Troubleshooting OPC UA Issues

If you are unable to establish a connection to an OPC UA server, the following sections might help you to identify and solve problems with client and server connectivity.

Server Discovery Issues

You may get this warning while attempting to discover available OPC UA server(s) on a machine using opcuaserverinfo("localhost").

Warning: No OPC UA Servers found

The possible reasons for the warning and the corresponding solutions to resolve the warning are as follows.

  • If the OPC UA server is not registered with a Local Discovery Service (LDS), you can resolve the issue by downloading and installing an LDS and registering your OPC UA server with it. For information, see Install an OPC UA Simulation Server for OPC UA Examples.

  • If the OPC UA server application instance is rejected by the LDS server, you can trust the certificate by moving the server certificate to the LDS trust store. Ensure that the moved file is not retained in the reject store.

    • Path to default reject store folder: C:\ProgramData\OPC Foundation\UA\pki\rejected\certs

    • Path to default trust store folder: C:\ProgramData\OPC Foundation\UA\pki\trusted\certs

If you change the LDS settings, you may have to restart the LDS through the Windows Services console. The display name of the LDS is OPC UA Local Discovery Server.

For additional information, you can refer to the LDS log file located in C:\ProgramData\OPC Foundation\UA\Discovery\opcualds.log. For detailed logging information, you can change the log level and many other parameters using the ualds.ini config file.

Security Verification Issues

You may get this error while attempting to connect your OPC UA client with a server using connect.

An error occurred verifying security

The possible reasons for the error and the corresponding solutions to resolve the error are as follows.

  • The error can occur when the X.509 certificates used for authentication are expired or revoked, or when there is a mismatch between the client and server certificates. To fix this error, ensure that the certificates used are valid, trusted, and properly configured on both the client and the server.

  • The error can occur when the certificates used are not trusted by the server. To resolve this issue, mark the MATLAB application instance certificate as trusted.

    • If the server has a UI, you can directly select the MATLAB application instance certificate and mark it as trusted. Complete these steps to mark a certificate as trusted in a Prosys Simulation Server.

      1. Go to the Certificates tab in the server UI.

      2. Right-click the MATLAB OPC Toolbox certificate.

      3. Select Trust.

    • If the server does not have a UI, you can mark the certificate as trusted by manually copying the user identity or application instance certificate from the rejected folder to the trusted folder of the server certificate store.

      This table lists the certificate store paths for common OPC UA servers.

      | Server | Application Instance Certificate Store | User Certificate Store |
      |--------|----------------------------------------|------------------------|
      | Prosys | C:\Users\<username>\.prosysopc\prosys-opc-ua-simulation-server\PKI\CA | C:\Users\<username>\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA |
      | UA Cpp | C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver | C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiuser |

  • The error can occur when the client and server have different security policies configured, and they are unable to negotiate a compatible security policy during the handshake process. To resolve this issue, confirm that the configured security policies in the client and server are compatible. You can also adjust the security policies if necessary.

  • The error can occur because the security settings of either the client or the server are incorrectly configured. To fix the configuration, check that the security settings on both the client and server match. Avoid using incorrect encryption algorithms, invalid security modes, or unsupported security features.

  • If the error occurs due to network connectivity, ensure that there are no network issues or firewalls blocking communication between the client and server.

For additional information about the specific cause of the security verification error, you can review the server and client logs.
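Before moving a file from a rejected folder to a trusted folder, confirm that it is the certificate you expect. The following PowerShell is an added example, not MathWorks or OPC Foundation code: it lists each certificate in a reject store with its subject, thumbprint and validity, and moves only the one whose thumbprint matches a value you confirmed out-of-band. It assumes the default LDS store paths from Server Discovery Issues (substitute a server store path from the table above for other servers), and $ExpectedThumbprint is a placeholder.

```powershell
# Added example. Paths are the LDS defaults quoted on this page.
$RejectStore = 'C:\ProgramData\OPC Foundation\UA\pki\rejected\certs'
$TrustStore  = 'C:\ProgramData\OPC Foundation\UA\pki\trusted\certs'
# Placeholder: thumbprint obtained out-of-band from the certificate owner.
$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-OUT-OF-BAND>'

function Get-RejectedCertificate {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file = $_
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        } catch {
            Write-Warning "Not a readable certificate: $($file.Name)"
            return   # skip this file and continue with the next one
        }
        $now = Get-Date
        [pscustomobject]@{
            File       = $file.FullName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            ValidNow   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        }
    }
}

# Review everything the store has rejected before trusting anything.
$rejected = @(Get-RejectedCertificate -Path $RejectStore)
$rejected | Format-List

# Thumbprints are often copied with spaces; strip them before comparing.
$wanted = $ExpectedThumbprint -replace '\s', ''
$match  = @($rejected | Where-Object { $_.Thumbprint -eq $wanted })

if ($match.Count -ne 1) {
    Write-Warning "Expected exactly one matching certificate, found $($match.Count). Nothing moved."
} elseif (-not $match[0].ValidNow) {
    Write-Warning "Certificate is outside its validity period. Nothing moved."
} else {
    # Move, not copy, so the file is not retained in the reject store.
    Move-Item -LiteralPath $match[0].File -Destination $TrustStore
    Write-Output "Trusted: $($match[0].Subject)"
    # If the LDS does not pick up the change, restart it from an elevated prompt:
    # Restart-Service -DisplayName 'OPC UA Local Discovery Server'
}
```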

Unable to Validate User Identity Token

You may get this error while attempting to connect to an OPC UA server using a username and password or a user certificate as the identity token.

The user identity token is valid but the server has rejected it

The possible reasons for the error and the corresponding solutions to resolve the error are as follows.

  • The validation issue can occur due to an incorrect username or password, expired or revoked user credentials, insufficient privileges, or incompatible security settings between the client and server. To resolve this issue:

    • Verify that the user credentials are correct.

    • Ensure that the user has the necessary permissions to access the requested resources.

    • Confirm that the security settings on the server align with the client expectations.

    To perform these troubleshooting steps while using the Prosys Simulation Server, select the Users tab in the server UI and follow the relevant steps.

    • Enable the required user authentication methods such as Anonymous, Username & Password, and Certificate.

    • If you connect via the Username & Password method, add the user to the Users list.

    • If you connect via an X509 user certificate, and your user identity token was rejected, consult the server log to determine the reason.

Unable to Retrieve Endpoint

You may get this error while attempting to connect your OPC UA client with a server using connect.

The hostname could not be resolved

Or you may get this warning while attempting to query an OPC UA server using opcuaserverinfo.

Warning: Some endpoints could not be retrieved

This issue occurs when a client that can connect to multiple interfaces cannot reach the endpoint mentioned in the OPC UA server certificates. According to the OPC standards, it is the responsibility of the server to return all discoverable endpoints to a calling client. To fix the issue:

  • Register the hostname of the server locally with the network path used to connect to the server. If the DHCP query is for a static IP, add the IP address and hostname to the Windows\System32\Drivers\etc\hosts file on the local client machine.

  • For a long-term solution, ensure that the server provides endpoints that are accessible by all available paths to the server. When the server is in a DHCP environment, it must have a static IP on the DHCP network, and the hostname must resolve to that IP address when using that route to the server. Your IT admins can assist with this process.

Time Out Error

You may get this error while attempting to discover, connect to or communicate with an OPC UA server.

Operation timed out

The possible reasons for the error and the corresponding solutions to resolve the error are as follows.

  • The error can occur when the operation exceeds the timeout duration due to network congestion, packet loss, or a slow network connection. To avoid it, check network connectivity and ensure that the network connection between the client and server is stable and free from any issues causing delays or packet loss.

  • The error can occur when the server is heavily loaded or experiences high demand. To circumvent the server overload, monitor the OPC UA server resource usage and optimize the performance or allocate additional resources to handle the load.

  • The error can occur when the OPC UA server or LDS is not running or is experiencing connectivity issues. To verify server availability, check for an LDS on the local machine and make sure that it is running. If the LDS is missing, install and set up the LDS server and register your OPC UA server with the LDS. For information, see Install an OPC UA Simulation Server for OPC UA Examples.

  • If the error occurs during node browsing, check for operation limits on your server and reduce the number of nodes per browse. In the Prosys Simulation Server, you can view the operation limit in the MaxNodesPerRead parameter.

For additional information on packet loss, use Wireshark to monitor the data packets being exchanged between MATLAB (on the host PC) and the OPC UA server (local/remote).

  1. Check that a Response packet is sent back from the server for every Request packet sent from MATLAB to the server.

  2. If any Response packet is missing, check the OPC UA server logs for potential causes of the missing response.

Unable to Match URI

You may get this error while trying to connect to an OPC UA server.

The URI specified in the Application Description does not match the URI in the Certificate

The possible reasons for the error and the corresponding solutions to resolve the error are as follows.

  • The error can occur when the URI specified in the application description does not match the application or product URI configured in the certificate. To fix the issue, verify the configuration and correct any mismatched data. The mismatched data can be a typo, an additional space, or an incorrectly configured application instance certificate.

  • The error can occur due to URI mismatch when the URI in the certificate does not match the URI expected by the client. To fix the issue, generate a new certificate with the updated URI and replace the old certificate with the new one. The mismatch may be due to an outdated certificate or because the server URI changed but was not updated in the certificate.

  • The error can occur when the OPC UA communication is passing through a network proxy or firewall. To fix the issue, check the network settings and review its configuration to ensure that the URI in the certificate is not modified or rewritten. You can also adjust the settings if necessary to allow the correct URI to pass through.
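To check for the typo or extra-space mismatches described above, read the URI directly out of the certificate and compare it with the configured value. This PowerShell is an added example, not MathWorks code: $CertPath and $ConfiguredUri are placeholders, the function names are hypothetical, and the "URL=" label it parses is what English-language Windows prints for subjectAltName URI entries.

```powershell
# Added example. Fill both placeholders from your own setup.
$CertPath      = '<path-to-application-instance-certificate>'
$ConfiguredUri = '<ApplicationUri from the application description>'

function Get-CertificateUri {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # subjectAltName (OID 2.5.29.17) is where an OPC UA application
    # instance certificate carries its ApplicationUri.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    # Assumption: English Windows formatting, one "URL=<value>" entry per line.
    $text = $san.Format($true)
    [regex]::Matches($text, '(?m)URL=(.*?)\r?$') | ForEach-Object { $_.Groups[1].Value }
}

function Compare-ApplicationUri {
    param([string]$CertificateUri, [string]$ConfiguredUri)
    # Exact, case-sensitive comparison first: this is what has to hold.
    if ([string]::Equals($CertificateUri, $ConfiguredUri, [StringComparison]::Ordinal)) {
        return 'Match'
    }
    # Then classify the near misses the page mentions.
    $a = $CertificateUri.Trim()
    $b = $ConfiguredUri.Trim()
    if ($a -ceq $b) { return 'Differs only by leading or trailing whitespace' }
    if ($a -ieq $b) { return 'Differs by letter case' }
    return 'Different URI'
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$uris = @(Get-CertificateUri -Certificate $cert)

if ($uris.Count -eq 0) {
    Write-Warning 'No URI entry found in the certificate subjectAltName.'
}
foreach ($uri in $uris) {
    [pscustomobject]@{
        # Brackets make stray whitespace visible in the output.
        CertificateUri = "[$uri]"
        ConfiguredUri  = "[$ConfiguredUri]"
        Result         = Compare-ApplicationUri -CertificateUri $uri -ConfiguredUri $ConfiguredUri
    }
}
```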