Where can we change SecureChannelLifeTime setting for OPC client on Ignition?

Hi,
We are trying to troubleshoot an issue where whenever our OPC client on Ignition sends a request to renew the Secure Channel to an OPC server on a Siemens S7-1200 PLC, the OPC server does not respond for anywhere from 9 sec to 14 sec.

Since the request to renew the secure channel is sent out every 45 minutes (75% of the security token life of 1 hour), we have to WAIT a lot to debug and want to reduce the lifetime down to 5 minutes.

This value isn't configurable in Ignition.

The channel lifetime is something of a negotiation, and the server has a chance to revise the value requested by the client. Can you configure the maximum allowed value for your server down to 5 minutes?
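The negotiation described above, as an added example (not Ignition's or Eclipse Milo's code): the client requests a lifetime, the server clamps it to its own limits and returns a revised value, and the client schedules its next OpenSecureChannel renewal at 75% of that revised lifetime. The server limits are hypothetical settings; the stall numbers are the ones reported in the thread. The last function shows the caveat of shortening the lifetime for debugging: if each renewal stalls the PLC for the same number of seconds, a shorter lifetime raises the fraction of time the connection is blocked.

```python
"""Secure channel lifetime negotiation and renewal timing (added example).

Assumptions: the server exposes a hypothetical min/max lifetime pair; the
client renews at 75% of the revised lifetime, as OPC UA clients do.
"""
from dataclasses import dataclass
from typing import List, Tuple

RENEWAL_FRACTION = 0.75  # clients renew once 75% of the token lifetime has elapsed


@dataclass(frozen=True)
class ServerPolicy:
    max_lifetime_ms: int  # hypothetical server-side cap on the channel lifetime
    min_lifetime_ms: int  # hypothetical server-side floor


def revise_lifetime(requested_ms: int, policy: ServerPolicy) -> int:
    """Server side of OpenSecureChannel: clamp the client's requested lifetime
    to the server's limits and return the revisedLifetime."""
    return max(policy.min_lifetime_ms, min(requested_ms, policy.max_lifetime_ms))


def renewal_delay_ms(revised_ms: int) -> int:
    """Client side: time after token issue at which the next renewal is sent."""
    return int(revised_ms * RENEWAL_FRACTION)


def renewal_schedule(requested_ms: int, policy: ServerPolicy,
                     horizon_ms: int) -> Tuple[int, List[int]]:
    """Return the revised lifetime and the times (ms from channel open) at
    which the client will send OPN renewal requests up to the horizon."""
    revised = revise_lifetime(requested_ms, policy)
    delay = renewal_delay_ms(revised)
    times = []
    t = delay
    while t <= horizon_ms:
        times.append(t)
        t += delay  # each renewal issues a fresh token with the same lifetime
    return revised, times


def blocked_fraction(lifetime_ms: int, stall_ms: int) -> float:
    """Fraction of wall-clock time during which the server answers nothing,
    given that every renewal stalls it for stall_ms."""
    return stall_ms / renewal_delay_ms(lifetime_ms)


if __name__ == "__main__":
    default = ServerPolicy(max_lifetime_ms=3_600_000, min_lifetime_ms=60_000)
    debug = ServerPolicy(max_lifetime_ms=300_000, min_lifetime_ms=60_000)
    for name, policy in (("default", default), ("debug", debug)):
        revised, times = renewal_schedule(3_600_000, policy, 3 * 3_600_000)
        print(f"{name}: revised={revised} ms, renewals in 3 h at {times}")
        print(f"  blocked with a 14 s stall: {blocked_fraction(revised, 14_000):.2%}")
```

With the thread's numbers (1 h lifetime, 45 min renewal, 14 s stall) the blocked fraction is about 0.5%; capping the lifetime at 5 minutes for debugging makes it about 6%, so the cap is useful for reproducing the stall quickly but not as a production setting.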

Hi Kevin,

This is what we have been able to zero the problem down to:

Establishing an OPC UA connection with a security policy other than "No Security" on the Siemens S7 OPC UA server requires the Ignition OPC UA client to renew the Secure Channel at an interval of 45 minutes.
UA Part 4: Services - 5.5.2 OpenSecureChannel (opcfoundation.org)

Our Siemens PLC CPU/OPC server takes ~6-14 seconds to establish/secure/renew a connection/channel as per our Wireshark logs.

For our setup we have chosen Basic256Sha256-Sign&Encrypt security policy for OPC UA secure channel on the PLC and exchanged self-signed OPC UA certificates between the client and server.

Normally, OPC UA should use asymmetric encryption to secure the initial connection. Once the channel is secure, then in order to work around the slower communication performance with asymmetric encryption, a symmetric encryption key is exchanged for communications.
Exploring OPC UA - Symmetric vs Asymmetric Encryption (softwaretoolbox.com)

Is this also true for renewing a secure channel using OpenSecureChannel service? Is the renewal of a secure channel using asymmetric encryption or symmetric encryption ?

Renewal of secure channel takes place at the communication layer level:
(image attached)

What we have observed is that the longer the length of the OpenSecureChannel request message from Ignition (PC) to PLC for “renewing the existing Secure Channel”, the longer it takes for PLC’s CPU to process and respond to the request. In our setup, no data is received from PLC OPC UA Server while it’s processing the renewal request. All publish request to the PLC during this “request and response window” go unanswered and all data/commands being sent to the PLC are lost.

We have found the length of the Secure Channel renewal request message to vary between two identical machines with the same OPC UA server security settings.
(image attached)

Wireshark analysis has divulged the following results:

  • Secure Channel renewal request message packet length of 1768 bytes for Basic256Sha256 security policy takes 16.59 seconds for PLC OPC server to process and respond to on machine 1.

  • Secure Channel renewal request message packet length of 308 bytes for Basic256Sha256 security policy takes 7.64 seconds for PLC OPC server to process and respond to on machine 2. Wireshark logs for the corresponding frames attached.


    Test.pcapng (148.2 KB)

  • Secure Channel renewal request message packet length of 186 bytes for No security policy takes 10 milliseconds for PLC OPC server to process and respond to on machine 1.

We don’t have an issue with session timeouts or with setting up a session as listed here: "BadTimeout during OpenSecureChannel" message in the OPC UA client when trying to... - ID: 109825991 - Industry Support Siemens.

Changing max session timeout and max number of OPC UA sessions setting in OPC UA on TIA has had no effect either. Our Communication Load setting in TIA is at 50%.

What we want to know:

  1. Is the amount of processing time required for renewing a secure channel a limitation of the OPC UA server on the S7-1200 PLC or of the SIMATIC OPC UA S7-1200 Basic Runtime Licence?
  2. Is it possible to change the Secure Channel renewal request message packet length on the Ignition (client) or server side OPC UA?
  3. How do we change the OPC UA value for SecureChannelLifetime on the PLC? It's currently defaulted to 3600000 ms.
  4. How do we speed up renewal of the SecureChannel?
  5. How do we implement or cross-check a hybrid process that automatically switches from very secure, asymmetric encryption (RSA) when a connection is established to high-performance, symmetric encryption for actual communications after the connection is established?

We are running 180 instances of Ignition Edge on 180 PCs connected to 180 S7-1200 PLCs.

It's probably a limitation of the hardware/CPU. RSA encryption is slow for embedded devices. Using a weaker security policy may speed it up. This is why ECC-based security policies have been in development for future OPC UA versions.

The only thing that would change the size of the packet is the size of the client application instance certificate. It seems unlikely that the certificate size would vary greatly between Ignition clients unless maybe on one of your gateways you're using a CA-signed certificate and the other a self-signed certificate.

I don't know if it's possible, you'd have to ask Siemens support.

Use a weaker security policy, not sure there's anything else you can do.

You don't need to do this, this is already how OPC UA communication works. Asymmetric encryption is only used for secure channel creation and renewal.

1 Like

This capture doesn't show a packet length of 308, it shows a packet length of 1714. You have to look at the reassembled data.

1 Like
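Two points from the replies above, the packet size tracking the client certificate and the need to look at reassembled data rather than a single frame, as one added example (not Ignition's, Eclipse Milo's or Siemens' code). It encodes only the cleartext part of an OpenSecureChannel (OPN) message as laid out in OPC UA Part 6: message header, asymmetric security header (policy URI, sender certificate, receiver certificate thumbprint) and sequence header. The encrypted body and signature a real Sign&Encrypt message carries are replaced by a constructed placeholder body, and the certificates are constructed byte strings of a chosen length, not real DER certificates. The `tcp_segments` helper is a simplification of TCP segmentation with an assumed MSS of 1460 bytes.

```python
"""OPN message size vs. client certificate size, and TCP reassembly (added example)."""
import hashlib
import struct
from typing import List, Optional

POLICY_BASIC256SHA256 = b"http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
POLICY_NONE = b"http://opcfoundation.org/UA/SecurityPolicy#None"


def _bytestring(value: Optional[bytes]) -> bytes:
    """OPC UA ByteString encoding: int32 length prefix, -1 for null."""
    if value is None:
        return struct.pack("<i", -1)
    return struct.pack("<i", len(value)) + value


def fake_cert(length: int) -> bytes:
    """Constructed stand-in for a DER certificate of the given length."""
    return bytes(i % 256 for i in range(length))


def build_opn(policy_uri: bytes, sender_cert: Optional[bytes],
              receiver_cert: Optional[bytes], channel_id: int,
              sequence_number: int, request_id: int, body: bytes) -> bytes:
    """Encode the cleartext framing of an OPN message. With policy None both
    certificate fields are null; otherwise the sender's certificate travels in
    the clear and the receiver is named by the SHA-1 thumbprint of its cert."""
    if policy_uri == POLICY_NONE:
        sec_header = _bytestring(policy_uri) + _bytestring(None) + _bytestring(None)
    else:
        thumbprint = hashlib.sha1(receiver_cert).digest()
        sec_header = (_bytestring(policy_uri) + _bytestring(sender_cert)
                      + _bytestring(thumbprint))
    seq_header = struct.pack("<II", sequence_number, request_id)
    payload = struct.pack("<I", channel_id) + sec_header + seq_header + body
    # Message header: "OPN", chunk type "F" (final), total size incl. these 8 bytes
    return b"OPNF" + struct.pack("<I", 8 + len(payload)) + payload


def parse_opn(message: bytes) -> dict:
    """Decode the cleartext headers back out of a complete OPN message."""
    if message[:4] != b"OPNF":
        raise ValueError("not a final OPN chunk")
    size, channel_id = struct.unpack_from("<II", message, 4)
    if size != len(message):
        raise ValueError(f"declared size {size} != actual {len(message)}")
    offset = 12

    def read_bytestring() -> Optional[bytes]:
        nonlocal offset
        (n,) = struct.unpack_from("<i", message, offset)
        offset += 4
        if n < 0:
            return None
        value = message[offset:offset + n]
        offset += n
        return value

    policy = read_bytestring()
    cert = read_bytestring()
    thumbprint = read_bytestring()
    sequence_number, request_id = struct.unpack_from("<II", message, offset)
    return {
        "size": size,
        "channel_id": channel_id,
        "policy": policy,
        "sender_cert_len": -1 if cert is None else len(cert),
        "thumbprint_len": -1 if thumbprint is None else len(thumbprint),
        "sequence_number": sequence_number,
        "request_id": request_id,
    }


def tcp_segments(message: bytes, mss: int = 1460) -> List[bytes]:
    """Split a message across TCP segments of at most `mss` bytes. A single
    Wireshark frame shows one segment; the OPN size is only visible after
    reassembly."""
    return [message[i:i + mss] for i in range(0, len(message), mss)]


if __name__ == "__main__":
    body = b"\x00" * 64  # constructed placeholder for the encrypted body
    for cert_len in (1000, 1500):
        msg = build_opn(POLICY_BASIC256SHA256, fake_cert(cert_len),
                        fake_cert(1200), 7, 1, 1, body)
        segs = tcp_segments(msg)
        print(f"cert {cert_len} B -> OPN {len(msg)} B, first frame carries "
              f"{len(segs[0])} B in {len(segs)} segment(s)")
    none_msg = build_opn(POLICY_NONE, None, None, 7, 1, 1, body)
    print(f"policy None -> OPN {len(none_msg)} B (no certificate in the header)")
```

Adding 500 bytes to the client certificate adds exactly 500 bytes to the OPN message, and once the message exceeds the MSS the first frame in a capture shows only the first segment, which is why a frame length is not the renewal request's length.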

Hi Kevin,

Thanks for clarifying all our questions!

One follow on question:

  1. Can we see a major jump in performance if we use Siemens Profinet drivers (available with our Edge licensing)? I think to do this an OPC server and client is set up on the Ignition side of things and comms is handled through Siemens Profinet drivers.

Ignition doesn't have Profinet drivers, only S7 over ethernet.

There are major trade-offs involved when choosing between the Siemens PLC's built-in OPC UA server and Ignition's S7 driver - primarily that there is no browsing or symbolic access. There's also no security or encryption when using S7, and if that's acceptable, you might as well just turn it off for the OPC connection.

1 Like

Hi Kevin,
Do you know of any way we can encrypt the data being sent to S7 over ethernet when using Ignition's S7 drivers for Siemens, if we do decide to switch from OPC to Ignition's S7 driver?
Any Plugin or something else ?

No, not possible.

Hi Kevin,

Getting Started with the Siemens S7 Plus Ethernet Driver w/Security - YouTube

At 2:30 mark it says "Siemens S7 Plus Ethernet" driver allows for secure communication

So I'm guessing Ignition supports the "Siemens S7 Ethernet" driver and not "Siemens S7 Plus Ethernet"?

Are there any plans to support "Plus" drivers anytime soon?

Ignition 8.3 will include a new “S7 Plus” driver that does symbolic access and will support security if enabled on the PLC.

1 Like