SFTP Troubleshooting
Use the commands and techniques on this page to diagnose SFTP connectivity issues.
Finding the IP addresses
Most firewall and allowlist issues come down to two IP addresses: the server's IP and the connecting machine's IP.
Server IP (managed server): Open the server in the Console. On the Overview tab, the Host field shows the server's IP or hostname. For a managed server, the EC2 details also show the Public IP. This is the address you connect to.
Your connecting IP (to allowlist on a managed server): On the server's Security tab, the Inbound Security Rules form shows your current IP ("Your current IP is <your-ip>/32"). Use that value when adding a rule. See Managed Server.
eCourtDate's connecting IP (external servers only): This applies only when you use your own server and eCourtDate connects out to it. eCourtDate connects from a fixed set of IPs, shown in the Console under Whitelist IP Addresses on the server's Overview tab. Allowlist the values shown in your Console on your server's firewall. If you use a managed server, you do not need these: you only add your own IP under Inbound Security Rules.
Fallback only: If you need the public IP of a different machine that the Console cannot show you (for example, a separate case management server), you can look it up from that machine:
curl https://checkip.amazonaws.com
On Windows PowerShell:
(Invoke-WebRequest -Uri "https://checkip.amazonaws.com").Content
Checking a managed server's status
For a managed server, confirm the server is running before digging into client or network issues. Open the server in the Console and review the Instance Details section. It shows the instance state (for example, running or stopped) along with the instance ID and network information such as the Public IP. If the state is not running, the server cannot accept connections; open a support ticket so eCourtDate can start it.
You can also click Test Connection on the server page to verify that the Console can reach the server. A successful test shows the host and a response time. A failure shows Unable to connect, which points to the server, its firewall rules, or the network rather than your local client. After a successful test, if you still cannot connect from your own machine, the issue is more likely your client, credentials, or that your IP is not allowlisted. See Managed Server.
Port Connectivity Testing
Test whether the SFTP port is reachable from your machine.
Linux / macOS:
nc -zv {server_ip} 22
Windows PowerShell:
Test-NetConnection -ComputerName {server_ip} -Port 22
All platforms:
ping {server_ip}
Interpreting Results
| Result | Meaning |
|---|---|
| Port is open / connection succeeded | The SFTP service is reachable. The issue is likely authentication-related. See Authentication errors and SFTP Errors. |
| Connection refused | Most likely the connecting IP is not allowlisted on the server firewall. See Finding the IP addresses and add your IP under Inbound Security Rules on the server's Security tab. |
| Timed out | Most likely the connecting IP is not allowlisted on the server firewall, or a network-level firewall is blocking the connection. See Finding the IP addresses and add your IP under Inbound Security Rules on the server's Security tab. |
Authentication Errors
"Permission denied" / "Authentication failed" / "Server refused our key"
The server rejected your login credentials.
Ensure you are using the correct username. For a managed server, connect as ubuntu (shown on the server's Overview tab in the Console). For an external server, use the username configured on that server.
If you are using an SSH private key:
- Ensure the password field is blank in your SFTP client when the server expects key-based authentication.
- Ensure the key passphrase is blank or disabled unless the server requires one.
- Restrict the private key to user read-only permissions. On Linux and macOS, run
chmod 400 path/to/key.pem. On Windows, see Windows Private Key Security.
See Authentication for key format and client setup, and SFTP Errors for other connection errors.
Debug Logging
Enable verbose logging in your SFTP client to capture detailed connection information for troubleshooting.
OpenSSH (Linux / macOS)
Standard verbosity:
ssh -i "path/to/key.pem" user@hostname -v
Maximum verbosity:
ssh -i "path/to/key.pem" user@hostname -vvv
WinSCP
Launch WinSCP with logging enabled:
WinSCP.exe /log="path/to/logfile.log" /loglevel=5
Or enable logging from within the application: Options > Logging > set log level to Debug.
PuTTY
Use the plink command-line tool with verbose output:
plink -i "path/to/key.ppk" user@hostname -v
GUI Clients
Most GUI SFTP clients provide a logging or debug option in their settings:
| Client | Path to Logging |
|---|---|
| WinSCP | Options > Logging |
| Transmit | Options > Logging |
| FileZilla | Edit > Settings > Logging |
| Cyberduck | Preferences > Connection > Log |
| FTPRush | Options > Logging |
Set the log level to Debug for the most detailed output.
Windows Private Key Security
On Windows, the private key file must be restricted so that only your user account can read it. Run the following commands in PowerShell or Command Prompt:
icacls "%USERPROFILE%\.ssh\key.ppk" /inheritance:r
icacls "%USERPROFILE%\.ssh\key.ppk" /grant:r "%username%:(R)"
The first command removes inherited permissions. The second grants read-only access to your user account. Replace key.ppk with the actual filename of your private key.
Getting Help
If you cannot resolve the issue, open a support ticket: sign in to the eCourtDate app (staging or production) under your Default Agency and click the tickets button in the bottom-right corner.
Include the following so support can trace the issue:
- Server: the server name and its Host (shown on the server's Overview tab in the Console).
- Connecting IP addresses: the public IP of the machine or service connecting to the server.
- Error messages: the full text of any error messages you are seeing.
- SFTP client used: the name and version of the SFTP client (e.g., OpenSSH 9.0, WinSCP 6.1, PuTTY 0.79).
- Debug logs: the relevant debug log output.
- The approximate time of the failed connection (an exact UTC timestamp is not required).
Check status.ecourtdate.com for platform incidents and scheduled maintenance.
Never share passwords, SSH private keys, or private key contents in support tickets or logs. Remove or redact them before attaching logs.