Scribd
Upload
36 views34 pages

GS SCALANCE M800 Connection Check 76

Uploaded by

ranggakristanto
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
36 views34 pages

GS SCALANCE M800 Connection Check 76

Uploaded by

ranggakristanto
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

Connection Check

Preface

Configuring checking the


connection 1
Configuring fallback for
connection 2

Connection Check

Getting Started

07/2020
C79000-G8976-C574-02
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG Document order number: C79000-G8976-C574-02 Copyright © Siemens AG 2019 - 2020.


Digital Industries Ⓟ 06/2020 Subject to change All rights reserved
Postfach 48 48
90026 NÜRNBERG
GERMANY
Preface

Further documentation
● Operating instructions
These documents contain information on installing and connecting the products and on
approvals for the products. The configuration and the integration of the devices in a
network are not described in these instructions.
– SCALANCE M874, M876
Entry ID: 74518712
(https://support.industry.siemens.com/cs/ww/de/view/109475909/en)
– SCALANCE M812, M816
Entry ID: 90316607
(https://support.industry.siemens.com/cs/ww/de/view/90316607/en)
– SCALANCE M804PB:
Entry ID: 109759601
(https://support.industry.siemens.com/cs/ww/en/view/109759601)
– SCALANCE M826:
Entry ID: 99450800
(https://support.industry.siemens.com/cs/ww/de/view/99450800/en)
– SCALANCE S615:
Entry ID: 109475909
(https://support.industry.siemens.com/cs/ww/de/view/109475909/en)
● "Web based Management" configuration manual
This document is intended to provide you with the information you require to commission
and configure devices using the Web Based Management.
– SCALANCE M-800:
Entry ID: 109751635
(https://support.industry.siemens.com/cs/ww/de/view/109751635/en)
– SCALANCE S615:
Entry ID: 109751632
(https://support.industry.siemens.com/cs/ww/de/view/109751632/en)

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 3
Preface

● Configuration manual Command Line Interface


This document contains the CLI commands supported by the devices.
– SCALANCE M-800
Entry ID: 109751634
(https://support.industry.siemens.com/cs/ww/de/view/109751634/en)
– SCALANCE S615
Entry ID: 109751633
(https://support.industry.siemens.com/cs/ww/de/view/109751633/en)
● Industrial Ethernet Security – Basics and Application
This document contains information about working with the SCT (Security Configuration
Tool).
Entry ID: 56577508 (https://support.industry.siemens.com/cs/ww/de/view/56577508/en)
● SIMATIC NET Industrial Ethernet Network manual
This document contains information on other SIMATIC NET products that you can
operate along with the devices of this product line in an Industrial Ethernet network.
Entry ID: 27069465 (https://support.industry.siemens.com/cs/ww/de/view/27069465/en)
● Introduction to Industrial Remote Communication
In this entry, you can find an overview - arranged by topic - with links to the most
important entries on Industrial Remote Communication in the Siemens Industry Online
Support.
Entry ID: 64721753 (https://support.industry.siemens.com/cs/ww/en/view/64721753)

SIMATIC NET manuals


You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online
Support:
● using the search function:
Link to Siemens Industry Online Support
(https://support.industry.siemens.com/cs/ww/en/ps)
Enter the entry ID of the relevant manual or the article number of the device as the
search term.
● In the navigation panel on the left hand side in the area "Industrial Communication":
Link to the area "Industrial Communication"
(https://support.industry.siemens.com/cs/ww/en/ps/15247/man)
Go to the required product group and make the following settings:
"Entry list" tab, Entry type "manual"

Training, Service & Support


You will find information on Training, Service & Support in the multi--language document
"DC_support_99.pdf" on the data medium supplied with the documentation.

Connection Check
4 Getting Started, 07/2020, C79000-G8976-C574-02
Preface

SIMATIC NET glossary


Explanations of many of the specialist terms used in this documentation can be found in the
SIMATIC NET glossary.
You will find the SIMATIC NET glossary on the Internet at the following address:
50305045 (https://support.industry.siemens.com/cs/ww/en/view/50305045)

Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be
connected to an enterprise network or the internet if and to the extent such a connection is
necessary and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place.
For additional information on industrial security measures that may be implemented, please
visit https://www.siemens.com/industrialsecurity
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customers’ exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under https://www.siemens.com/industrialsecurity

Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.

