Description One option the web server gives you is to monitor and diagnose the topology of PROFINET modules. This enables evaluation and diagnostics through the internet or a company intranet even over great distances. If you open the web page of your CPU with the HTTPS protocol in Windows 7 using Internet Explorer 9, you get the Microsoft security warning "Certificate error".
The cause of this behavior is the fact that a certificate is missing. If the certificate is not installed, a warning is displayed recommending not to open that page. You must explicitly add a certificate to be able to view the page.
Proceed as described in the table below to obtain the valid CA (Certification Authority) certificate.
Click the "download certificate" button as in Fig. 01. In the "Certificate" dialog that opens, start the installation by clicking the "Install certificate..." button.
In the "Certificate import assistance" dialog you select the "Place all certificates in the following store" function and click the "Browse..." button.
In the "Select certificate storage" dialog that opens you select this storage:
"Trusted root certificate site".
Then click OK and confirm the next message with "Yes".
Once the CA certificate has been successfully imported, the "Certificate Import Wizard" indicates this with an appropriate message. Acknowledge this message with "OK".
Restart the Internet Explorer.
Note If you assign user rights in the web server through the HWCN in STEP 7 / TIA Portal, you need a certificate for the SSL pages (HTTPS). This applies to all the web pages of the CPU (also with all browsers and browser versions).
How do you display the diagnostics buffer of a SIMATIC CPU with integrated web server on a SIMATIC Panel?
Description The web server of the SIMATIC CPU provides the user with web pages for displaying diagnostics information. A SIMATIC Panel with Internet Explorer can access the web pages. In this way the user can display the diagnostic buffer and more CPU information on the SIMATIC Panel.
Note The functional differences between the different SIMATIC Panels are given in Entry ID 40227286. This will help you determine which panels support the Internet Explorer.
You can use any SIMATIC CPU that supports the web server function.
Creation environment This FAQ has been created with the software/hardware below.
Create controller Create a SIMATIC controller in your project.
Define CPU properties In the project navigation you open the device configuration of the SIMATIC controller and select the "Properties" tab. Click the "Web server" item and activate the "Enable web server on this module" option.
Save the settings and download the configuration into the SIMATIC controller.
Configuration of the HMI operator panel
Create operator panel Create an operator panel in your project.
Add a button to your screen.
Change to the "Events" tab. Add the "OpenInternetExplorer" function and specify the IP address of the SIMATIC CPU as home page. In this example: "http://172.16.30.32"
Note on security
Caution The functions and solutions described in this article confine themselves predominantly to the realization of the automation task. Furthermore, please take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the internet. More information can be found in Entry ID: 50203404.
Which "local_device_id" do you parameterize in order to establish a connection to FB65 "TCON" for open communication via Industrial Ethernet?
Description Depending on the module and interface through which the connection with the FB65 "TCON" for open communication over Industrial Ethernet is established, you parameterize the "local_device_id" accordingly.
The "local_device_id" for the S7-300 and S7-400 CPUs as well as for the IM151-8 PN/DP CPU and IM154-8 CPU is in the Hardware Configuration (STEP 7 V5.5) or in the Device View of the hardware and network editor (STEP 7 Professional V11). The slot identification for a module's PROFINET interface contains the "local_device_id".
Example for STEP 7 V5.5 The slot identification for the PROFINET interface on a CPU319-3 PN/DP is "X3", in other words you parameterize the "local_device_id" = B#16#03 for open communication through the integrated PROFINET interface on a CPU319-3 PN/DP.
Example for STEP 7 Professional V11 The slot identification for the PROFINET interface on a CPU319-3 PN/DP is "2 X3", in other words you parameterize the "local_device_id" = B#16#03 for open communication through the integrated PROFINET interface on a CPU319-3 PN/DP.
Note The slot identification for the PROFINET interface on an S7-300 CPU, S7-400 CPU, IM151-8 PN/DP CPU or IM154-8 CPU is also printed on the module.
Overview The overview below contains the "local_device_ids" which are to be parameterized for open communication by means of WinAC RTX and S7-400 Industrial Ethernet CP. The "local_device_id" of the WinAC RTX depends on the interface slot of the Industrial Ethernet interface.
Communication over Industrial Ethernet CP of the S7-400 (only with ISO-on-TCP, that means connection_type = B#16#12).
Note Entry ID 15368142 contains information about which S7-400 series Industrial Ethernet CPs support open communication services using T blocks.
Communication through the Industrial Ethernet interface at interface slot 1 (IF1) with WinAC RTX.
Communication through the Industrial Ethernet interface at interface slot 2 (IF2) with WinAC RTX.
Communication through the Industrial Ethernet interface at interface slot 3 (IF3) with WinAC RTX.
Communication through the Industrial Ethernet interface at interface slot 4 (IF4) with WinAC RTX.
The overview below shows the "local_device_id" designations that you parameterize for open communication through the integrated PROFINET interface of an S7-300 CPU, S7-400 CPU, IM151-8 PN/DP CPU or IM154-8 CPU.
Communication through the integrated PROFINET interface of the IM151-8 PN/DP CPU.
Communication through the integrated PROFINET interface of the CPU31x-2 PN/DP, CPU314C-2 PN/DP and IM154-8 CPU.
Communication through the integrated PROFINET interface of the CPU319-3 PN/DP.
Communication through the integrated PROFINET interface of the CPU412-2 PN, CPU414-3 PN/DP, CPU416-3 PN/DP and CPU41x-5H PN/DP (Rack 0).
Communication through the integrated PROFINET interface of the CPU 41x-5H PN/DP (Rack 1).
Why is the message "This page is not available" displayed in the web browser when you call the HTML page "Topology", for example, to read out the topology via the web server of the CPU?
Description The CPUs with integrated PROFINET interface have a web server. The web server gives you the option of monitoring your CPU via the internet or via the internal company intranet. This enables evaluation and diagnostics over great distances.
Messages and status data are displayed on HTML pages. You need a web browser to access the HTML pages.
The requirements below must be fulfilled in order to read out data on the module status, topology and the messages from the CPU via the web server.
The "Report System Error" function must be configured. Then you save and compile the hardware configuration and download the configuration into the CPU.
All the blocks required for the "Report System Error" function must be generated and downloaded into the CPU.
If the requirements are not fulfilled, the HTML pages are not displayed in the web browser. For example, the message "This page is not available" is displayed in the web browser when you call the HTML page "Topology" to read out the topology via the web server of the CPU.
Note Configuration of the "Report System Error" function is done in the hardware configuration via the menu "Options > Report System Error". In the "Report System Error" dialog you click the "Generate" button to generate all the blocks required for the "Report System Error" function.
To make generating and updating the "Report System Error" function automatic you must open the object properties of the S7 station in the SIMATIC Manager. Select the "Settings" tab and enable the "Call during "Save and Compile"" function under "Report System Error".
Further information More information about web server of the S7-300 CPUs is available in the manual in Entry ID: 12996906.
More information about web server of the S7-400 CPUs is available in the manual in Entry ID: 44444467.
How do you reset the IP address and device name of an I device?
Description As from firmware V3.2 the S7-300 CPUs, the IM154-8 CPU and the IM 151-8 PN/DP with integrated PROFINET interface can be configured as I devices. The S7-400 CPUs with integrated PROFINET interface can be configured as I devices as from firmware V6.0.
If the topology of the plant is known, then you can integrate the I devices into the plant without any previous configuration. The address assignment is done by the higher-level IO controller based on the topology.
The requirement for this procedure is that the I device has neither an IP address nor a device name. Brand-new modules meet this requirement. The IP address and the device name are stored permanently in the CPU after the first integration into the network. There are two ways of deleting the data in the CPU.
Reset IP address and device name via STEP 7
Reset the IP address and device name via the user program using the system function block SFB104 "IP_CONF"
Reset IP address and device name via STEP 7 As from STEP 7 V5.5 it is possible to reset modules to the ex-works setting via the menu "Target System > Edit Ethernet Node".
In the "Edit Ethernet Node" dialog you click the "Browse..." button to select the MAC address of the module that is to be reset to the ex-works setting. Then click the "Reset" button. This deletes both the IP address and the device name from the module.
Reset the IP address and device name via the user program using the system function block SFB104 "IP_CONF" The S7-300 CPUs, the IM154-8 CPU and the IM 151-8 PN/DP with integrated PROFINET interface support the SFB104 "IP_CONF" as from firmware V3.2. The S7-400 CPUs with integrated PROFINET interface support the SFB104 "IP_CONF" as from firmware V6.0.
The SFB104 "IP_CONF" is for program-controlled configuration of the integrated PROFINET interface of the CPU. The previously valid configuration data is overwritten.
Using the SFB104 "IP_CONF" you can configure the data below for the integrated PROFINET interface.
IP parameters: IP address, subnet mask and router IP address
PROFINET IO device name if the CPU is being operated as a PROFINET IO device
Save the configuration data in a data block (configuration DB).
Call the SFB104 "IP_CONF" cyclically in the user program of the CPU.
You set the "REQ" input parameters to the value "true" in OB100.
At the input parameter "CONF_DB" you use a pointer to refer to the configuration data stored in the configuration DB.
When the SFB104 "IP_CONF" is called the IP parameters and device name stored in the configuration DB must have the value "0" in order to reset the IP address and device name. For device names it is sufficient for the first byte to be defined with the value "0".
You can use the program-controlled setting of the IP configuration with the SFB104 "IP_CONF" instead of configuring with STEP 7. However, it only becomes effective when you have specified explicitly in the hardware configuration that assignment of IP parameters is to be done "using a different method" than via the hardware configuration.
The S7-300 and S7-400 CPUs can also be reset to the as-delivered status by switch.
More information about configuring an I device is available in the manual "SIMATIC PROFINET System Description" in Entry ID 19292127.
More information about resetting an S7-300 CPU to the as-delivered status by switch is available in the manual "SIMATIC S7-300 CPU 31xC and CPU 31x: Setting Up", in section 9.5, in Entry ID: 13008499.
More information about resetting an S7-400 CPU to the as-delivered status by switch is available in the manual "SIMATIC S7-400 Automation System S7-400 CPU Specifications", in section 3.4, in Entry ID: 44444467.
What should you watch out for when parameterizing the watchdog time when a ring redundancy is established with the Media Redundancy Protocol?
Description The media redundancy function ensures network and plant availability. Redundant transmission paths (ring topology) ensure that when one transmission path fails an alternative path is made available.
The Media Redundancy Protocol (MRP) is a component of the PROFINET standardization in compliance with IEC 61158. An overview of the PROFINET IO controllers and IO devices that support the Media Redundancy Protocol and for which the Media Redundancy Protocol can be enabled is available in Entry ID: 44383954.
If one transmission path fails, reconfiguration of the network, i.e. switchover to the redundant transmission path, can take up to 200ms. 200ms is the maximum reconfiguration time for 50 devices in the ring.
If the watchdog time of the PROFINET IO device is less than the switchover time, then it might happen that OB86 temporarily reports subrack failure/return.
Increase the watchdog time by
Increasing the update time or
Increasing the number of accepted update cycles with missing I/O data.
The watchdog time is the product of the parameters "Update time" and "Number of accepted update cycles with missing IO data". The watchdog time must be greater than 200ms to avoid module failure through redundancy switchover.
Follow the instructions below to increase the watchdog time.
Open the hardware configuration of the SIMATIC S7-300 station that is functioning as PROFINET IO controller.
Mark the PROFINET IO device in the hardware configuration. Double-click the PROFINET interface in the slot table of the PROFINET IO device to open the "Properties" dialog of the PROFINET interface.
In the "Properties" dialog of the PROFINET interface, you switch to the "IO Cycle" tab.
Set the values for the "Update time" and "Number of accepted update cycles with missing IO data" parameters so that the watchdog time is greater than 200ms.
Note A sample application of ring redundancy with the Media Redundancy Protocol (MRP) is available in Entry ID: 33696406.
Description: Remote access is made to an automation system (e.g. SIMATIC S7) via the Internet. In this case, only one controller can be reached by the remote access via port forwarding. Access to other controllers in the automation cell is via PG routing.
PG functions are used with STEP 7 to access an automation system (e.g. SIMATIC S7) in the local network from the external network. Access is made via a gateway that uses the NAT (Network Address Translation) and NAPT (Network Address Port Translation) services.
In the above-mentioned examples, the PG functions permit the following with STEP 7:
Downloading of the configuration and user program to the CPU
Monitoring of blocks and tags
The PG functions, S7 communication etc. use Port 102 (TCP).
Information on which protocol uses which TCP port is available in Entry ID: 8970169.
In the above-mentioned applications, you set the port forwarding in the DSL Modem/Router on the plant side and in the gateway so that the messages of Port 102 from the external network are forwarded to Port 102 of the IP address of the SIMATIC S7. The IP address of the SIMATIC S7 is in the local network.
Example of port forwarding:
Remote access via Internet
using port forwarding
Access via NAT/NAPT
For the following applications, attention must be paid to the fixed external IP address of the standard DSL modem/router on the plant side and the external IP address of the gateway:
so that it is possible to monitor blocks on the SIMATIC S7 CPU online via STEP 7.
so that it is possible to download the configuration via STEP 7.
Monitor blocks You must make the following change in the hardware configuration of the SIMATIC S7 to enable monitoring of blocks on the SIMATIC S7 CPU online via STEP 7.
In the hardware configuration of the SIMATIC S7, you replace the IP address of the interface that enables access to the Internet (e.g. IE CP or integrated PN interface of the CPU) with the external IP address of the DSL modem/router on the plant side.
The changed hardware configuration is only for monitoring the blocks and must not be loaded into the CPU, because this information is stored in the project and thus the system data is changed in the project. A download changes the settings of the CPs or the CPU and thus renders further online monitoring impossible.
A download of the system data or the hardware configuration with changed IP address prevents further online monitoring via port forwarding.
Download interface No changes are made in the project when you set the download interface in STEP 7. The original IP address is retained in the project. Only the IP address of the download target is replaced by the external IP address of the DSL modem/router on the plant side.
Thus, it is also possible to download the system data and hardware configuration without the online connection being cut after the download. However, no block monitoring is possible here.
Note: With the remote access options mentioned above, the local network is not protected against unauthorized access. We therefore recommend that you use a VPN (Virtual Private Network) for remote access via the Internet. Via VPN, you can use the PG functions with STEP 7:
without changing the IP address of the Industrial Ethernet interface in the hardware configuration to monitor the blocks and
without changing the IP address of the download interfaces to download the hardware configuration or user program into the CPU.
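The exposure described in the note above can be checked against a router's forwarding table. The following is an added example, not part of the original entry: it flags forwards that make port 102 (or the web server ports, assumed here to be 80 and 443) reachable from sources outside the VPN range. The rule syntax, addresses and VPN range are constructed for illustration.

```python
"""Audit a port-forwarding table for controller ports exposed to the Internet.

Added example: the rule syntax, addresses and VPN range are constructed.
"""
import ipaddress

# 102/TCP carries PG functions and S7 communication (stated in the entry).
# 80 and 443 are assumed here as the HTTP/HTTPS ports of the CPU web server.
SENSITIVE_PORTS = {
    102: "PG functions / S7 communication",
    80: "web server (HTTP)",
    443: "web server (HTTPS)",
}

# Constructed sample of a plant-side router's forwarding table.
SAMPLE_RULES = """
tcp 102   -> 192.168.0.4:102                          # open to any source
tcp 10102 -> 192.168.0.5:102 from 198.51.100.0/24     # remapped external port
tcp 8443  -> 192.168.0.4:443 from 10.8.0.0/24         # VPN clients only
udp 1194  -> 192.168.0.1:1194                         # VPN endpoint itself
"""


def parse_rules(text):
    """Parse 'proto ext_port -> ip:port [from CIDR]' lines into dicts."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            left, right = line.split("->")
            proto, ext_port = left.split()
            target, _, src = right.strip().partition(" from ")
            int_ip, int_port = target.strip().rsplit(":", 1)
            rules.append({
                "proto": proto.lower(),
                "ext_port": int(ext_port),
                "int_ip": str(ipaddress.ip_address(int_ip)),
                "int_port": int(int_port),
                # A rule without a source restriction accepts any address.
                "src": ipaddress.ip_network(src.strip() or "0.0.0.0/0"),
            })
        except ValueError as exc:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}") from exc
    return rules


def audit(rules, vpn_networks=()):
    """Return findings for sensitive ports reachable from outside the VPN."""
    vpn = [ipaddress.ip_network(n) for n in vpn_networks]
    findings = []
    for rule in rules:
        # Match on the internal port: remapping the external port does not
        # change which service the forwarded packets reach.
        service = SENSITIVE_PORTS.get(rule["int_port"])
        if rule["proto"] != "tcp" or service is None:
            continue
        src = rule["src"]
        if any(src.version == v.version and src.subnet_of(v) for v in vpn):
            continue  # reachable only from the VPN address range
        findings.append({
            "severity": "high" if src.prefixlen == 0 else "medium",
            "ext_port": rule["ext_port"],
            "target": f'{rule["int_ip"]}:{rule["int_port"]}',
            "service": service,
            "allowed_src": str(src),
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_rules(SAMPLE_RULES), vpn_networks=["10.8.0.0/24"]):
        print(f'{f["severity"]:6} ext {f["ext_port"]:>5} -> {f["target"]} '
              f'({f["service"]}) from {f["allowed_src"]}')
```

A finding of severity "high" corresponds to the unprotected port forwarding described above; a forward whose allowed source lies inside the VPN range produces no finding.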
Instructions for configuring a VPN with SCALANCE S6x and SOFTNET Security Client are available in the following entries:
Description: In this entry, we show you how to read out the current topology of the PROFINET IO system connected in the user program of an S7-300 or S7-400 CPU with integrated PN interface.
This is needed in plants where tools are used at different points in the plant, for example, and the interconnection of the PROFINET IO nodes thus changes.
You can read out the neighbor information of ports with SFB52 "RDREC" using data record number 802A (hex). In this way, you determine the topology data of the PROFINET IO nodes. You can evaluate and process this data in the user program.
A description and sample program for parameterizing the SFB52 "RDREC" are available below for downloading.
Sample program: The sample program is a STEP 7 project that contains the complete hardware configuration including the user program of an S7-300 station. The STEP 7 project is available for downloading as a ZIP file.
Extract the "PNIO_SFB52.zip" file into a separate directory. The STEP 7 project is unpacked automatically with all its subdirectories. You can then use the SIMATIC Manager to open and process the extracted STEP 7 project.
Background: CPUs with the name extension "PN/DP" have a web server. Here, you can read out data from the CPU via the Ethernet using the web browser.
The information in this entry is based on the following scenario:
You are using a computer with two network cards. The first card is connected with the company intranet and the second with the network in which the CPU is located. The company intranet is connected with the Internet only via a proxy server. A proxy server acts as a broker between the internal network (intranet) and the Internet, which calls the files from the remote web server and makes them available.
If you now enter the CPU's IP address in the browser, the request is sent to the proxy server and not to the CPU. Thus you cannot set up a connection with the CPU.
Solution: Make one of the two settings to access the CPU despite proxy server:
More information: More information on this is available in Entry ID: 2073614 "What is the connection between subnet masks and IP addresses in the IP address area, also with regard to subnetting?".
Instructions for using the web server are available in Entry ID: 12996906 section 3.3 Web Server.
Use private IP address Since the area of the private IP addresses is usually not routed in the Internet, the web browser bypasses the proxy server and queries the private (or local) address directly. Therefore, you use private (or local) addresses for the network in which the CPU is located.
Set a private IP address for the CPU (e.g. 192.168.0.4).
Set a private IP address for the network card (e.g. 192.168.0.2). The CPU and network card must be in the same network.
In this example, the CPU is accessible via the web browser at http://192.168.0.4/.
The following ranges are reserved for private networks:
Exception for proxy server If you cannot use a private (or local) IP address, you must inform the browser that this address should be accessed directly without proxy.
Enter the CPU's IP address as exception of the proxy server in the PC's web browser. You find the settings in the Internet Explorer under Tools -> Internet Options -> Connections -> LAN Settings -> Proxy Server -> Advanced.
In this example, the CPU is accessible via the (non-private) IP address http://184.108.40.206/. In this example, the IP address is 220.127.116.11 (CPU and network card must be in the same network).
You can also use wildcards, e.g. "140.0.0.*".
In this example, the CPU is accessible via the web browser at http://18.104.22.168/.
What differences are there when configuring S7 connections?
Description: In this description of how to configure S7 connections it is assumed that all the stations are in one S7 project.
Types of S7 connections: With S7 connections you differentiate between bilaterally configured and unilaterally configured S7 connections.
Bilaterally configured S7 connections You recognize bilaterally configured connections by the fact that they receive a connection ID at both endpoints. The partner ID can be identical for both connection partners, but doesn't have to be. The remote endpoint of the S7 connection created is entered automatically in the connection table on the partner side.
You can use the following communication blocks in the S7-300 or S7-400 station for data communication via bilaterally configured S7 connections:
FB/SFB14 "GET" and FB/SFB15 "PUT"
FB/SFB12 "BSEND" and FB/SFB13 "BRCV" or
FB/SFB8 "USEND" and FB/SFB9 "URCV"
Unilaterally configured S7 connections Unilaterally configured S7 connections are configured on the module that actively sets up the S7 connection.
You can use the communication blocks FB/SFB14 "GET" and FB/SFB15 "PUT" in the S7-300 or S7-400 station for data communication via unilaterally configured S7 connections. You can use these for data communication via unilaterally and bilaterally configured S7 connections. You can only use the communication blocks FB/SFB12 "BSEND" and FB/SFB13 "BRCV" and FB/SFB8 "USEND" and FB/SFB9 "URCV" for data communication via bilaterally configured S7 connections.
More information on the properties and special features of the S7 protocol and on the properties of the different S7 protocol services is available in Entry ID: 26483647.
In NetPro there is a connection table with all the configured communication connections. Unilaterally configured S7 connections have no entry in the "Partner ID" column of the connection table. This field remains empty in the connection table. No S7 connection is configured on the server and no communication blocks are called. The server is managed independently by the CPU's operating system and has resource 0x03. No system data is created for this in the connection partner.
Fig. 1: Bilaterally and unilaterally configured S7 connection
All S7 connections that have a connection ID at both connection endpoints are bilaterally configured S7 connections.
S7 connections that have no partner ID are unilaterally configured S7 connections or have been created via "unspecified" S7 connections with resource 0x03.
With bilaterally configured S7 connections you must load the configuration in both connection partners after creating the S7 connection.
With unilaterally configured S7 connections you must load only the one station in whose connection table the S7 connection is shown.
Note: In the sample S7 connection configuration given above all the stations are in one S7 project. You can also set up an S7 connection to an unspecified partner and the endpoints of these connections can be in different projects. More information on this is available in the Online Help of STEP 7:
Using the system function SFC 14 "DPRD_DAT" (read consistent data of a DP standard slave) you read out the data of a DP standard slave/PROFINET IO device. If no errors occurred during the data transfer, the data read is entered into the target area set up by RECORD. The target area must have the same length as you configured with STEP 7 for the selected module. With a DP standard slave with modular structure and with multiple DP identifications, with an SFC 14 call you can only ever access the data of one module / DP identification under the start address configured.
Using the system function SFC 15 "DPWR_DAT" (write consistent data to a DP standard slave) you transfer the data in RECORD consistently to the addressed DP standard slave/PROFINET IO device. The source area must have the same length as you configured with STEP 7 for the selected module.
With a DP standard slave with modular structure you can only access one module of the DP slave.
Maximum length and addressing of consistent user data areas on the PROFIBUS DP In the manuals listed below you will find more information about the maximum length and addressing of consistent user data areas on the PROFIBUS DP.
Maximum length and addressing of consistent user data areas on the PROFIBUS IO In the manuals listed below you will find more information about the maximum length and addressing of consistent user data areas on the PROFIBUS IO.
For communication processors (CPs) the size of the consistent area for a submodule is defined as follows.
CP 443-1 Advanced
CP 343-1 Advanced
Notes The PROFIBUS DP standard defines upper limits for the transfer of consistent user data. Current DP standard slaves keep to these upper limits. Older CPUs (<1999) have CPU-specific restrictions for the transfer of consistent user data.
The maximum length of data that these CPUs can read consistently from a DP standard slave or write consistently to a DP standard slave is given in the technical data under "DP master – user data per DP slave". With this value, more recent CPUs exceed the length of the data that a DP standard slave provides or receives.
Distributed reading and writing of consistent data (<4 bytes) is also possible without system functions SFC14 and SFC15. Which modules you can use for this is described in Entry ID 8751062.
The table below shows the access to consistent data outside the process image.
Length of data area
Consistency of data
Load / Transfer
Consistency over unit
Word Load / Word Transfer
Consistency over total length
SFC14 / SFC15
Consistency over total length
Double-word Load / Double-word Transfer
Consistency over total length
SFC14 / SFC15
Consistency over total length
Example In the example below an S7-400 CPU is used as DP master and a CP342-5 as DP slave.
The consistency area below is defined for the inputs and outputs of the DP slave:
For the outputs, 50 bytes are transferred consistently over the total length. These 50 bytes are available consistently in the process image partition 3 (PIP 3) of the S7-400 CPU and can therefore be read using load/transfer commands.
For the inputs, 20 bytes are transferred consistently over the total length. These 20 bytes are not stored in the process image or in process image partition and can only be written with the system function SFC14/15.
The operating system of the CPU transfers the data consistently during process image updating. You can access this data in the process image using the load and transfer commands.
Alternatively, with S7-400 CPUs you can use system function SFC 26 "UPDAT_PI" or SFC 27 "UPDAT_PO" at any point in the program to update the process images. However, in this case the relevant PIP may not be updated by the system. If you do not or cannot place the data in a process image, then you should use the system functions SFC14 and SFC15 for data communications.
More information about this is available in the following entries:
"Consistent data in S7-400, summary of mechanisms" - Entry ID: 11646774
"Use of Process Image Partitions in Organization Blocks" - Entry ID: 18325216