Learn how to correctly identify and troubleshoot the most common errors that occur during Walmart AS2 connectivity and EDI document exchanges.
To become a Walmart supplier, you must be EDI-capable and employ a reliable AS2 connection for the internet EDI transactions. This process can be challenging, especially if you are working with Walmart for the first time. Therefore, it will be beneficial to recognize common errors by symptoms such as AS2 transmission errors, negative MDN receipts, and EDI document-level errors, so that it becomes easier to troubleshoot them easily.
When initiating a message from the Walmart RetailLink end or sending a message to Walmart from your AS2 provider, if the receiving system cannot identify which partner is sending the message (AS2-From) or does not have an identity matching the intended recipient (AS2-To), it would reject the message.
The receiving system will return a HTTP error code 422 (Unprocessable Entry) to the sender.
When initiating a test message from the Walmart end, the usual error will look something like this.
The connectivity test has error 422 which is Unprocessable Entity Error. Please contact your EDI and have them correct in their system. Attaching the log as well.
Connectivity Test Report
x
Status:
Current UTC:
2024-08-19T14:05:13Z
2024-08-19T17:44:44Z Detail: "Connecting to http://service.mftgateway.com:80..." connectionId="BkERXacpTr6UJMAyjHX-9g"
-------
-------
2024-08-19T17:44:44Z Detail: "Sending signed and encrypted [TripleDES] message with RSA key algorithm to {as2 identifier}..." level=1 connectionId="BkERXjcpTr6UJMAyjHX-9g" 2024-08-19T17:44:44Z Detail: "Waiting for response..." level=1 connectionId="BkERXacpTr6UJMAyjHX-9g"
2024-08-19T17:44:44Z Response: "422"
2024-08-19T17:44:44Z Result: "Error" "422"
Solution: Compare the AS2 identifiers on both Walmart RetailLink and your AS2 provider configurations, and fix any mismatches, register missing identifiers, etc.
Certificate misconfigurations can result in decryption failures, signature verification failures, etc. Misconfigurations can occur due to incorrect certificate configuration or if the partner’s certificate has been renewed or rotated after the expiration of the old certificate.
Usually in this scenario the following errors could occur.
Recipient’s system could send a negative MDN indicating a decryption failure.
During sending, the message is encrypted using the recipient’s public key (the certificate configured as the vendor certificate) as available to Walmart, so that only the recipient can decrypt the message using the corresponding private key. If an incorrect certificate is configured, Walmart will use that incorrect certificate to encrypt the message, and the recipient will be unable to decrypt it.
For example, if you are using MFT Gateway as the receiving system, the negative MDN will look like the one below.
MDN for Message-ID: <1467720327932609>
From: 08925485US00
To: MFTG-STATION
Received on: Sun Aug 25 18:00:40 UTC 2024
Errors encountered :
error: Decryption failure : Expected AS2 message for recipient with certificate serial number : 1724228925172 (191740d76f4) issued by : CN=MFTG_STATION,OU=AT,O=AU,L=ML,ST=WP,C=US which is the local identity. However, the received message was intended for : Serial number : 1710154259743 issued by CN=MOCK_CERT,OU=AT,O=AU,L=ML,ST=WP,C=US
Walmart reports a signature verification failure for the received negative MDN.
The recipient’ system can optionally sign the returned MDN using their private key, allowing Walmart to verify its authenticity using the configured vendor certificate (recipient’s public key). If this verification fails, Walmart cannot guarantee that the MDN is authentic or that it originated from the recipient. In this case, Walmart reports a signature verification failure for the received negative MDN.
2024/08/20 10:45:03 Run: type="API"
2024/08/20 10:45:03 Detail: "Using proxy http://10.10.197.60:8080..." level=1 threadId="kJruuii-iQY6LBdFGOworAw"
2024/08/20 10:45:03 Result: "Success" "Return status=0"
2024/08/20 10:45:03 Detail: "Connecting to http://service.mftgateway.com:80..." threadId="kJruuii-iQY6LBdFGOworAw"
-----------
-----------
2024/08/20 10:45:04 Detail: "Sending signed and encrypted [TripleDES] message with RSA key algorithm to {as2 identifier}..." level=1 threadid="kJruuii-iQY6LBdFGOworAw"
2024/08/20 10:45:04 Detail: "Waiting for response..." level=1 threadid="kJruuii-iQY6LBdFGOworAw"
2024/08/20 10:45:04 Response: "200 OK"
2024/08/20 10:45:04 Exception: "javax.mail.MessagingException: MDN signature verification error - Certificate chain in signed MDN is not trusted! Issuer: C=US,ST=None, L=None, O=Mock, OU=Prod,CN=MFT AS2 EDI; Serial#: 290741BD889 at com.cleo.lexicom.beans.as2bean.MDNParse.extractElements (MDNParse.java:371) at com.cleo.lexicom.beans.as2bean.MDNParse.