Trademarks
The following and possibly other names not identified by the registered trademark sign ® are
registered trademarks of Siemens AG:
SCALANCE, SINEMA, KEY-PLUG, C-PLUG

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 5
Preface

Connection Check
6 Getting Started, 07/2020, C79000-G8976-C574-02
Table of contents

Preface ........................................................................................................................................ 3
1 Configuring checking the connection................................................................................................ 9
1.1 Introduction ......................................................................................................................... 9
1.2 Checking a connection with one destination address ......................................................... 10
1.3 Monitoring a connection with 2 destination addresses ........................................................ 13
1.4 Monitor two connections with 2 destination addresses each ............................................... 15
2 Configuring fallback for connection ................................................................................................ 19
2.1 Fallback for Internet connection ......................................................................................... 20
2.1.1 Creating a route and firewall .............................................................................................. 21
2.1.2 Configure fallback function ................................................................................................ 22
2.2 Fallback for connection to SINEMA RC.............................................................................. 25
2.2.1 Introduction ....................................................................................................................... 25
2.2.2 Configuring a VPN connection on the SINEMA RC Server ................................................. 27
2.2.3 Configuring VPN connection on the device ........................................................................ 28
2.2.4 Configure fallback function ................................................................................................ 30
Index ......................................................................................................................................... 33

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 7
Table of contents

Connection Check
8 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring checking the connection 1
1.1 Introduction
You can check your connections with the ping test on the "Connection Check" page. The
page is divided up into the tables "Group" and "Action".
In the "Group" table, you configure the destination addresses used as the reference for the
accessibility. During the ping test, the device sends ICMP echo request packets (pings) to
the configured destination address at regular intervals.
If this destination address does not respond, the device tries to reach the destination
address again. In "Retries", you specify the number of ping retries. If all ping attempts are
unsuccessful, the ping test is considered to have failed or the group is considered
inaccessible. In the case of multiple destination addresses, the ping test is considered to
have failed when none of the destination addresses has responded.
In the "Action" table, you configure the criteria that must be met so that the device will
execute a specific action on the interface. A total of five actions can be configured. When all
5 actions have been processed, the device starts again with the 1st action.
● Example 1: A connection with one destination address is checked (Page 10).
● Example 2: A connection is monitored with 2 destination addresses (Page 13).
● Example 3: Two connections with 2 destination addresses each is checked (Page 15)

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 9
Configuring checking the connection
1.2 Checking a connection with one destination address

1.2 Checking a connection with one destination address


In this example the connection to the LAN with the address 192.168.1.20 is monitored. A
LAN group is created for this purpose. The reachability of the address is checked via the
VLAN interface (vlan1).
If the ping test fails for the 3rd time, the device restarts.

Procedure
1. Click "System > Connection Check" in the navigation area.
2. Configure the "LAN" group with the following settings:

Parameter Setting
Name LAN The group name is displayed in the "Action" table as a
column name.
Source Interface vlan 1 (INT) The reachability of the IP address is checked via the
VLAN interface.
Interval 30 seconds The interval between the ping tests.

TTL 12 Time To Live


Retries 3 Number of ping retries
1st Ping Target 192.168.1.20 The reachability is checked with this destination address.
2nd Ping Target - -
3rd Ping Target

3. Configure the following settings for the "LAN" group in the "Action" table:

Parameter Setting
Action for Device The action is performed on the device.
1st Action None No action
2nd Action
3rd Action Restart Restart the device.

4th Action None No action


5th Action

Connection Check
10 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring checking the connection
1.2 Checking a connection with one destination address

4. Select "Enable Connection Check" and click on the "Set Values" button.

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 11
Configuring checking the connection
1.2 Checking a connection with one destination address

Result
Destination address reachable
When the destination address is reachable, the device conducts a ping test every 30
seconds.
Destination address unreachable
Case 1: When the destination address is unreachable, the device makes three ping retries. If
all three ping tests fail, the device restarts. The destination address can be reached again
after the restart.

