MindSphere Remote Services Troubleshooting
This section provides tips for guiding users towards resolving setup and communication issues.
- MRS was designed to deliver network-to-network access for customer-owned applications that communicate via IP-based protocols (OSI layer 3); it does not itself include any applications that use that access. For instance, if remote login protocols such as RDP or VNC are to be used, the required client and server applications are typically provided by the operating systems of the Service Device (hosting the Service Endpoint) and the corresponding Device (hosting the Device Endpoint); RDP, for example, ships with Windows®. In the same way, the user provides any engineering tools or other applications that are to be integrated across network boundaries.
- The download package of the Service Endpoint contains a Windows® 10 driver (installer file MRSTransparentProxy.msi) for the Proxy-Unaware protocol. It must be installed to enable remote engineering via the Proxy-Unaware protocol of the MRS Engineering Option on Windows® 10 based Service Devices.
- MindSphere release notes cover MRS and inform about recommended or validated hardware and software configurations such as Operating Systems or suggested device characteristics.
- Downloads of Service Endpoints and Device Endpoints are subject to export control (ECC). Ensure that the public IP address of the computer initiating an Endpoint download matches the country of the user operating the download; a VPN may relocate the user's apparent IP address to another country and thereby affect this check.
- Downloaded Service Endpoints carry individual configurations that bind them to a particular MindSphere tenant and its users, so they cannot be shared.
- To establish tunnel-based network-to-network connectivity, there must be MRS-compliant Endpoints at both ends. Ensure that the Service Endpoint and the Device Endpoint are up and running and that your network is configured to allow them to connect to MindSphere as outlined below.
- MRS applies fine-grained access control and enforces an MRS-specific role model as outlined in section Concepts Used in MRS. Users therefore typically may use only certain sub-organizations or sites of the MRS device tree. If certain functions appear unusable or are not visible at all, check your access rights or have an administrator check them.
- Ensure that an administrator has granted your user account all access rights and roles required for a particular operation, in line with the policies of your MindSphere tenant or its owner. Only users holding the required access rights may perform operations such as deleting a particular Service Asset from a particular Site.
- Users with multiple roles may switch between them explicitly; only one role is active at a time, to avoid unintended tampering or changes.
- If a Service Endpoint is used on a computer that connects to the Internet via VPN, the geo-location of that PC's public IP address may differ from the registered physical geo-location of the PC and its user. This affects functions such as the download of Device Endpoints, because the user's registered physical geo-location and the IP address's geo-location do not match. In such cases either deactivate the VPN or, using MRS user management, set the user's geo-location to that of the public VPN IP address. Public services such as https://WhatIsMyIP.com may help in determining the geo-location of a PC's public IP address.
- Ensure that network and firewall setups permit tunnel-based connections to MindSphere Remote Services. Further details are given in section Appendix for Experts.
- For native Remote Login (not using a browser) and for all custom connections using the Remote Engineering Option, the Service Endpoint must be launched before any connection requests to Service Assets are issued via the user interface. Connection requests also require the targeted Device Endpoints to be up and running.
- When launching a Service Endpoint on Windows®, use PowerShell rather than the Command Prompt. If you do use the Command Prompt, press "Return" a few times to ensure that the Endpoint starts.
- MRS standard (supporting Remote Engineering): when using "Web Application", match the protocol of the targeted remote web server (HTTP vs. HTTPS).
- Protocol Applications may be bound to certain devices and users. The setup of a Protocol Application must match the grants required to access Devices at a particular site. For instance, a Protocol Application configured for site Istanbul cannot simply be reused for site Munich.
- If a Service or Device Endpoint does not connect to MindSphere, starting the respective Endpoint in diagnostic mode via mrs-client --diagnose gives first indications of potential network configuration issues. Afterwards, restart the client in regular mode.
- For network communication with the MindSphere Remote Services (MRS) backend, the operating system (OS) hosting an MRS Endpoint (Service or Device Endpoint) must support TLS 1.2. Related to that, the OS must provide OpenSSL libraries of version 1.0.1 or later: 1.0.1 is the first OpenSSL release with TLS 1.2 support, and the MRS Endpoint depends on the OpenSSL dynamic link libraries (DLLs). OpenSSL is a "robust, commercial-grade, full-featured toolkit for general-purpose cryptography and secure communication" (https://www.openssl.org/).
- For proper name resolution (Domain Name System, DNS), ensure that the network nodes hosting MRS Endpoints (Service or Device Endpoint) are configured with appropriate name servers (DNS servers). Check the DNS server settings in the operating system (OS) settings.
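The firewall, TLS 1.2/OpenSSL and DNS prerequisites from the bullets above can be checked in one go before an Endpoint is started. The script below is an added example for this page, not part of the MRS Endpoint package or of any Siemens documentation. It assumes Python 3.7 or later on the Service or Device host and takes the MRS backend host name as a command-line argument, because that name is not given in this section; it does not replace mrs-client --diagnose, but it tells you which of the three prerequisites fails before you run it.

```python
#!/usr/bin/env python3
"""Pre-flight connectivity check for a host that will run an MRS Endpoint.

Added example, not part of the MRS package. It checks the three things the
troubleshooting bullets ask for: the OpenSSL build Python links against is
at least 1.0.1 (the first release with TLS 1.2), the backend host name
resolves via the OS resolver, and a TLS 1.2 handshake to it succeeds
through the local firewall. The backend host name is NOT known to this
script; pass the one from your tenant's documentation on the command line.
"""
import socket
import ssl
import sys

MIN_OPENSSL = (1, 0, 1)  # first OpenSSL release with TLS 1.2 support


def openssl_version_ok(version_info=ssl.OPENSSL_VERSION_INFO):
    """True if (major, minor, fix, ...) is at least 1.0.1."""
    return tuple(version_info[:3]) >= MIN_OPENSSL


def resolve(host):
    """Resolve host with the OS resolver; returns sorted unique addresses.

    Raises socket.gaierror if the configured DNS servers cannot answer,
    which is the symptom the DNS bullet describes.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def build_tls12_context():
    """Client context pinned to TLS 1.2 with certificate verification on.

    Pinning both bounds to TLS 1.2 makes the handshake fail loudly if the
    peer or an intercepting middlebox cannot do 1.2, instead of silently
    negotiating something else.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls12_handshake(host, port=443, timeout=5.0):
    """Open a TCP connection and complete a TLS 1.2 handshake.

    Returns (protocol, cipher_name, peer_cn) on success. Raises OSError
    (timeout / refused) when the port is filtered or blocked, and
    ssl.SSLError when the handshake or certificate verification fails.
    """
    ctx = build_tls12_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(rdn[0] for rdn in cert.get("subject", ()))
            return tls.version(), tls.cipher()[0], subject.get("commonName")


def preflight(host, port=443):
    """Run all checks; returns a list of (check, ok, detail) tuples."""
    results = [("openssl >= 1.0.1", openssl_version_ok(), ssl.OPENSSL_VERSION)]
    try:
        addrs = resolve(host)
        results.append(("dns", True, ", ".join(addrs)))
    except socket.gaierror as e:
        results.append(("dns", False, str(e)))
        return results  # no point trying TLS without an address
    try:
        proto, cipher, cn = tls12_handshake(host, port)
        results.append(("tls1.2", True, f"{proto} {cipher} CN={cn}"))
    except OSError as e:  # ssl.SSLError is a subclass of OSError
        results.append(("tls1.2", False, f"{type(e).__name__}: {e}"))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: mrs_preflight.py <backend-host> [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for check, ok, detail in preflight(sys.argv[1], target_port):
        print(f"[{'OK' if ok else 'FAIL'}] {check}: {detail}")
```

Run it as python3 mrs_preflight.py backend-host (the host name and port are placeholders you must supply). A FAIL on dns points at the resolver settings of the OS; a FAIL on tls1.2 reported as TimeoutError or ConnectionRefusedError points at the firewall or Internet access; a FAIL reported as SSLError or SSLCertVerificationError means the TCP path is open but the handshake itself is rejected, which is worth investigating before looking at the Endpoint configuration.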
IPsec router issues
- If IPsec routers are used, the MRS public IPsec endpoint must be reachable through the firewall; obtain its IP address from the section on Advanced Connections.
- If an IPsec tunnel is not established with your tunnel configuration, check that your router's IPsec parameters match those configured in MRS. Also check that the phase 1 lifetime is set to 1440 hours. If all these parameters match, check that the outbound ports and protocols UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) are open on the Internet access/firewall.
- If an IPsec tunnel is established but only the counter for sent messages increases, not the one for received messages, check whether a route or gateway on your target system points to the router. If so, also check whether the TCP/UDP port in use is allowed by the firewall rules of the target device.
- In case of handshake failures after configuring your DDNS update, you might have to import and use valid certificates.
- If registered devices in a secondary Device Network are not displayed in the device table, expand the IPsec router node to view them.
- If an existing IPsec connection is lost, it can be re-established by opening the IPsec router configuration page and setting the router's state first to "under construction" and then to "complete".
- IPsec routers in Device Networks must have a static IP address. If these routers use dynamic IP addresses (e.g. via DHCP or NAT), the tunnels may have to be re-established manually after each address change.
Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.
Last update: November 18, 2022