------------
-----------
2024/08/20 10:45:04 Result: "Exception" "javax.mail.MessagingException: MDN signature verification error - Certificate chain in signed MDN is not trusted! Issuer: C=US,ST=None, L=None, O-Mock, OU=Prod,CN=MFT AS2 EDI; Serial#:290741BD889"
2024/08/20 10:45:04 End
Walmart will send a negative MDN indicating a signature verification failure.
The recipient’s AS2 system will sign the message using the recipient’s private key, allowing Walmart to verify it using the configured recipient’s public key (vendor certificate). If an incorrect vendor certificate is configured on Walmart’s end, the signature verification will fail, resulting in Walmart sending a negative MDN with an error similar to the one given below.
signature certificate <sender's actual certificate> does not match verification certificate <certificate expected by recipient>
Solution: Verify that your AS2 certificate is correctly configured as the vendor certificate in the Walmart RetailLink end. The combination ({Issuer’s distinguished name (DN)}, {certificate’s serial number}) must match on both ends, but usually checking the serial number is sufficient.
Walmart will send a negative MDN indicating a decryption failure.
In this scenario, the recipient’s system will encrypt the message using the configured certificate for the Walmart partner. Since this differs from the Walmart certificate, they will be unable to decrypt the message, resulting in Walmart sending a negative MDN with an error similar to the one below.
Expected ... recipient with certificate serial number NNN issued by CN=ReceiverCN,...
However, the received message was intended for Serial number XYZ issued by CN=SomeOtherCN,..
Recipient’s system reports a signature verification failure for the received negative MDN.
The received MDN will be signed using Walmart’s private key. Since an incorrect certificate is configured for the Walmart partner on your side, the system will fail to verify the received MDN’s authenticity.
For example, in MFT Gateway, the MDN status of the sent message will be shown as ‘MDN Signature Verification Failed’.
Recipient’s AS2 system will send a negative MDN indicating a signature verification failure.
In this scenario, Walmart will sign the message using their private key, and the recipient will verify it using the certificate configured for the Walmart partner on their end (Walmart’s public key). If an incorrect certificate is configured, the signature verification will fail, resulting in the recipient’s system sending a negative MDN indicating that the signature certificates do not match.
If you are using MFT Gateway as your AS2 system, the negative MDN will look like this.
MDN for Message-ID: <CLEO-20240731_17434778989-00Q28H@08925485US00_Retail-F>
From: 08925485US000
To: MFTG-STATION
Received on: Sun Aug 25 19:57:27 UTC 2024
Errors encountered :
error: Signature certificate C=US,ST=None,L=None,O=None,OU=None,CN=Walmart doesn't match fingerprint of locally assigned signature verification certificate C=US,ST=None,L=None,O=None,OU=None,CN=MFTG-MOCK
Solution: Verify that the Walmart certificate from the Walmart Retail Link matches the assigned Walmart partner encryption certificate on your end.
Also you should be aware of Walmart’s certificate expiry notices, which they will send when their certificate is about to expire. If your certificate is expiring, you need to update it on Walmart’s side. It’s important to stay aware of this to avoid any errors due to certificate misconfigurations.
Error: Walmart will give an error similar to the one below when trying to upload it as the vendor certificate on Walmart’s end.
Upload certificate expiry date can not exceed 5 years from today.
Solution: Make sure you generate a certificate with a validity of around 5 years when creating a certificate for Walmart.
If you configure an HTTPS URL, Walmart will also select an HTTPS URL on their end. However, using an HTTPS URL is not required, as the AS2 protocol automatically encrypts and digitally signs all message payloads. Using HTTPS may cause errors on Walmart/RetailLink’s side when they try to transmit files to your AS2 system.
iaik.security.ssl.SSLException: Record version mismatch: 00
Note that this is a known limitation on Walmart systems when connecting with most of the AS2 systems.