Ping test
Interval 30 s 60 s 90 s 3690 s (+ restart of
device)
Ping test failed > Ping test failed > Ping test failed > Ping test successful
Execute action 1 Execute action 2 (None) Execute action 3 (Restart)
(None) + Restart of the device
+ 10 minutes
After the restart, the device
waits for 10 minutes and then
sends a ping to the destination
address.

Case 2: The destination address is not reachable after the restart.

Ping test
Interval 30 s 60 s 90 s 3690 s (+ re- 3720 s 3750 s
start of device)
Ping test Ping test Ping test failed > Ping test failed Ping test failed Ping test failed > Exe-
failed > failed > Execute action 3 > > cute action 3 (Restart)
Execute Execute ac- (Restart) Execute action Execute action + Restart of the device
action 1 tion 2 (None) + Restart of the 1 (None) 2 (None)
+ 10 minutes
(None) device
After the restart, the
+ 10 minutes device waits for 10
After the restart, minutes and then
the device waits for sends a ping to the
10 minutes and destination address.
then sends a ping
to the destination
address.

Connection Check
12 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring checking the connection
1.3 Monitoring a connection with 2 destination addresses

1.3 Monitoring a connection with 2 destination addresses


In this example, the connection to the Internet is monitored with 2 addresses. As long as one
of the two addresses can be reached, there is no action.
When both addresses are inaccessible, the software of the mobile network engine is first
reset. If the action is not successful, a hardware reset of the mobile network interface is
performed.

Procedure
1. Click "System > Connection Check" in the navigation area.
2. Configure the "WAN" group with the following settings:

Parameter Setting
Name WAN The group name is displayed in the "Action" table as a
column name.
Source Interface usb0 The accessibility of the destination address is checked via
the mobile network interface.
Interval 60 seconds The interval between the ping tests.

TTL 128 Time To Live


Retries 3 Number of ping retries
1st Ping Target siemens.com The reachability is checked with these destination ad-
2nd Ping Target google.com dresses.

3rd Ping Target -

3. Configure the following settings for the "WAN" group in the "Action" table:

Parameter Setting
Action for usb0 The action is performed at the mobile network interface.
1st Action None No action

2nd Action Soft reset The mobile network engine is restarted using the soft-
ware.
3rd Action None No action
4th Action Hard-Reset The mobile network engine is restarted.
5th Action None No action

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 13
Configuring checking the connection
1.3 Monitoring a connection with 2 destination addresses

4. Select "Enable Connection Check" and click on the "Set Values" button.

Result
First destination address reachable
When the 1st destination address responds, the device performs a ping test every 60
seconds.
First destination address unreachable
If the destination address "siemens.com" does not respond, the 2nd destination address
"google.com" is attempted. When this address responds, the ping test is considered to be
successful and the next ping test is run after 60 seconds.
Both destination addresses are unreachable
Both destination addresses do not respond. An action is performed for the 2nd and 4th
unsuccessful ping test.
Case A: The destination addresses can be reached again after the soft restart.

Ping test
Interval 60 s 120 s 180 s 240 s
Ping test failed > Ping test failed > Ping test successful Ping test successful
Execute action 1 (None) Execute action 2 (Soft
reset)

Case B: The destination addresses cannot be reached again after the soft restart but after
the hardware reset.

Ping test
Interval 60 s 120 s 180 s 240 s 300 s
Ping test failed > Ping test failed > Ping test failed > Ping test failed > Ping test success-
Execute action 1 Execute action 2 Execute action 3 Execute action 4 ful
(None) (Soft reset) (None) (Hardware reset)

Connection Check
14 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring checking the connection
1.4 Monitor two connections with 2 destination addresses each

1.4 Monitor two connections with 2 destination addresses each


In this example, the connections to the Internet (WAN) and via VPN are monitored. A group
with different destination addresses is created for each connection. The groups are assigned
to the mobile network interface. The interface is considered reachable when both groups are
reachable. This means that at least one of the two destination addresses in each group must
respond.

