File Logs Interpretation
This topic has 15 replies, 4 participants and was last updated 3 years, 3 months ago by Sergio Bertana.

June 6, 2018 at 3:55 pm #44212 Marcello (Participant)
I have a problem with a program that ran very well until yesterday. I just added a 0-10V analog input reading that is sent to an Arduino-like display via the I2C port. To understand what was happening I isolated some instructions and I arrived at SysVarsnprintf, which transforms the analog value into a string. I have done several tests but I cannot get to the bottom of it. Here is the configuration of my system: a Cortex M7 OEM CPU module is connected with:
3 SDM 120 energy meters on COM2
1 Inverter on COM2
1 Modbus remote relay console on COM1
1 Charger on COM0
1 4 × 20 Arduino display on I2C
1 Digital potentiometer on I2C
1 Voltage divider on analog input AI00
1 HMI Weintek MT8071IE IP 192.168.0.200
So through Toolly and Syslog I tried to understand more, but the result is not clear since I do not know how to interpret the data I get; the same goes for the Logs.txt file downloaded from the browser. How do you interpret the values of Syslog and Logs.txt? This is an excerpt from the Logs.txt file:
[L] SFW198 [06/06/2018 09:42:24] 6000, Run ApplID: 0x896B9D59
[E] SFR055 [06/06/2018 09:42:30] 6670, [7] IP: 192.168.0.200:36935
[E] SFR050 [06/06/2018 09:57:30] 1020, Except: MEM_MNG At: 0x004A239B
[L] SFR050 [06/06/2018 09:57:30] 1000, System power on
[L] SFW198 [06/06/2018 09:57:30] 5005, Starting Op. System SFW198B000
[E] SFW198 [06/06/2018 09:57:30] 6030, LLab Cn, ApplID: 0x896B9D59
[L] SFW198 [06/06/2018 09:58:18] 6000, Run ApplID: 0x896B9D59

June 6, 2018 at 4:07 pm #44215 Sergio Bertana (Administrator Forum)
The Logs.txt file contains all the information related to the system anomalies; they are the same ones returned by the SysLog command executed via Telnet. Each line begins with the type of signaling:
[W] Warning, indicates a minor anomaly
[E] Error, indicates an operating error
[L] Log, indicates the recording of an event
The following string indicates in which section of the operating system the event was created. The date/time of the event follows, then the event identification number and a brief description. These data are used by us to understand the type of problem that has occurred in a certain program; for this reason they are not documented.
Analyzing your report, at 9:42 you are running the PLC program, and at 9:57 a memory access exception occurred (this error is very serious and reboots the system). This can happen when, for example, using a pointer, you leave the addressable memory range of the system.
Since you tell me you added a SysVarsnprintf, check the address of the variable and the address of the memory buffer where the function writes the print value; you probably have an addressing error.

October 12, 2019 at 6:07 am #50186 Rubox (Participant)
I put an excerpt from the Logs.txt file. I need to understand what is wrong, because they are all messages with [E].
[E] SFR055 [09/10/2019 03:04:26] 6675, [5] IP: 112.29.140.221:38008
[E] SFR055 [09/10/2019 03:07:53] 6675, [5] IP: 201.1.179.176:26837
[E] SFW198 [09/10/2019 03:12:49] 3110, Wrong ARG: remote_submit_Flag
[E] SFW198 [09/10/2019 03:21:13] 3110, Wrong ARG: admin
[E] SFR055 [09/10/2019 03:25:57] 6670, [7] IP: 152.136.69.250:22701
[E] SFR055 [09/10/2019 03:26:58] 6630, TCP No ack: 152.136.69.250:34180
[E] SFW198 [09/10/2019 03:27:01] 3110, Wrong ARG: h
[E] SFR055 [09/10/2019 03:27:15] 6670, [5] IP: IP: 152.136.69.250:55461
[E] SFR055 [09/10/2019 06:21:45] 6675, [5] IP: 71.6.232.4:43508
[E] SFR055 [09/10/2019 07:14:25] 6675, [5] IP: 27.216.254.216:56271
[E] SFR055 [09/10/2019 12:49:17] 6675, [5] IP: 219.98.16.82:51157
[E] SFW198 [09/10/2019 13:02:47] 3110, Wrong ARG: remote_host
The IP addresses shown do not refer to the WAN addresses provided by the router (I imagine they are IP addresses with the port). The program accesses the internet for the following operations:
Ping 8.8.8.8
Send an e-mail at 10, 12 and 18
At midnight it connects to an FTP whose IP starts with 87 and saves a file
All these operations execute correctly.
They are the cause of external attempts to scan the ports. Which ports are necessary for the PLC to be able to work and ping, send emails and manage FTP? Possibly I could think of closing all the ports and opening only those needed by the firewall of the router?

October 12, 2019 at 6:15 am #50199 Sergio Bertana (Administrator Forum)
I don't know which version of the operating system you have; here is the explanation for each category of errors.
[E] SFW198 [09/10/2019 03:27:31] 3110, Wrong ARG:m
Error 3110: Argument (e.g. "UINT 10") wrong in web page.
[E] SFR055 [09/10/2019 03:22:19] 6670, [5] IP: 152.136.69.250:55461
Error 6670: TCP active close timeout (no response to the shutdown undertaken by SlimLine) of a connection with IP:Port.
[E] SFR055 [09/10/2019 03:04:26] 6675, [5] IP:112.29.140.221:38008
Error 6675: Passive open timeout (so someone trying to log in) from IP:Port.
As far as I understand it, SlimLine connects to the Internet via a router, but it must not be accessible from the Internet, so the firewall must block all incoming connections.
It is advisable to check that you have the latest version of the operating system and, if necessary, to update.

October 14, 2019 at 1:55 pm #50200 Rubox (Participant)
I don't have access to the PLC right now, but I seem to remember that I updated the firmware in May; I need to check it out better. The SlimLine performs the following connections: ping to Google DNS (8.8.8.8), NTP to the INRIM server 193.204.114.232, FTP to my NAS, which has an IP that is none of those listed, and at 10 in the morning it sends mail via a mail server whose IP is not included in Logs.txt.
Right now the SlimLine is not accessible from the router, I have blocked all the ports, but I would like to make it reachable remotely to view a web page with the values, and to be able to modify the program even remotely. So I guess I should open on the router, and point to the local IP of the SlimLine, port 80 and the ports required by LogicLab and FTP. And if I want to see it with Toolly, also 22.
The thing that left me stunned is that all those IP addresses, running a whois, are referable to Chinese, Armenian, Turkish, Korean telecommunications companies and so on.
The SIM in the 4G router is from an Italian company, the connections I make are those described above ... I am puzzled that, having closed the ports on the router (I tried and the router does not let them pass), SlimLine receives connection attempts on ports that should theoretically be closed.
I was also afraid of having exported some FB from its example programs that required the password for continuous use and that SlimLine communicated this in some way (I say this with a smile ... but I thought it).
Monday I will download the last Logs.txt file from SlimLine and then I will check and possibly update the FW. I will delete the Logs.txt file and leave it without a router, only locally, and see how it behaves.

October 14, 2019 at 2:31 pm #50204 Sergio Bertana (Administrator Forum)
Being connected through a 4G router, which is usually NATed unless expressly requested, it should not be possible to receive incoming connections. But from the log file it is clear with certainty that the connection comes from IPs external to the network, therefore someone in that network passes requests from outside.
Yes, to see web pages from the Internet you have to open port 80, if you want to see it also from Telnet you have to open port 23, and for FTP the ports to be opened are 21 and 1024 (modifiable from the web page); all these connections are password protected.
If you want to program it with LogicLab you must open port 502 (this port is not password protected), but make sure your 4G operator gives you a public IP.

October 14, 2019 at 2:32 pm #50202 Paul (Participant)
I have a SlimLine Cortex M7 updated with the latest firmware version Pck043b510; I noticed the following report in the log file:
[E] SFR055 [01/01/1970 02:07:03] 7600, TUF no file available
What does it mean?

October 14, 2019 at 2:54 pm #50206 Sergio Bertana (Administrator Forum)
The error indicates that all 32 manageable sockets were used and kept open at the same time.
I recommend defining the LifeTime parameter to automatically close sockets where there is no traffic; otherwise, in case of client hardware disconnection (for example, a remote client connected to a socket server on the SlimLine via WiFi or from the Internet is turned off), not being able to perform the correct closing sequence, it keeps the socket hanging and busy.
The NetStat command from Telnet returns the list of sockets used by the system.

October 15, 2019 at 1:15 pm #50207 Rubox (Participant)
I asked the operator to be able to access the network remotely and they gave me the SIM with the service enabled. I noticed that those requests which correspond to the 6670 and 6675 codes appear when I remotely access the web page I created to display the values and that uses AJAX. However, I can't explain IP requests from communications companies everywhere. From Toolly I extracted this with the syslog:
[W] SFR055 [14/10/2019 06:35:28] 7060, [5] IP: 185.53.88.92:46333
[W] SFR055 [14/10/2019 06:35:28] 7920, eTCPServer file not found [80]
[W] SFR055 [14/10/2019 07:17:58] 7060, [5] IP: 213.190.166.70:41115
[W] SFR055 [14/10/2019 07:17:58] 7920, eTCPServer file not found [80]
The FW is updated to the latest version.
Tomorrow, with more calm and a clear mind, I will go over everything again, because the PLC network is composed only of PLCs and routers. I will reset all the firewalls and open the strictly necessary ports (the 1024 for FTP, for example, I didn't know) and I will continue with my tests.

October 15, 2019 at 1:15 pm #50210 Rubox (Participant)
I have checked and the FW is updated to the latest version. I checked if the router closes the incoming ports with nmap and other online services and the ports are closed: the only ones open are 80 and 21. Now in the Logs.txt file I have the following log line every 30 seconds:
[E] SFR055 [date and time] 5330, TCP packet checksum error
and sometimes the line with the code:
[E] SFR055 [date and time] 6675, [7] IP: port
where the IP is of some Japanese or Chinese telecommunications company.
I would like to understand where that TCP packet checksum error comes from, and also the 6675.

October 15, 2019 at 1:22 pm #50217 Sergio Bertana (Administrator Forum)
Having opened only 1 port (and in your case you have certainly opened port 80 for the HTTP server), anyone from all over the world can access your system and try to enter, generating a series of errors.
Error 5330 indicates that a TCP packet with a wrong checksum has been received; the fact that it repeats every 30 seconds is because, when an error recurs, it is saved only every 30 seconds.
Error 6675 indicates that someone from IP and port tried to connect, started the Three-Way Handshake sequence but then did not complete it in the predefined time.
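
Added example (not part of any forum post and not the manufacturer's code): a Python triage of Logs.txt entries using only the code meanings given in the replies above, separating Internet-side peers from LAN peers and collecting the web arguments rejected with error 3110. The names `parse_line` and `triage` are hypothetical, and the sample lines are adapted from the logs quoted in this thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Meanings as stated in the replies on this page; other codes are reported as unexplained.
CODE_MEANING = {
    1020: "exception, system reboot", 3110: "wrong argument in web page",
    5330: "TCP packet checksum error", 6670: "TCP active close timeout",
    6675: "passive open timeout", 7600: "all 32 sockets in use",
}
LINE_RE = re.compile(r"^\[([WEL])\]\s+(\S+)\s+\[([^\]]+)\]\s+(\d+),\s*(.*)$")
PEER_RE = re.compile(r"IP:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(\d+)")

def parse_line(line):
    """Parse one Logs.txt line; tolerates the spaced date/IP form seen in this thread."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity, module, stamp, code, text = m.groups()
    peer = PEER_RE.search(text)
    try:
        peer_ip = ip_address(peer.group(1)) if peer else None
    except ValueError:  # octet out of range: keep the entry, drop the peer
        peer_ip = None
    return {"severity": severity, "module": module, "code": int(code), "text": text,
            "stamp": re.sub(r"\s*([/:])\s*", r"\1", stamp), "peer": peer_ip}

def triage(lines):
    """Return (Internet peers by hit count, rejected web arguments, unexplained codes)."""
    internet_peers, web_args, unexplained = Counter(), [], Counter()
    for entry in filter(None, map(parse_line, lines)):
        if entry["peer"] is not None and entry["peer"].is_global:
            internet_peers[str(entry["peer"])] += 1
        if entry["code"] == 3110:
            web_args.append(entry["text"].split(":", 1)[-1].strip())
        elif entry["code"] not in CODE_MEANING and entry["severity"] != "L":
            unexplained[entry["code"]] += 1
    return internet_peers, web_args, unexplained

# Sample input: entries adapted from the logs quoted in this thread.
SAMPLE = [
    "[E] SFR055 [06/06/2018 09:42:30] 6670, [7] IP:192.168.0.200:36935",
    "[E] SFR055 [09 / 10 / 2019 03: 04: 26] 6675, [5] IP: 112.29.140.221: 38008",
    "[E] SFW198 [09/10/2019 03:21:13] 3110, Wrong ARG: admin",
    "[E] SFR055 [09/10/2019 03:25:57] 6670, [7] IP: 152.136.69.250:22701",
    "[E] SFR055 [09/10/2019 03:26:58] 6630, TCP No ack: 152.136.69.250:34180",
    "[E] SFR055 [09/10/2019 03:27:15] 6670, [5] IP: 152.136.69.250:55461",
]
if __name__ == "__main__": print(triage(SAMPLE))
```

The LAN HMI address (192.168.0.200) is excluded from the Internet-peer count, and code 6630, which the replies do not explain, is reported separately rather than guessed at.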

October 16, 2019 at 10:01 am #50218 Rubox (Participant)
I ask you for advice: if I want to make the measured values available through the web server of the SlimLine, I have to leave port 80 open. What are the risks? Or how can you best defend the SlimLine? How do you behave in these cases?

October 17, 2019 at 12:19 pm #50226 Sergio Bertana (Administrator Forum)
To defend yourself in the best way and to avoid all the problems of having a connection with public IP, I recommend sending data from SlimLine to the cloud. In this way you do not have to open any incoming ports and therefore there is no possibility to connect to the SlimLine.
To do this you can use the MQTT or REST protocols (if you look in our Knowledge you will find many articles that talk about it); you can look for example at this article or this article.

October 18, 2019 at 6:01 am #50227 Rubox (Participant)
Closing all ports also means the inability to program remotely, and this could be manageable if the system is close, a little less if it is sent far away.
As for using a cloud, I honestly know nothing about REST (and MQTT), but I've read in another discussion about the use of HTTPClient to send a GET or POST string to a page, so if I understand correctly I could send it all to a getvalues.php page, process the GET string and insert the values into a DB. And then create a page that reads the data and puts it in graphic or textual form.
Or try the program that you linked me and that uses REST. Reading the listing I have many questions, but first I want to try it and see if I can find some answers for myself.

December 30, 2020 at 8:18 am #58629 Rubox (Participant)
I get the following line in the log file: can you please tell me what it can refer to, so that I can then look for the source?
The program is basic at the moment; it uses eTON timers, eTOFF and BOOL variables (30 ST program lines in all).
[W] SFW198 [date time] 3110, ARG no length definition, 3