Error: Walmart will provide an error similar to this.
The Walmart AS2 system is reporting an error while attempting to deliver one or more documents to your mailbox.
Mailbox ID: -
Company: -
AS2 Names: MFTG / 08925485US00
Mailbox Group Name: -
Error Description: Error - 400 Connection Failed (SocketException: Network is unreachable (connect failed)) Transfer failed: Connection failure!
Solution: This is most likely a temporary network issue on either end. It’s better to check with both parties to ensure that the network functionality is working correctly, and confirm if the issue persists.
Sometimes, even though the file is successfully received from Walmart, you might get an error like this in the MDN.
Result: "Error" "Sent and Received Message Integrity Check codes do not match"
MDN:
{
"message" : "Unable to retrieve receipt for transfer '604c9c69-9ceb-4fe8-b2b2-e0d696b46972'."
}
In this scenario, it’s better to recheck the configurations on both sides. If they are correct, check with Walmart and your AS2 provider to see if there are any issues on their end.
There could be more errors due to the AS2 connection operating over the unreliable HTTP protocol, so any error faced by the underlying network could affect the transmission of the message and MDN. The issue could be on either your side or Walmart’s side. In the case of this kind of error, you should first recheck if the AS2 URLs are configured correctly on both sides. If everything is correct, you will need to check with your AS2 provider or with Walmart.
You can also go through this common article, which describes possible AS2 connectivity errors and provides the necessary information to troubleshoot any transmission or network errors.
Even after establishing correct AS2 connectivity with Walmart, you may still encounter some EDI document-level or EDI misconfiguration errors. Let’s take a look at the most common types of these errors.
If you have not configured the relevant EDI specification for the incoming EDI message, your EDI system will throw an error indicating this. For example, if you are using the EDI Generator, the error will look like this:
Unknown document type: PO for partner: pub-Walmart
Solution: Verify that you have configured (added) the relevant EDI document type (EDI definition) for the Walmart partner.
If you have configured any one of Walmart’s ISA ID qualifier, ISA identifier, or GS code incorrectly on your end, the error will look something like this:
Unable to locate partner with AS2 ID: 08925485US00 and ISA: 08/925485US00 GS: 925485US00
Solution: Verify that Walmart’s ISA identifier and GS code are configured correctly on your end.
EDI X12 information usually includes segment separators, element separators, and so on. If these are not configured correctly according to Walmart’s requirements, you will receive errors for incoming EDIs. The error message will vary depending on the misconfigured value. Below are some error messages based on the misconfigured values.
Misconfigured element separator:
Parsing failed (0 OK, 1 error):SyntaxError: Failed to match <end-of-rules> at segment #1; found BEG*00*SA*1251251251**20110701
Misconfigured segment separator:
Failed to match Rule {mandatory 1:IEA - M/1} at segment #2; found S00 *240826*0659*;*00501*100100004*0*P*>
If you are using EDI Generator, you can easily avoid the errors mentioned above that might occur due to incorrect Walmart partner configuration by using the pre-configured Walmart partner setup in your EDI Generator. This setup includes all the correct configurations and EDI document types. You just need to import the partner and start processing the EDIs. If the partner version is updated, you can easily update it with one single click. This avoids the need to manually configure a partner for Walmart, minimizing or avoiding the errors discussed above.
When you process EDIs with Walmart, they will use the configured ISA/GS values on their end. If these are incorrectly configured, your EDI system will indicate an error. In EDI Generator, this error will be shown as follows:
Document does not match your organization's ISA/GS identifiers.
Solution: Verify that you have correctly configured the ISA ID qualifier, ISA identifier, and GS code on both the Walmart end and your end. Both configurations should match.
Thanura is a Senior Software Engineer at Aayu Technologies with nearly 1.5 years of experience mastering various products at Aayu. During this time, he has gained extensive knowledge of Aayu's diverse product line, particularly in B2B communications and cloud technologies. Away from the screen, he enjoys the thrill of watching cricket matches and cherishes moments spent with friends.
We are a US based company with Sri Lankan ingenuity majored in Cloud and Serverless technology based product engineering.
Our solutions power small businesses using our hosted SaaS solutions , to enterprises that run our software on-cloud and on-premise.