Procedure
1. Click "System > Connection Check" in the navigation area.
2. Configure the "WAN" group with the following settings:

Parameter Setting
Name WAN The group name is displayed in the "Action" table as a
column name.
Source Interface usb0 The accessibility of the destination address is checked via
the mobile network interface.
Interval 60 seconds The interval between the ping tests.

TTL 128 Time To Live


Retries 3 Number of ping retries
1st Ping Target siemens.com The reachability is checked with these destination ad-
2nd Ping Target google.com dresses.

3rd Ping Target -

3. Configure the "VPN" group with the following settings:

Parameter Setting
Name VPN The group name is displayed in the "Action" table as a
column name.
Source Interface Auto The device determines the interface via which the reach-
ability of the destination addresses is checked.
Interval 180 seconds The interval between the ping tests.

TTL 128 Time To Live


Retries 5 Number of ping retries
1st Ping Target 172.23.24.5 The reachability is checked with these destination ad-
2nd Ping Target 172.23.24.6 dresses.
3rd Ping Target -

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 15
Configuring checking the connection
1.4 Monitor two connections with 2 destination addresses each

4. In the "Action" table, configure the following settings for the "WAN" and "VPN" groups:

Parameter Setting
Action for usb0 The action is performed at the mobile network interface.
1st Action None No action

2nd Action Soft reset Restart of the mobile network engine via the software
3rd Action None No action
4th Action Hard-Reset Restart of the mobile network engine
5th Action None No action

5. Select "Enable Connection Check" and click on the "Set Values" button.

Connection Check
16 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring checking the connection
1.4 Monitor two connections with 2 destination addresses each

Result
First destination address reachable
Because the 1st destination address in each group is accessible, the device performs a ping
test at the configured interval.
The mobile network interface is considered reachable because the destination addresses in
the assigned groups are accessible.

Ping test
60 s 120 s 180 s 240 s 300 s 360 s
WAN Ping test Ping test Ping test Ping test Ping test Ping test
VPN - - Ping test - - Ping test

"WAN" group not accessible and group "VPN" accessible


The mobile network interface is only considered accessible when both groups are
accessible. The following intervals are used: 60 seconds for Internet and 180 seconds for
VPN. Because of the shorter interval for the Internet, the action is performed without using
the "VPN" group beforehand.

Ping test
60 s 120 s 180 s 240 s 300 s 360 s
WAN Ping test failed > Ping test failed > Ping test failed > Ping test failed > Ping test Ping test
Execute action 1 Execute action 2 Execute action 3 Execute action 4 failed > failed >
(None) (Soft reset) (None) (Hardware reset) Execute Execute
action 5 action 1
(None) (None)
VPN - - Ping test - - Ping test

Both groups are not reachable


The destination addresses of both groups do not respond. An action is performed at the 1st
and 4th unsuccessful ping test. In the following cases, this is taken into account for different
intervals.
Case A: Intervals used: 60 seconds for Internet and 180 seconds for VPN.
Because of the shorter interval for the Internet, here, too, the action is performed without
using the "VPN" group.

Ping test
60 s 120 s 180 s 240 s 300 s 360 s
WAN Ping test failed > Ping test failed > Ping test failed > Ping test failed > Ping test failed Ping test
Execute action 1 Execute action 2 Execute action 3 Execute action 5 > failed >
(None) (Soft reset) (None) (None) Execute action Execute
1 (None) action 2 (Soft
reset)
VPN - - Ping test failed > - - Ping test
Execute action 4 failed >
(Hardware reset) Execute
action 2
(None)

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 17
Configuring checking the connection
1.4 Monitor two connections with 2 destination addresses each

Case B: Intervals used: 40 seconds for Internet and 60 seconds for VPN.

Ping test
40 s 60 s 80 s 120 s 160 s 180 s
WAN Ping test failed > - Ping test failed > Ping test failed > Ping test -
Execute action 1 Execute action 3 Execute action 4 failed >
(None) (None) (Hardware reset) Execute
action 1 (Soft
reset)
VPN - Ping test failed - Ping test failed - Ping test
>Execute action 2 >Execute action 5 failed >
(Soft reset) (None) Execute
action 2
(None)

Case C: Intervals used: 30 seconds for Internet and 60 seconds for VPN.

