VPN and AB Controllogix and PLC's

[odogg311]

The company I work for has all of the controllers on the company network (10.x.x.x IP's) The controllers are PLC 5's and controllogix's. The controllogixs have ENBT cards and the PLC 5 have the ethernet side card. The company has a symantec vpn firewall/server. I installed a symantec vpn client on my laptop and I can connect to this network from home via vpn. (qwest dsl with a actiontec modem/router) My home IP is also non-routable 192.168.x.x. When connected to the company network from home I can ping the ENBT cards and get a response every time. But when trying to browes the cards in RSLinx (classic) all I see is a yellow ? mark with a red X through it. If I take that same laptop and plug into the company network directly it works fine. Just not via vpn.

I had the IT guys open ports 44818 and 2222 for tcp/udp communications and I ran a port scanner on some of the ENBT cards (while I was connected vpn) and I could see that the ports were indeed open. For some reason I still cannot browse the cards or get connected through RSLinx. If anyone has something I could try or what the problem might be I would greatly appreciate any help.

 

[Contr_Conn]

Make sure you are using Ethernet Devices driver

On our VPN Ethernet/IP driver is not going through.

 

[kamalaitounejjar]

In RSWho, what is the Error status for the cards?
If you get "Comm Error - 01E00204" status for the cards have a look on this link:
http://domino.automation.rockwell.com/applications/kb/RAKB.nsf/0/FA44BE049DBBE4D985256D3D005222B6?OpenDocument

 

[odogg311]

I am using ethernet devices, I even tried remote devices via linx gateway. That seems to be the error number I am getting but how to fix it I am not sure. I double checked to make sure ports 2222 and 44818 were still open in the vpn firewall and they are. I am going to try and see if maybe it's my dsl router that is blocking the packets.

 

[TConnolly]

Can you enter the IP address of the ENBT into a web browser and view the web page for any of the ENBTs?

 

[averytc]

Check that IGMP is enabled thru the VPN. It is common for security to disable that function, but is necessary for Ethernet-IP.

 

[odogg311]

Yes I can enter the IP of a ENBT card into IE and it brings up the web page for that card. I will ask them to enable IGMP (whatever that is) and try again.

 

[averytc]

Sorry for the lack of detail on the previous post. IGMP Snooping is used for multicast communication, and is required on a switched network with AB PLCs. It’s been a while since I set this up on our network, but I remember it had to be enabled. When we got VPN access I had the same problem and our corporate IT would not enable any multicast function. They had me buy another router to replace a bridge between the industrial and corporate network. I’m not sure how it all works, but it does. Also, my home network is 192.168… non-routable too. Hope this little bit helps.

 

[Ken Roach]

I think you'll find something about the VPN circuit is not allowing the RSLinx queries through, or not allowing the replies back.

I recently did a very in-depth investigation of a VPN installation for a client and found that his Cisco PIX515 firewall was interpreting RSLinx device-type discovery as a port scanning attack and blocking it.

Sometimes you just have to get out the heavy guns on this sort of project; put an Ethernet tap or hub on your automation network and start running protocol analyzers.

Run RSLinx locally to see what its traffic looks like. Then run it across the VPN and look to see how far the browse queries get.

Control_Conn is exactly correct; only the Ethernet Devices drive will work through a VPN circuit.