This troubleshooting guide applies when a VPN connection has been successfully established to an Ewon, but one or more LAN devices connected to it cannot be reached. It provides steps to resolve this issue and reach the LAN devices through Ecatcher or M2Web. Several things can cause this, including a network overlap (IP conflict), Ecatcher firewall settings, and the NatItf setting.
APPLICABLE PRODUCTS
- Ewon Cosy
- Ewon Flexy
- Ecatcher
- M2Web
ISSUE / QUESTION / SYMPTOM
LAN devices are connected to the Ewon, but cannot be reached. Pinging them fails with "no route to host". Trying to connect to a device like an HMI in the browser never loads.
POSSIBLE CAUSES / ANSWER
Network Adapter Conflict
Ecatcher uses its own network adapter. Traffic for your Ewon's LAN is sent through this adapter, rather than through your Ethernet port, for example, so that it goes through the VPN to the Ewon's LAN network.
Fig 1. Talk2m Network Adapter
In some cases, your PC may be sending traffic to the wrong adapter. If you are able to ping the Ewon's VPN IP address (example below) but you cannot ping the LAN IP, you likely have this issue.
Fig 2. Ewon VPN IP Address
Troubleshooting Steps:
Try disabling any adapters that aren't for your internet connection or Talk2m. The most common culprits are other VPN clients such as OpenVPN or PLC simulation software like Siemens PLCSIM.
Network Overlap
When trying to connect through Ecatcher, the local network and the Ewon's LAN should be in different subnets to allow remote access to all the devices connected to the Ewon's LAN. When there is overlap between these two networks, you will see the following error messages:
Fig 3. Network overlap 1
Fig 4. Network overlap 2
Troubleshooting Steps:
To solve this issue, there are a few options:
- Make sure the network of the PC running Ecatcher and the Ewon's LAN are in different subnets
- Change the LAN IP address of the Ewon and its LAN devices
- Use a different network address to connect the PC to the Internet
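The overlap condition can be checked before connecting. The following is an added example, not part of the original guide or of Ecatcher: it compares the Ewon's LAN subnet with the subnets of the PC's adapters and proposes a non-overlapping subnet for the Ewon. The adapter names, addresses and the `192.168.0.0/16` pool are constructed sample values.

```python
import ipaddress

def _adapter_networks(pc_adapters):
    # "192.168.0.57/24" -> IPv4Network("192.168.0.0/24")
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in pc_adapters.items()}

def _overlap(a, b):
    # Networks of different IP versions never overlap.
    return a.version == b.version and a.overlaps(b)

def find_overlaps(ewon_lan, pc_adapters):
    """Return [(adapter, subnet)] for each PC adapter whose subnet overlaps
    the Ewon's LAN. A larger PC subnet that contains the LAN also counts."""
    lan = ipaddress.ip_interface(ewon_lan).network
    return [(name, str(net))
            for name, net in _adapter_networks(pc_adapters).items()
            if _overlap(net, lan)]

def suggest_free_subnet(pc_adapters, pool="192.168.0.0/16", prefix=24):
    """Return the first subnet in `pool` that overlaps no PC adapter, as a
    candidate for the Ewon's LAN, or None if the pool is exhausted."""
    nets = list(_adapter_networks(pc_adapters).values())
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(_overlap(candidate, n) for n in nets):
            return str(candidate)
    return None

if __name__ == "__main__":
    # Constructed sample: adapters on the PC running Ecatcher (Talk2m excluded).
    pc = {"Ethernet": "192.168.0.57/24",
          "Wi-Fi": "10.20.30.40/16",
          "OpenVPN TAP": "172.16.5.2/24"}
    ewon_lan = "192.168.0.53/24"  # constructed Ewon LAN IP and mask
    for name, net in find_overlaps(ewon_lan, pc):
        print(f"overlap: Ewon LAN {ewon_lan} conflicts with {name} ({net})")
    print("candidate Ewon LAN subnet:", suggest_free_subnet(pc))
```

If the Ewon's LAN is moved to the suggested subnet, its LAN devices have to be readdressed as well, as the second option above states.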
Firewall Set Too High
The firewall setting in Ecatcher can be set to different security levels, including Standard and High. When High security is selected, only the devices listed under the Ewon's LAN are reachable by connected users. Therefore, if the LAN device being accessed is not declared in Ecatcher, it will not be reachable.
Troubleshooting Steps:
To solve this issue, there are two options:
- Change the firewall security level. Click on the Ewon in Ecatcher → Properties → Configure LAN Devices & Firewall
Fig 5. Firewall Setting: Move the bar to "Standard"
- Add the LAN device. Click on the Ewon in Ecatcher → Properties → Configure LAN Devices & Firewall → Add LAN Device
NatItf Not Set Appropriately
The Ewon’s NAT and TF settings affect how devices must be configured to be accessible through the Ewon’s VPN connection. NAT on LAN (Plug’n Route) only requires that LAN devices' IP addresses are on the Ewon’s subnet. If this setting is changed to NAT and TF on WAN, the LAN devices must also have their gateway IP set to the Ewon’s LAN IP address.
Troubleshooting Steps:
To solve this issue:
- On a Cosy, connect to the device's web interface and navigate to Setup → System → Storage → Tabular Edition → Edit COM cfg and search for NatItf. Double click the value to edit, set it to 3 (for Plug'n Route), save, and reboot the Ewon.
Fig 6. Ewon's web interface: changing NatItf setting on Cosy
- On Flexy, navigate to Setup → System → Communication → Networking → Routing, then change the "Apply NAT and TF to connection:" dropdown to NAT on LAN (Plug'n Route)
Fig 7. Ewon's web interface: changing NatItf setting on Flexy
RTEnIpFwrd Disabled
RTEnIpFwrd is a parameter that allows traffic to be routed from the device's WAN to its LAN, thereby allowing access to LAN devices through the VPN. If it is set to 0, forwarding is disabled and no access is allowed.
Troubleshooting Steps:
To solve this issue:
- Connect to the device's web interface and navigate to Setup → System → Storage → Tabular Edition → Edit COM cfg and search for RTEnIpFwrd. Double click the value to edit, set it to 1, save, and reboot the Ewon.
- After rebooting, check that the value is now 1. If it isn't, verify that the Ewon has a WAN port. If every Ethernet port is set to work as a LAN port, RTEnIpFwrd cannot be changed.
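The firewall, NatItf and RTEnIpFwrd rules above can be applied together to an inventory of LAN devices. The following is an added example, not part of the original guide or of any Ewon tool: it reports, per device, which of those rules would block access. The dictionary layout, device names and addresses are constructed for this example; the setting names and mode labels are the ones used in this guide.

```python
import ipaddress

def audit_lan_devices(ewon, devices):
    """Return {device name: [reasons]} for devices that the rules in this
    guide say cannot be reached through the VPN."""
    lan_if = ipaddress.ip_interface(ewon["lan"])  # Ewon LAN IP and mask
    findings = {}
    for dev in devices:
        reasons = []
        # RTEnIpFwrd = 0: no traffic is routed from WAN to LAN at all.
        if ewon["RTEnIpFwrd"] == 0:
            reasons.append("RTEnIpFwrd is 0, forwarding to the LAN is disabled")
        # Both NAT modes require the device IP to be on the Ewon's subnet.
        if ipaddress.ip_address(dev["ip"]) not in lan_if.network:
            reasons.append("IP is outside the Ewon's LAN subnet")
        # NAT and TF on WAN: the device must also use the Ewon as gateway.
        gw = dev.get("gateway")
        gw_ok = gw is not None and ipaddress.ip_address(gw) == lan_if.ip
        if ewon["nat"] == "NAT and TF on WAN" and not gw_ok:
            reasons.append("gateway is not the Ewon's LAN IP")
        # High firewall level: only devices declared in Ecatcher are reachable.
        if ewon["firewall"] == "High" and dev["ip"] not in ewon["declared"]:
            reasons.append("not declared in Ecatcher while the firewall is High")
        if reasons:
            findings[dev["name"]] = reasons
    return findings

# Constructed sample configuration and inventory.
SAMPLE_EWON = {"lan": "10.0.0.53/24", "nat": "NAT and TF on WAN",
               "firewall": "High", "RTEnIpFwrd": 1, "declared": {"10.0.0.10"}}
SAMPLE_DEVICES = [
    {"name": "HMI", "ip": "10.0.0.10", "gateway": "10.0.0.53"},
    {"name": "PLC", "ip": "10.0.0.20", "gateway": None},
    {"name": "Drive", "ip": "192.168.1.5", "gateway": "10.0.0.53"},
]

if __name__ == "__main__":
    for name, reasons in audit_lan_devices(SAMPLE_EWON, SAMPLE_DEVICES).items():
        print(f"{name}: " + "; ".join(reasons))
```

In the sample, the PLC is blocked twice over: declaring it in Ecatcher keeps the High firewall level in place, and setting its gateway satisfies NAT and TF on WAN.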
Device Not Configured for Access Through M2Web
If LAN devices can be reached through Ecatcher but not M2Web, there is likely an issue with how the devices are configured in Ecatcher.
Troubleshooting Steps:
Ensure that M2Web access is enabled in the device's configuration in Ecatcher. Click on the Ewon in Ecatcher → Properties → Configure LAN Devices & Firewall, then either select the device from the list and choose Properties or add a new device if it's not present. At the bottom of the LAN Device popup, ensure "Visible in M2Web" is checked, and that the protocol, port, and home page (if any) are set appropriately.
Different LAN IP Set in Ecatcher
In a device's properties in Ecatcher, under the LAN & Firewall section, there is a button labeled "Modify LAN Subnet". If this button is used to change the device's LAN address, Ecatcher will add routes based on the IP address set here, but the change will not propagate to the Ewon itself. In this case, it is no longer possible to reach the Ewon's LAN.
Troubleshooting Steps:
Ensure that the LAN IP shown in the menu accessed with this button matches the LAN IP set on the device itself. If it's necessary to change the Ewon's LAN IP, do so with eBuddy or in the web interface of the Ewon itself, and the change will also be sent to Ecatcher to correct the routing information.