Ping test
30 s 60 s 90 s 120 s
WAN Ping test failed > Ping test failed >Execute Ping test failed > Ping test failed >Execute
Execute action 1 (None) action 2 (Soft reset) Execute action 4 (Hard- action 5 (None)
ware reset)
VPN - Ping test failed > - Ping test failed >
Execute action 3 (None) Execute action 1 (None)

Connection Check
18 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection 2
You can configure a fallback connection for the network access with the "Connection
Fallback" function. If the main connection fails, the connection is automatically established
via the fallback connection. When the fault has been corrected, the fallback connection is
disabled and data traffic is resumed via the main connection.
The function is demonstrated using 2 examples:
● Example 1: Fallback for Internet connection (Page 20)
● Example 2: Fallback for connection to SINEMA RC (Page 25)

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 19
Configuring fallback for connection
2.1 Fallback for Internet connection

2.1 Fallback for Internet connection


In this example configuration, SCALANCE M876-4 is connected to the Internet via the WAN
interface (usb0) and via the interface P1 (vlan1). The connection via the WAN interface is the
main connection, the other is the fallback connection. All data traffic is handled via the main
connection. The "Connection Check" function is used to monitor the main connection. If none
of the destination addresses respond, the main connection ① is considered to be down and
the device triggers the "Fallback" action on the fallback connection. The Internet can now be
reached via the fallback connection ②. Once the Internet can be reached via the main
connection again, the device switches back to the main connection.

Requirement
● The device can be accessed via a PC.
● You are logged on to the WBM as a user with administrator rights.
● Access to the mobile network and mobile services is configured.

Settings used
For the configuration example, the devices are given the following IP address settings:

Device Interface IP address


① M876-4 WAN port (usb0) Dynamic IP address from the provider

② LAN port (P1) 192.168.16.10


Gateway
LAN IP address of the Internet router
Internet router LAN port 192.168.16.100
WAN port Dynamic IP address from the provider

Note
The IP settings used in the configuration example were freely chosen.
In a real network, you would need to adapt these IP settings to avoid possible address
conflicts.

Connection Check
20 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.1 Fallback for Internet connection

2.1.1 Creating a route and firewall

Creating a route to the Internet gateway


The fallback connection uses a DSL router as an Internet gateway. A static route is required
for access.
1. Click "Layer 3 > Static Route" in the navigation area.
2. Configure the route with the following settings:
Destination Net- 0.0.0.0
work
Subnet mask 0.0.0.0
Gateway 192.168.16.100
LAN IP address of the router
Interface vlan1 (INT)

3. Click the "Set Values" button.

Creating a firewall rule


It is not possible to allow data exchange from internal (vlan1) to external (usb0) using pre-
defined rules. A firewall rule is created to allow a specific device to access the Internet.
Configuring IP services HTTPS
1. Click on "Security > Firewall" in the navigation area and on the "IP Services" tab in the
content area.
2. Under "Service name", enter e.g. "HTTPS" and click "Create". A new entry is created in
the table.
3. Configure HTTP with the following settings:
Transport TCP
Destination Port (Range) 443 (default port)

4. Click on "Set Values".


Allow a specific device Internet access
1. Click on "Security > Firewall" in the navigation area and on the "IP Rules" tab in the
content area.
2. Click "Create". A new entry is created in the table.

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 21
Configuring fallback for connection
2.1 Fallback for Internet connection

3. Configure the firewall rule for HTTP with the following settings:
Action Accept
From vlan1 (INT)
To usb0
Source (Range) 192.168.16.10 (the required device)
Destination (Range) 0.0.0.0/0 (all addresses)
Service HTTPS

4. Click on "Set Values".

2.1.2 Configure fallback function


In addition to the fallback, the accessibility of the connection is monitored using 2 destination
addresses. If the main connection fails, the "Fallback" action is performed.

