TIA Portal V14 - Accessible Nodes Through VPN

Rob...

Currently working on a project, with TIA Portal V14.

Been doing a bit of searching and not come up with much. I'm having an issue with not being able to view any accessible nodes, however I can get online with the CPU and upload/download. I know other nodes are there, I can ping them.

Accessible nodes does not show anything, even when I'm actually online with the processor.

I am connecting to the CPU through a VPN (eWON Cosy). Has anyone had similar issues or know a solution? I can only think that the VPN is blocking the MAC address scanning Portal uses to find devices.

Currently running Windows 7.
TIA Portal V14
S7-1511 CPU

Any advice is much appreciated.

Rob
 
I guess that accessible nodes scans for MAC addresses. And that is not possible with VPN.
One has to ask, why even use the accessible nodes function? If all devices and networks are set up, there is no need.
Even if it was possible to set up IPs via VPN, I would not dare to manipulate the network setup on a system that I am connected to via VPN.
 
This is the first Siemens project I've set up with a VPN connection. First thing after testing I could ping the CPU and HMI was to see if Portal could see them. It can't.

It can however go online with the CPU, download/upload.

It can't go online with the HMI or perform an upload, but can download. Smartserver is fairly useful for monitoring the HMI.

Because I couldn't see any of the items in the accessible nodes window, I didn't think to just go straight to going online.

I wouldn't look at ever re-configuring IP addresses over a VPN.
 
As Jesper says, accessible nodes uses MAC addresses, so it will only work while on the same network via switches. As soon as you do any sort of routing you will no longer be able to view accessible nodes.
 
VPNs are usually Layer 3 (IPsec has IP in the name, OpenVPN is also layer 3), whereas the DCP scan is Layer 2 (MAC address only, no IP). As others have said, you would need to be directly connected.

There are two solutions to your problem, the second is a bit more hypothetical than the first.

1) You could use an L2TP VPN. These are much less common, but it bridges the Layer 2 MAC address communication across the VPN. I think I saw a device from RuggedCom that could do it, but I think it's mostly used in ISP class networking.

https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol

2) It's possible that there is a VPN gateway out there that also acts as a DCP bridge of some sort. I've never seen one, but your complaint is common enough that surely someone will make one sooner or later. It's possible that the solution to becoming a useful DCP bridge means you end up needing L2TP anyway.
 
It's not a complaint as such, as I can do what I need to.

When using Rockwell, Linx can search for IP addresses, so I've never seen the issue. Maybe Siemens will develop a similar system. As you say, the price drop in equipment like this is making remote access a whole lot more appealing.
 
Yeah, the difference is the layer 2 vs Layer 3 protocols.

Siemens/Profinet designed pretty much everything around a Layer 2 implementation (not based on IP addresses/not routable). It's theoretically more secure, but not being routable means the usability has been suffering more and more lately as I see systems with fancier and fancier networking setups.
 
What do you base this on?
In my experience, once you set the IP address and router/gateway address you're good to go. Then we can go online wireless if we want to (that's router-router-router...)
 
Going online with a PLC is different than Profinet IO communications.
Online can work with IP, but for remote IO only IP is not enough. Profinet remote IO communications won't go through a managed switch with default settings. Online view still works if you know the correct IP for the PLC.
 
RSLinx can't auto search for/find devices across a VPN either...

If you use the Ethernet/IP devices driver while connected to the local subnet, it will find devices on that subnet.

If you use the Ethernet/IP devices driver while connected via a VPN or across a router, it will not find anything.

If you use the Ethernet/IP devices driver while connected to the local subnet, it will find the devices and add them to the driver's device list. If you subsequently use that Ethernet/IP devices driver via a VPN, it will still find the devices, because it's found them before, and has them added to the list of devices it's actively trying to establish a connection to. But if you then add a new device to the network and try to find it via a VPN connection using the Ethernet/IP devices driver, you won't find it. The broadcast method doesn't work over VPN.

If you use the Ethernet devices driver while connected to a local subnet, or connected via VPN, or across a router, you have to add devices into the configuration manually, but it will find whatever you tell it to find (as long as it's actually there to be found, of course).

Doesn't help you with your actual problem, but just to fill in the picture a little :)
 
Ah ok thanks, I get what you mean. But isn't that a setup issue?
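
Added example, not part of the thread or of any vendor tool: a frame classifier illustrating the two points made above, that the DCP node scan is a bare Layer 2 frame and that a broadcast browse never leaves the sender's subnet. The MAC and IP addresses are constructed, and it assumes the EtherNet/IP browse is a UDP broadcast to port 44818.

```python
import ipaddress
import struct

ETH_IPV4 = 0x0800
ETH_PROFINET = 0x8892  # PROFINET EtherType; DCP rides directly on Ethernet, no IP header

def dcp_identify_all(src_mac: bytes, xid: int = 1) -> bytes:
    """Constructed DCP Identify-All request, the kind of frame a node scan sends."""
    dst_mac = bytes.fromhex("010ecf000000")  # PROFINET DCP identify multicast MAC
    # FrameID 0xFEFE, ServiceID 5 (Identify), ServiceType 0 (request), Xid,
    # ResponseDelay, DCPDataLength, then one block: option/suboption 0xFF (All)
    dcp = struct.pack("!HBBIHH", 0xFEFE, 5, 0, xid, 1, 4) + struct.pack("!BBH", 0xFF, 0xFF, 0)
    return dst_mac + src_mac + struct.pack("!H", ETH_PROFINET) + dcp

def udp_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left at 0, empty payload)."""
    udp = struct.pack("!HHHH", 49152, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETH_IPV4) + ip + udp

def crosses_routed_vpn(frame: bytes, sender_net: str) -> tuple[bool, str]:
    """Would a Layer 3 (routed) tunnel forward this frame to the remote subnet?"""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4:
        return False, f"non-IP frame (EtherType 0x{ethertype:04x}): nothing to route"
    dst_ip = ipaddress.IPv4Address(frame[30:34])  # 14-byte Ethernet header + offset 16
    net = ipaddress.ip_network(sender_net)
    if dst_ip in (ipaddress.IPv4Address("255.255.255.255"), net.broadcast_address):
        return False, f"IP broadcast to {dst_ip}: stays on the sender's subnet"
    if dst_ip.is_multicast:
        return False, f"IP multicast to {dst_ip}: not forwarded without multicast routing"
    return True, f"unicast to {dst_ip}: routable"

PC_MAC = bytes.fromhex("02000000aa01")  # constructed, locally administered
GW_MAC = bytes.fromhex("02000000aa02")  # constructed VPN gateway MAC
SAMPLES = {  # constructed: engineering PC on 10.8.0.0/24, PLC on 192.168.0.0/24
    "accessible-nodes scan (DCP)": dcp_identify_all(PC_MAC),
    "EtherNet/IP broadcast browse": udp_frame(b"\xff" * 6, PC_MAC, "10.8.0.5",
                                              "255.255.255.255", 44818),
    "manually added device (unicast)": udp_frame(GW_MAC, PC_MAC, "10.8.0.5",
                                                 "192.168.0.1", 44818),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        ok, why = crosses_routed_vpn(frame, "10.8.0.0/24")
        print(f"{name:34} {'forwarded' if ok else 'dropped':10} {why}")
```

Only the unicast frame to an already-known IP is forwarded, which matches what the thread reports: going online by IP works through the VPN while discovery does not.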
 