OPC-UA connection on VPN

I am trying to use Ignition to connect to an OPC-UA server from a remote site through VPN, but it is faulted with a “java.net.ConnectionException: Connection refused: connect” message on the OPC connections status.

I have configured the OPC-UA connection like usual but it is not working. Hope someone can help or guide me to the correct way.

I have attached the network architecture.


dumb question but can you ping the server hosting kepware? is port 49320 open across both firewalls? may help to post screenshots of your opc-ua config from the ignition webpage.

also a screenshot showing your kepware opc-ua config would be helpful.

I can ping both the host and the client. The firewall allows all ports. The settings on the Ignition OPC UA connection and the Kepware UA configuration are the default ones.

Will attach a screenshot tomorrow.

yeah take some screenshots of both configs.

You probably need to use the endpoint override setting when configuring the UA connection in Ignition. Use the external IP address you’re using to connect to Kepware.

Is it possible to give an example of what I should insert into the host override in the advanced settings?

Thank you.

Please find the config screenshots below.




if you go to the trusted client section in kepware do you see the ignition client? it should give you an option to accept the connection if so.

one thing you can do is edit both of your urls on kepware and check off none on the security policies (make sure and reinitialize kepware after making this change). also change both security policy and message mode in ignition to none and see if it connects then. then you would know if it is something related to the encryption/security.

you can also download uaexpert unified-automation.com/produ … xpert.html to help troubleshoot.

If you check the “Show Advanced Properties?” checkbox there will be an endpoint address override property that you’ll put 192.168.201.101 into as well.

diat150’s advice will also have to be done as well. As soon as Ignition is actually able to make a connection its client certificate will show up in Kepware and has to be marked as trusted.

Thanks all for the guide, it works after I used the host override.

I have a similar problem, but we must override the host address and the port number.

Please check the scheme. I have a modem gateway to which several remote modems are connected. On the gateway, several connections are created that forward local network traffic to the remote station on the specified port.

I set up the following connection to the remote OPC UA server:
Host: 192.168.1.30
Port: 62000
Security Policy: None
Message Security Mode: None
Host Override: 192.168.127.200 (also tried the OPC UA server name WIN-EIECJ39OV0I)

Connection is faulted.

Here is the wrapper log:

DEBUG [ConnectionUtil                ] [09:41:26,183]: Getting endpoints from "opc.tcp://192.168.1.30:62000"
DEBUG [ConnectionUtil                ] [09:41:28,230]: Received endpoint: opc.tcp://WIN-EIECJ39OV0I:4845 - [SignAndEncrypt:Basic128Rsa15:http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary]
DEBUG [ConnectionUtil                ] [09:41:28,231]: Received endpoint: opc.tcp://WIN-EIECJ39OV0I:4845 - [None:None:http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary]
DEBUG [ConnectionUtil                ] [09:41:28,231]: Selected endpoint: opc.tcp://WIN-EIECJ39OV0I:4845 - [None:None:http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary]
ERROR [OpcUaConnection[ServerUA]  ] [09:41:28,232]: Error connecting to server: StatusCode[Severity=Bad, Subcode=Bad_ConnectionRejected]

What can be done other than specifying the same port number on the Gateway and on the OPC UA server?

HooK’a, it looks like you’ve got a network topology that the current connection settings can’t handle.

I think the best we can do is modify the host override setting to also allow you to specify a port if necessary. This would be done for the 7.8.4 release.
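An added example, not part of the thread and not Ignition's own code: it parses the wrapper log lines quoted above and shows that a host-only override still leaves the client dialing port 4845, while overriding host and port lands on the forwarded address. The `rewrite` helper and its `port` parameter are hypothetical, and the address the discovery call succeeded on is assumed to be the reachable one.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the wrapper log quoted in the thread (column padding trimmed).
LOG = '''\
DEBUG [ConnectionUtil] [09:41:26,183]: Getting endpoints from "opc.tcp://192.168.1.30:62000"
DEBUG [ConnectionUtil] [09:41:28,230]: Received endpoint: opc.tcp://WIN-EIECJ39OV0I:4845 - [SignAndEncrypt:Basic128Rsa15:http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary]
DEBUG [ConnectionUtil] [09:41:28,231]: Received endpoint: opc.tcp://WIN-EIECJ39OV0I:4845 - [None:None:http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary]
'''

DISCOVERY = re.compile(r'Getting endpoints from "(opc\.tcp://[^"]+)"')
ENDPOINT = re.compile(r'Received endpoint: (opc\.tcp://\S+) - \[(\w+):(\w+):')
DEFAULT_PORT = 4840  # IANA-registered port for opc.tcp, used when a URL omits one

def rewrite(url, host=None, port=None):
    """Hypothetical override: replace host and/or port of an endpoint URL."""
    u = urlsplit(url)
    return f"{u.scheme}://{host or u.hostname}:{port or u.port or DEFAULT_PORT}{u.path}"

def analyse(log):
    """Compare each advertised endpoint with the address discovery succeeded on."""
    m = DISCOVERY.search(log)
    if m is None:
        raise ValueError("no discovery line in log")
    disc = urlsplit(m.group(1))
    disc_port = disc.port or DEFAULT_PORT
    rows = []
    for url, mode, policy in ENDPOINT.findall(log):
        ep = urlsplit(url)
        rows.append({
            "advertised": url,
            "security": f"{mode}:{policy}",
            "host_differs": ep.hostname != disc.hostname,
            "port_differs": (ep.port or DEFAULT_PORT) != disc_port,
            "host_only": rewrite(url, host=disc.hostname),
            "host_and_port": rewrite(url, host=disc.hostname, port=disc_port),
        })
    return rows

if __name__ == "__main__":
    for row in analyse(LOG):
        print(row["security"], row["advertised"])
        print("  host override only     ->", row["host_only"])
        print("  host and port override ->", row["host_and_port"])
```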

[quote=“Kevin.Herron”]HooK’a, it looks like you’ve got a network topology that the current connection settings can’t handle.

I think the best we can do is modify the host override setting to also allow you to specify a port if necessary. This would be done for the 7.8.4 release.[/quote]

Kevin.Herron, could you add this feature in 7.7.x?