Communication problems between the OPC UA server on ewon flexy 201 and the OPC UA KepwareServer client when migrating from firmware 12.1s0 on ewon flexy to firmware 14.6s0

Hello

We are working on an application in which an Ewon Flexy 201 reads the process variables of an M251 PLC through its LAN port. The variables are read with the Modbus I/O server and are displayed correctly in the Ewon.

The variables are published to the SCADA (KepwareServer) with the OPC UA protocol: the OPC UA server is declared in the Ewon Flexy 201, and the SCADA is the OPC UA client.

The same user is declared in the OPC UA server and in the OPC UA client. The firmware used in the Ewon Flexy 201 is version 12.1s0.

We test the open communication ports in the network from the Scada PC, verifying that the WAN address port is open.

The variables are visualized without problems in the SCADA.

The customer has not asked to update the Ewon flexy 201 firmware to version 14.6s0. With a new unconfigured Ewon Flexy we have updated to firmware version 14.6s0, performing the same configuration as Ewon Flexy with version 12.1s0.

But the results have not been correct: when trying to export the variables in KepwareServer it gives us an error, and when running the port test it is verified that the port is not open, despite having the same configuration.

There are problems when migrating to firmware 14.6s0, because we are working with ewon flexy 201 and with the same configurations.

By default the Flexy with firmware 13.0 and above will not respond to connections on the WAN port. Please make sure to allow this traffic by changing ‘WANitfProt’ to 2 in the comcfg.txt settings (System > Setup > Storage > Edit COM cfg).

Hello

The changes that were suggested to us for the WAN port have been made, as shown below.

We verify the configuration of the OPC UA server in Ewon flexy 201

The Ewon Flexy 201 is reset. The first thing we do is ping the WAN port, verifying that it responds.

We carry out a test on the open communication ports in the network from the SCADA PC, verifying that the WAN address port is not open, as shown in the following figure. The port remains closed, although the indicated parameter has been modified.


This test is not accurate. When WANitfProt is set to 2 there are no blocked ports. You should be able to verify this from the pfsense command line using the command:

nc -v [ewon WAN IP address] 44818

FYI, your screenshots are too blurry for me to read. This is what they look like to me:

Can you send me better screenshots and a backup of the Ewon with the Support Files?

Also, please make sure you are following these instructions:

KB-0265-00 - Publish tags in OPC UA

AUG-0064-00 - OPC UA Server

Hello

The command nc -v [172.18.236.136] 4840 is executed, according to your instructions.


How can you check the failed connection.

However, we carry out tests with port 502, verifying that it is open.

The WAN address of the Ewon Flexy 201 is pinged and there is a response.

In the previous figure it can be verified that the port of the OPC UA server was changed to 48020 and the result was port failure.

We attach the configuration backups as you recommended.


Yes, something is definitely not right.

I’m thinking that either:

  1. The update may have caused something in OPC UA to break. I would recommend factory resetting the Ewon and then reconfiguring it.
  2. There is code in the cyclic section of the BASIC IDE. This is known to cause unpredictable behavior. The code should be moved to the Init section and a timer created to run it (see TSET and ONTIMER commands in BASIC manual).
  3. NATitf is set to 0 which disables NAT translation. This may be causing routing problems. Please set it to 3 for NAT on LAN (default), or if your LAN devices need WAN access, set it to 2 (must use Ewon as default gateway for LAN devices in this case).

FYI, the backup did not include the support files. Make sure to check the box “Include Support Files” so that I can see the device logs next time.

Hello

We attach the backup of the configuration, which includes the support files.

eWONincludesupport.tar (51 KB)
In this configuration, the recommendations given in point 1 and point 3 of your previous message were made.

After resetting and modifying the indicated parameters, the results continue to show that the port is closed.

We hope that when the configuration sent is analyzed, it can indicate other recommendations.

Can you make sure that you have the OPC UA Server enabled under System > Main > Net Services > OPCUA?

I just tried this with it disabled and then with it enabled and it shows the same behavior when it’s disabled, but connects when it’s enabled:


Hello

We have made a save without enabling the OPC UA server in the Ewon Flexy and are sending the save.

In the following figure it is verified that the error shown to us is first a timeout and then port rejected.

However, port 502 is open.

We attach below the save with the enabling of the OPC UA server in ewon flexy 201.

In the following figure we can see that the result with OPC UA server enabled is port rejected and port 502 for Modbus protocol enabled

Hello, can you try the second backup again? It looks like the file might not have been posted correctly into the system.

Hello, I am attaching the save with the OPC UA server enabled


You appear to be using a cellular modem and you are trying to connect to the WAN IP. Do you have a virtual network set up with your ISP?

If not, the reason that you can’t connect is because your ISP (the cellular company) is not providing you with a public IP address. 172.18.236.136 is a private IP address.

What I don’t understand is how you are able to ping 172.18.236.136 and how you are able to connect to port 502. Can you please fill us in on the rest of the story?

Hello

There is static routing with private IP addresses, at the country level, only public ISPs. For security issue.

In the screenshot you sent us, you can verify that port 4840 is open, using private IP 192.168.x.x

We discussed the analysis that you propose at the time, but it stopped being a problem because in the Ewon Flexy 201, as we have indicated in our exchanges, port 4840 is open in the equipment with the 12s0 firmware.

Now the question arises if we correctly performed the firmware upgrade, when we did, we accessed the site, but perhaps not everyone was there.

Even the figures with the pings made from the pfsense we send it to you so that you can see that the network configuration allows us to do the ping.

Even always with port 502 open.

I have an Ewon Flexy here. If I make sure that WANitfProt is set to 2 (reboot) and OPC UA is enabled, I can connect to port 4840 on the WAN:


If you cannot connect to port 4840 with the same settings, there is an issue with the port being blocked by a router or switch or at the ISP level.

Hello

We have made the recommendations provided, as can be verified in the saves sent.

Just remember that with firmware version 12.1s0, we have no problems opening the port on this same network platform and implemented security; our problem appears when migrating to firmware version 14.6s0. However, we will review our permissions with port 4080 in the platform implemented.

We will also carry out the entire configuration process with an Ewon Flexy 203 that we have in stock and we will send you the results.

OK. You can try the same test that I did above to confirm that the Ewon is not closing the port. Just temporarily set it up with an Ethernet WAN and connect a laptop directly to that WAN and open the port 4840. This will prove that when OPC UA is configured, port 4840 is open.
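
The thread turns on telling a timeout apart from a rejected port, with port 502 as the port that does answer. The following is an added example, not part of the thread or of any Ewon tooling, that classifies each TCP connect attempt and compares the OPC UA port (4840) against the Modbus port (502); the function names are hypothetical and the device address is passed on the command line.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for one TCP connect."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"       # a reset came back: no listener, or an active reject
    except (socket.timeout, TimeoutError):
        return "timeout"       # no reply at all: packets are being dropped
    except OSError:
        return "unreachable"   # no route, or an ICMP unreachable was returned
    finally:
        sock.close()

def diagnose(results, target=4840, control=502):
    """Interpret the target port (OPC UA) against a control port (Modbus TCP)."""
    t, c = results[target], results[control]
    if t == "open":
        return "target port reachable: look at the OPC UA client settings instead"
    if c != "open":
        return "control port fails too: routing or addressing, not port specific"
    if t == "timeout":
        return "host reachable but target silently dropped: a filter on the path or device"
    return "host reachable but target actively rejected: no listener, or a reject rule"

def check(host, ports=(4840, 502), timeout=3.0):
    """Probe the target and control ports and return (results, verdict)."""
    results = {p: probe(host, p, timeout) for p in ports}
    return results, diagnose(results, ports[0], ports[1])

if __name__ == "__main__":
    # Usage: python probe.py <ewon-wan-ip>
    res, verdict = check(sys.argv[1])
    for port, state in res.items():
        print(f"{port}: {state}")
    print(verdict)
```

Running it once from the SCADA PC and once from a laptop connected directly to the Ewon's WAN port, as suggested in the last reply, shows whether the result changes with the network path.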