VNC communication issues

I dont know if this really belongs here but it does relate to automation.

We have two networks that have PLCs and HMIs and the one my laptop is connected on so there is no issue. I can just type in the IP in TightVNC and look at the HMI. But with the other one it says it is actively refusing or rejecting my connection.

I am running E W O N ecatcher to communicate with another network that has PLCs and HMIs. The ecatcher works because I can ping the devices. But when I try to connect to the HMIs using TightVNC it refuses or rejects me.

several things come to mind.


1. your systems are on different ip addresses 255.255.255.0 vs 100.100.100.34 for example.
2. your systems are set up differently. one uses the admin password, the other requires user credentials, or is not set up for remote viewing.
james

They are on different IP addresses that why we have the E W O N to communicate with different subnets. But what you said about the remote viewing. Are you talking about the remote computer that I am trying to access? If so how do I set this up?

Can you draw a diagram illustrating physical connections and IP addresses? Might be easier to follow which devices can communicate with what. Also, check for a Windows Defender (or equivalent) firewall on the devices you're trying to remotely access.

What type of HMI is running the VNC Server ?

Are you certain that the HMI has the Default Gateway correctly configured for the local IP of the E-Catcher ? Is the E-Catcher the only connection from that automation network to the Internet or the rest of the enterprise network ?

Firstly, is the service on the HMI turned on?

Establish this, then trouble shoot, or you will be wasting hours and hours for absolutely no gain at all.

Panelviews, you turn it on from the windows CE control panel, Siemens, it needs to be done in the project.
Don't know about the rest.

MattMatt9 said:

But with the other one it says it is actively refusing or rejecting my connection.

Click to expand...

MattMatt9 said:

I can ping the devices ... when I try to connect to the HMIs using TightVNC it refuses or rejects me

Click to expand...

I assume the HMI is running on some kind of Windows operating system.


Assuming you have the right IP for the second HMI system and are getting through the right gateway*, so TightVNC client on your PC is attempting to connect to the right HMI system, this result means there is no network application** "listening" at the VNC port*** to which the TightVNC client on the PC is trying to connect. which usually means a VNC server application is not running on that HMI. It is possible that a VNC server application is running on that HMI but listening at a non-default port, or that your PC is configured to connect to a non-default port, or both, any of which would present the same problem, but those situations would be rare.


Another possibility is that the gateway from the PC to the network with the HMI is not configured to pass whatever port is being requested. In that case the gateway is actually doing the rejecting; the same could be true of the HMI.


To summarize, the possibilities in no particular order:

• Wrong IP for HMI system
  • Check configuration on HMI system
    
• Gateway rejecting VNC traffic to HMI system
  • Check gateway configuration,
    • Usually via web server to [gateway address] used by HMI system
    • Will require gateway credentials, probably known by IT dept.
      
• Also possible the HMI system firewall is blocking the traffic
  • Check firewall configuration on HMI system
    
• No VNC server application running on HMI system
  • Check running processes on HMI system
    
• Mismatch of port to use between TightVNC client and HMI's VNC client
  • Check configuration of VNC applications on both systems
    
  • On HMI system, [netstat -an] at a command line should show a line similar to [tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN]
    • the [:590x], or whatever port the HMI sytems's VNC server is using, is what is important
      

There may be other possibilities we have not thought of yet.








* the successful ping suggests the target "HMI" IP does exist, but does not guarantee it is the HMI system desired

** TightVNC server or another compatible VNC server

*** typically 5900, possibly 5900+N for display (or scrren) N; a.k.a. the RFB port

I think "drbitboy" is on to something.

Basically the automated line I am working on was put together by a third party and some things may have been locked on this specific network (some IP addresses, PLCs, etc.) because I cant view other HMIs on the network as well (refused). They have disbanded now so cant contact them so trying to figure it out on my own...

Leads me to believe that you said may be correct "Gateway rejecting VNC traffic to HMI system." How do I go about this specifically because the other possibilities you mentioned I think are good.

What is the infrastructure on the e w o n side, do you have a managed network or are the devices connected directly to the e w o n? If you are on a managed network, have you configured static routes on the e w o n?

I tried with a Cosy131 but that seemed to be a bit hit and miss so we replaced it with a Flexy which works fine. Of course with the static routing you need to make sure your traffic for that IP range gets routed through the e w o n by windows.

There is a setting in the e w o n, under system > communication > security, which will allow you to choose what type of traffic can access the WAN port, I suggest you set it to allow all and see if that works for you. You can then maybe drop it down to the next level and see if you can still connect.

So when I have eCatcher running, type in the IP of the 3WON in the address bar, log in and change it that way?

MattMatt9 said:

I think "drbitboy" is on to something.
.

Click to expand...

janner_10 said it first: make sure the server is running on the target system.

MattMatt9 said:

How do I go about this specifically because the other possibilities you mentioned I think are good.

Click to expand...

With most routers, there is a LAN side and a WAN side; the WAN side is the single connection to a different network/mask than the multiple devices, including the target system, on the LAN side. The web server is usually most accessible from the LAN side; again, you may need the "admin" account name and password for the router to figure this out; the "admin" account name and password may be the default for the router, which is probably findable via The Google.



This all assumes it is set up similar to a soho router, but without NAT; so I could be way off here, depending how it is actually set up.



Putting and configuring your PC on the LAN side of the router will take the router out of the problem; if you can VNC from there that suggests the router is the problem.



However, you did mention that you were able to ping the target system, which suggests there is at least some connectivity to the target device.


Without a detailed network layout (router models, IPs, netmasks, etc), I have to be honest that I am just guessing.


There is not adequate space to teach the syllabus of a networking course, but if you can recognize that c0a80125 and 192.168.1.37 are the same IP address, and that ffffff00 and 255.255.255.0 are the same netmask, and why 192.168.1.0/24 means ffffff00 & c0a801XX => c0a80100, where & is a bit-wise AND operator and X is any hexadeimal digit, then you can figure out most network issues on your own. If not, find someone who can.


My biggest worry would be that the now-defunct contractor left this site with a router for which the administrator login credentials are unknown; you best bet would be to contact the manufacturer to see if there is a back door, because a factory reset without knowing the current router configuration is a whole 'nuther ballgame.

MattMatt9 said:

So when I have eCatcher running, type in the IP of the 3WON in the address bar, log in and change it that way?

Click to expand...

Yes you need to log in to the e w o n to make that change I was talking about.

drbitboy is on the money about getting a network map sorted. You need to know how it hangs together to do any meaningful diagnosis.

You still haven't mentioned what brand of HMI you are working with. Follow janner_10's advice and make sure that the VNC service is enabled on the HMI itself.

janner_10 said:

Firstly, is the service on the HMI turned on?

Establish this, then trouble shoot, or you will be wasting hours and hours for absolutely no gain at all.

Panelviews, you turn it on from the windows CE control panel, Siemens, it needs to be done in the project.
Don't know about the rest.

Click to expand...

On AB PanelView Plus panels, this is not enabled by default. You have to exit to the Windows CE environment and enable it through the control panel. I can't speak for any of the other HMI brands.

I am working with a VersaView 5400 HMI. The server is on the HMI and running. Checked the firewall and it is allowing vncviewer.

Can you physically move your laptop to the 2nd network, change subnet as needed, and see if VNC runs okay. If it does then you can focus on the E W O N /router as your issue.