Procedure
1. Click on "System > Connection Check" in the navigation area and on the "Connection
Fallback" tab.
2. Configure the function with the following settings:
Priority Interface
1 usb0 Main connection
2 VLAN1 (INT) Fallback connection

3. Enable the "Connection Fallback" function.


4. Click the "Set Values" button.
5. Click the "Connection Check" tab.
6. Configure the "WAN" group with the following settings:

Parameter Setting
Name WAN The group name is displayed in the "Action" table as a
column name.
Source Interface usb0 The accessibility of the destination address is checked via
the mobile network interface.
Interval 60 seconds The interval between the ping tests.

TTL 128 Time To Live


Retries 3 Number of ping retries
1st Ping Target siemens.com The reachability is checked with these destination ad-
2nd Ping Target google.com dresses.

3rd Ping Target -

Connection Check
22 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.1 Fallback for Internet connection

7. Configure the following settings for the "WAN" group in the "Action" table:

Parameter Setting
Action for usb0 The action is performed at the mobile network interface.
1st Action None No action

2nd Action Fallback The fallback connection is enabled.


3rd Action None No action
4th Action None No action
5th Action None No action

8. Select "Enable Connection Check" and click on the "Set Values" button.

Result
The fallback for the connection to the Internet is configured.
Standard mode:
In standard mode, the connections have the following status:

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 23
Configuring fallback for connection
2.1 Fallback for Internet connection

Main connection failed


If neither destination addresses are accessible, the "Fallback"action is performed on the 2nd
unsuccessful ping test.
The corresponding messages are displayed under "Information > Log Tables" > "Event Log".
All data traffic now flows via the fallback connection. The status of the main connection
changes to "Not reachable".

Connection Check
24 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

2.2 Fallback for connection to SINEMA RC

2.2.1 Introduction
For the example configuration, the station is connected to the SINEMA RC Server in the
control center via a SCALANCE M876-4. The "Connection Check" function monitors the
main connection ① to the SINEMA RC server. If the SINEMA RC server does not respond,
the main connection is considered to be down and the device triggers the "Fallback" action.
The SINEMA RC server can be reached via the fallback connection ②.

Requirement
● The device can be accessed via a PC.
● You are logged on to the WBM as a user with administrator rights.
● Access to the mobile network and mobile services is configured.

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 25
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

Settings used
For the configuration example, the devices are given the following IP address settings:

Device Interface IP address


Station ① M876-4 WAN port (usb0) Dynamic IP address from the provider

② LAN port (P1) 192.168.16.10


Gateway
LAN IP address of the Internet router
Internet router LAN port 192.168.16.100
WAN port Dynamic IP address from the provider
Master station SINEMA RC LAN port 192.168.20.250
Server 255.255.255.0
(VPN server) WAN port The WAN IP address via which the
SINEMA RC Server can be reached is the
WAN IP address of the router in this ex-
ample. 192.168.184.20
The default gateway is the LAN IP ad-
dress of router192.168.20.2
Router 1 LAN port 192.168.20.2
255.255.255.0
WAN port Static IP address assigned by the provid-
er, e.g. 192.168.184.20

Note
The IP settings used in the configuration example were freely chosen.
In a real network, you would need to adapt these IP settings to avoid possible address
conflicts.

Connection Check
26 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

2.2.2 Configuring a VPN connection on the SINEMA RC Server

Configuring SCALANCE M876-4 as a device


1. In the navigation area, click "Remote connections > Devices". Click "Create" button to
create a new device.
2. Configure the device with the following settings.

Device name The following characters are permitted: a-z, A-Z, 0-9 and _. The
space character is not allowed. "conn" cannot be used as a name.
Password The password must be made up of uppercase and lowercase let-
Confirm password ters, numbers and special characters.
This password is required again later when configuring the
SCALANCE S615.
Type SCALANCE M876 / M874 / RM1224
VPN protocol OpenVPN
Type of connection Permanent
Request VPN address Is enabled.
Participant group vpn_user_group
To add the participant group, click "Add".

3. Click "Quick Finish".


The device overview opens.

Determine device ID and export certificate


1. Click on the symbol in "Actions" to open the device information.
2. Write down the entry for "Device ID", or copy the entry and save the value to a text file in
your local directory.
3. Click on the symbol in "Export CA" and save the certificate to a local directory on the
PC.
4. Close the dialog with "Exit dialog".

