Please not RADES.

Narlin

We have an office VPN and in the office are several online Micrologix PLCs. When I connect from home to the VPN, I can’t get RSLinx to start up. It just sits there saying “checking Activation” and never starts. If I start RSLinx before connecting to the VPN, it starts instantly, but then after connecting to the VPN it only looks at my client computer and thus doesn’t see the office PLCs.

I called Allen Bradley (I am a support customer) and they told me this was “hard” and said I should Google 9300 RADES. Well, I did and RADES appears to be both old and even more difficult.

Any advice on how to solve this problem?

narlin
 
I think I tried that, but I will try again. I'm not positive that I had an internet connection through the VPN when it failed. Sometimes the VPN connects "internet access" and sometimes it connects "no internet access".
 
You're really looking at at least two separate problems.

First, let's talk briefly about the Activation problem.

Did you create the *.LIC file using the hardware ID from a network interface, or from the hard drive? I always use the hard drive Volume ID because network interfaces frequently get disabled and become invisible to the parts of the OS that FT Activation uses.

FactoryTalk Activation is also tricky because it uses TCP Port 27000, even if it's trying to talk to a FT Activation Server that's on the local machine. If your VPN is interfering with that, that might be why you can't activate once it's connected.

Next, let's talk about IP addresses.

I've found VPNs work poorly when the IP addresses on the Remote side are in the same range as the ones on the Local side.

If your home network is 192.168.1.x and your office network is also 192.168.1.x, the VPN won't know where to tunnel things to. If the office is 10.10.4.x and home is 192.168.1.x, it will.

My first steps of PLC connectivity are always:

1. Try PING.
2. Try HTTP. Most RA devices have an embedded web page.
3. Try TCPING. Great command-line utility from Eli Fulkerson. EtherNet/IP uses TCP Port 44818.
4. Try RSLinx. Experiment with the Ethernet Devices driver (try the ":EIP" suffix). The EtherNet/IP driver usually can't browse through a VPN because it uses a broadcast packet.
5. Get out Wireshark and start really wrenching on things.
 
“Did you create the *.LIC file using the hardware ID from a network interface, or from the hard drive? I always use the hard drive Volume ID because network interfaces frequently get disabled and become invisible to the parts of the OS that FT Activation uses.”

My license file is on a dongle. It wasn’t plugged in at the time, but was good based on the 7-day re-activation policy.

1. Ping who? I was at home. I pinged the office network successfully.
2. I did establish communication with one of the 1400s over Firefox. I happened to know its internal NAT address. So once connected by VPN I typed it into the browser and used the embedded web page successfully.
3. ??? I’ll google it.
4. Please be a little more specific – (this one may be hard to google). (try the ":EIP" suffix).
Do you mean to try something other than Ethernet/IP as in some other driver? That is what I read.
5. I’ve used Wireshark before. I may need to brush up a bit. Do you realize the last time I was in school a slide rule was required to perform calculations?

I’m not planning to give up. I set up the office VPN, and have every intention of getting this to work.
 
Being able to see the MicroLogix 1400 embedded webpage is great news; that means the basic IP connectivity is OK to the controllers.

TCPing is here: http://www.elifulkerson.com/projects/tcping.php

It's a command-line utility; you open up a CMD window, navigate to the directory that TCPing is in, then type something like "TCPING 192.168.1.10 44818".

What this does is prove that the firewall/VPN/network is allowing your computer to make a TCP Connection on TCP Port 44818. That's the TCP Port used by the Rockwell EtherNet/IP protocol.

There are two main drivers for Ethernet in RSLinx Classic: the "Ethernet Devices" driver and the "EtherNet/IP" driver.

The Ethernet Devices driver requires you to enter the IP addresses or Host Names of each of the PLC interfaces.

If you add :EIP to the end of the IP address, like "192.168.1.10:EIP" in the Ethernet Devices configuration, RSLinx will skip the step it usually takes in determining if the device is an old PLC-5E or SLC-5/05 and go right to treating it like a modern MicroLogix/ControlLogix Ethernet port.

This is important because the method RSLinx uses to tell the difference looks like a port probe to some firewall software, and the replies get blocked.

The EtherNet/IP driver uses a broadcast packet to browse the network. I have never seen this work correctly over a VPN, so I don't use it. Similarly, I have to set up the network schema for RSLinx Enterprise manually or previous to connecting with the VPN, because it uses a similar broadcast mechanism for browsing.
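
Added example (not part of the original posts): a Python sketch of the two checks discussed above, the overlapping-address test and a TCPING-style connect test on TCP Port 44818. The function names are made up for illustration, the ranges are the ones quoted in the thread, and 10.10.4.20 is a constructed PLC address.

```python
import errno
import ipaddress
import socket

ENIP_TCP_PORT = 44818  # EtherNet/IP TCP port named in the thread
NO_ROUTE = (errno.ENETUNREACH, errno.EHOSTUNREACH)


def subnets_conflict(home_cidr, office_cidr):
    """True when the ranges overlap, so the tunnel cannot route between them."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    office = ipaddress.ip_network(office_cidr, strict=False)
    return home.overlaps(office)


def tcp_probe(host, port=ENIP_TCP_PORT, timeout=3.0):
    """Attempt one TCP connection and classify the outcome.
    open        - handshake completed end to end
    refused     - a reset came back: the target or a firewall rejected it
    filtered    - no reply in time: traffic is dropped or the host is down
    unreachable - the client has no route to that address"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "unreachable" if exc.errno in NO_ROUTE else "error"
    finally:
        sock.close()


def preflight(home_cidr, office_cidr, plc_ip, port=ENIP_TCP_PORT, timeout=3.0):
    """Run the address check first; only probe when routing can work."""
    if subnets_conflict(home_cidr, office_cidr):
        return "address-conflict"
    office = ipaddress.ip_network(office_cidr, strict=False)
    if ipaddress.ip_address(plc_ip) not in office:
        return "plc-outside-office-range"
    return tcp_probe(plc_ip, port, timeout)


if __name__ == "__main__":
    print(preflight("192.168.1.0/24", "192.168.1.0/24", "192.168.1.10"))
    print(preflight("192.168.1.0/24", "10.10.4.0/24", "10.10.4.20"))  # constructed PLC address
```

Run it once with the VPN connected and once from inside the office: "open" inside but "filtered" or "refused" from outside points at the VPN or a router rather than the PLC.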
 
TCPING is proving that the firewall is blocking access to 44818. I can go into the router settings and allow access, but to whom/what? Should it be directed to one of the Micrologix?

C:\Users\Admin>tcping 192.168.1.1 44818

Probing 192.168.1.1:44818/tcp – Socket is not connected (10057) time = 203.735ms

I’ll get to your Ethernet “:EIP” suggestion, but it sounds like I best solve the 44818 thing first.
 
By & by, there are routers on both ends of this communication. I assume that 44818 applies only to the office end where the PLCs are even though the RSLinx resides on my laptop at the home end.
 
This is where it gets tough. A VPN is supposed to open a "tunnel" from one network to the other, but frequently the VPN introduces another layer of filtering.

Is your home router an ordinary DSL/Cable Modem-Router combination device, or something more complex?

Is the VPN a Microsoft client-to-Server sort of VPN, or is there a VPN appliance at the corporate end?

VPNs are often opened only for certain types of traffic; HTTP, FTP, file transfer and sharing, printing, etc.

You're going to have to figure out which router or part of the VPN is blocking Port 44818.

This might involve some troubleshooting with Wireshark to see if the TCP Port Open request is getting to the MicroLogix and the reply is being blocked, or if it's not even getting there.

I recommend against simply opening TCP Port 44818 wide, or pointing it from the outside to a single address inside. This is frequently done, but is a serious security hazard.
 

“Is your home router an ordinary DSL/Cable Modem-Router combination device, or something more complex?”
OK. Let's slightly alter the situation to look like reality. The office router is a Fios (fiber optic) Actiontec, over which I have control. The home router is an AT&T WiFi connection at a coffee shop (no access to router) or sometimes something else. I have good access to 3 different routers (with complete access) but only 1 internet connection – the one at the office. Sooo – we don’t usually talk about the home router.

“Is the VPN a Microsoft client-to-Server sort of VPN, or is there a VPN appliance at the corporate end?”
The VPN is a “VPN Server” on a Win 7 Professional desktop computer. The laptop has the VPN Client. I often test the router connection using an iPhone as the VPN client. The VPN is a PPTP type, which means that both routers have to be running the GRE protocol. I found that my local library (another home site) doesn’t have the GRE so it fails.

“VPNs are often opened only for certain types of traffic; HTTP, FTP, file transfer and sharing, printing, etc.”
The router I tested for port 44818 is the one at the office.

“You're going to have to figure out which router or part of the VPN is blocking Port 44818.”
I would have to assume (but may be able to test with Wireshark) that the office router is blocking 44818. Indeed, I know it is.

“This might involve some troubleshooting with Wireshark to see if the TCP Port Open request is getting to the MicroLogix and the reply is being blocked, or if it's not even getting there.”

“I recommend against simply opening TCP Port 44818 wide, or pointing it from the outside to a single address inside. This is frequently done, but is a serious security hazard.”
I may open it briefly, long enough to show myself that opening it correctly will solve the problem. I would guess that it could be opened to the VPN Server without too much risk if it is closed again a short time later.

Finally, it is slow to debug this because I am never simultaneously at home and the office. I am working on that. It’s like multi-tasking in space.
 
Well, if you fail to make a connection and you need it badly, you can use a hardware solution instead.
Look up ***** routers. They can be used to program a PLC over ADSL/GPRS using a dedicated VPN connection. No fixed IP is needed.
 
