, SFTP, WebDAV, and S3 Compatible remote servers. However, you can disable the use of your dedicated IP in these circumstances if you need to. (You might do that if your counterparty has already whitelisted the main Files.com IP range, for example.)

Connections made to a remote SFTP server will use the algorithm cipher that is agreed upon by both Files.com and the remote system. Files.com will present a list of algorithm ciphers, starting with the strongest and ending with the weakest, to the remote SFTP server but it is the remote server that decides exactly which algorithms are used for Key Exchange, Server Host Key, Encryption, and MAC. Contact the administrator of the remote SFTP server to determine which SSH algorithm ciphers are supported by that system.