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 27
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

2.2.3 Configuring VPN connection on the device

Requirement
● The correct time is set on the devices.

Note
Manual time setting - reaction after interrupting the power supply
Note that the time is reset to the factory setting if the power supply is interrupted. On
return of the power, you need to set the system time again. As a result, certificates can
lose their validity.
Synchronization using a time server
Synchronization of the system time using a public time server creates additional data
traffic on the connection. This may result in additional costs, depending on your
subscriber contract.

● A valid KEY-PLUG is plugged into the device.


● The route to the Internet gateway is created (Page 21).
● The firewall rule for the data exchange from internal to external is created (Page 21).

Loading a certificate
1. In the navigation area, select "System > Load & Save" and the "HTTP" tab in the content
area.
2. Click the "Load" button next to "X509Cert".
The SCALANCE M876-4 uses this certificate to verify the SINEMA RC server during
initialization of the VPN tunnel.

Configuring a VPN connection to the SINEMA RC Server


1. Wire the digital input.
You can find additional information on the terminals in the operating instructions.

Note
Notes on device
Please note the safety instructions in the operating instructions.

2. In the navigation area, select "System > Events".


3. In the "VPN tunnel" column, enable the event "Digital Input".
4. Click on "Set Values".
5. In the navigation area, select "System > SINEMA RC".

Connection Check
28 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

6. Configure the SINEMA RC Server with the following settings:

SINEMA RC Address The WAN IP address via which the SINEMA RC Server can be
reached is the WAN IP address of the router in this example.
Verification type The password must be made up of uppercase and lowercase let-
ters, numbers and special characters.
CA certificate The loaded CA certificate
Device ID Value of the "Device ID" that SCALANCE M876-4 received in the
SINEMA RC server.
Device Password The password that you have configured for access.
Device Password Confirma-
tion
Auto Firewall/NAT Rules Enabled.
Corresponding rules are created automatically.
Type of connection Digital Input
Timeout [min] 30
The VPN tunnel is automatically disconnected after 30 minutes of
inactivity.

7. Click on "Set Values".

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 29
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

2.2.4 Configure fallback function

Procedure
1. Click on "System > Connection Check" in the navigation area and on the "Connection
Fallback" tab.
2. Configure the function with the following settings:
Priority Interface
1 usb0 Main connection
2 VLAN1 (INT) Fallback connection

3. Enable the "Connection Fallback" function.


4. Click the "Set Values" button.
5. Click on the "Connection Check" tab.
6. Configure the "WAN" group with the following settings:

Parameter Setting
Name WAN The group name is displayed in the "Action" table as a
column name.
Source Interface usb0 The accessibility of the destination address is checked via
the mobile network interface.
Interval 60 seconds The interval between the ping tests.

TTL 128 Time To Live


Retries 3 Number of ping retries
1st Ping Target IP address of the The reachability is checked with these destination ad-
SINEMA RC dresses.
server
192.168.184.20
2nd Ping Target -
3rd Ping Target -

7. Configure the following settings for the "WAN" group in the "Action" table:

Parameter Setting
Action for usb0 The action is performed at the mobile network interface.
1st Action None No action

2nd Action Fallback The fallback connection is enabled.


3rd Action None No action
4th Action None No action
5th Action None No action

Connection Check
30 Getting Started, 07/2020, C79000-G8976-C574-02
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

8. Select "Enable Connection Check" and click on the "Set Values" button.

Result
The fallback for the connection to the SINEMA RC server is configured. If the SINEMA RC
server is no longer accessible via the mobile network interface, the fallback connection will
be used.

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 31
Configuring fallback for connection
2.2 Fallback for connection to SINEMA RC

Connection Check
32 Getting Started, 07/2020, C79000-G8976-C574-02
Index

G
Glossary, 5

S
Service & Support, 4
SIMATIC NET glossary, 5

T
Training, 4

Connection Check
Getting Started, 07/2020, C79000-G8976-C574-02 33
Index

Connection Check
34 Getting Started, 07/2020, C79000-G8976-C574-02

You might also like