BACnet/SC troubleshooting - Metasys - LIT-12013959 - 13.0

BACnet/SC Workflow Technical Bulletin

Brand
Metasys
Document type
Technical Bulletin
Document number
LIT-12013959
Version
13.0
Revision date
2023-09-29
Product status
Active
Language
English
The following table outlines the error that you may encounter when you import certificates.
Table 1. Import error
Error message Description with resolution
The certificate subject does not match the CSR metadata

You get this import error under the following circumstances:

You generate a CSR, submit the .zip to get the certificates signed, and produce the .zip file with the operational certificates based on the CSRs. In the meantime, however, someone else requests a new CSR by selecting Overwrite during the CSR process. The first CSRs and the operational certificates based on the first CSRs are now invalid and if you try to import them, they do not match the CSR metadata and you get this error.

To resolve this, submit the newly generated CSRs for signature and import them. Alternatively, if the user did not download the CSRs, generate the CSRs again, submit the new CSRs for signature, and then import them.

The device was not found.

The site configuration database (XMS) is missing the device MAC data of newly added devices, so the import of BACnet/SC certificates fails.

To resolve this, issue a Sync Engine command or Archive command to the engine after discovery, then request the BACnet/SC certificates and complete the signing and import process.

The following table outlines the errors that you may encounter when you change the BACnet/IP communication mode of a device.
Table 2. Communication mode errors
Device Change Error message Required action
IP equipment controller Ethernet IP Only Mode to Secure Connect Only Mode Certificate Missing Get a certificate for the device.
Certificate Expired Get a certificate for the device.
Primary Hub Not Defined Define an SC Primary Hub.
BACnet/SC must be Enabled on Supervisory Device Set Secure Connect Only Mode or Dual SC and IP Mode for the supervisory device.
No certificate exists for this device Wait about 30 seconds after the certificate import before you set the communication mode.
Secure Connect Only Mode to Ethernet IP Only Mode BACnet/IP must be Enabled on Supervisory Device Set Ethernet IP Only Mode or Dual SC and IP Mode for the supervisory device.
OAS, NAE85, LCS85, SNE, SNC, NAE55xx-3x Ethernet IP Only Mode to Secure Connect Only Mode Needs Certificate Get a certificate for the device.
Primary Hub Not Defined Define an SC Primary Hub.
No certificate exists for this device Wait about 30 seconds after the certificate import before you set the communication mode.
Ethernet IP Only Mode to Dual SC and IP Mode Needs Certificate Get a certificate for the device.
Primary Hub Not Defined Define an SC Primary Hub.
No certificate exists for this device Wait about 30 seconds after the certificate import before you set the communication mode.
ADS, ADX, OAS, NAE85, and LCS85 Secure Connect Only Mode to Secure Connect Only Mode Server IP Communication mode cannot be changed in Metasys UI. To enable BACnet/SC hub capabilities on the server, you need to license the BACnet/Sc feature in Software Manager. The Server can only support Secure Connect Only Mode and is already in that mode. You do not have to take any action on licensing in this case.

The following table outlines errors that you may encounter when you use BACnet/SC in the field:

Table 3. BACnet/SC troubleshooting
Error or error message Description with resolution
The IP controllers' communication mode switches back to Ethernet IP Only Mode after you set it to Secure Connect Only Mode.

Review the settings for Inbound and Outbound Firewall rules​.

See Firewall rules for BACnet/SC communication for more details.

Other possible resolution: Review the URIs for the Primary and Failover Hubs. Ensure that the Primary or Failover Hub is online and in Secure Connect Only Mode.

Controller Hub URI does not update when engine is demoted under a Site Director.

When devices are in Secure Connect Only Mode, they need to have a direct connection or be connected to the same Hub function to communicate. When you demote or promote an engine, you switch the Hub function that the engine is supposed to connect to and the device also restarts. An engine restart disconnects all Websocket connections. When the engine turns on, it gets the new site settings and tries to forward them to the controller first. As the engine is not connected to a Hub function and does not yet have any Websocket connections, the engine cannot send the new settings to the controller, which is still connected to the old Hub function.

To ensure that the BACnet/SC site settings can be propagated to all devices whenever you change the Site Director, all affected devices should be set to Ethernet IP Only Mode or Dual SC and IP Mode.

If a Site Director change occurs while all devices are in Secure Connect Only Mode, apply the following workarounds to recover the devices:

Workaround 1:
  1. Promote the engine.
  2. Change the engine's site settings to use the old site settings, to match the controllers' site settings.
  3. When the engine is connected to the Hub function, change the site settings as needed.
  4. The new site settings are automatically propagated to all controllers.
Workaround 2:
  1. Change the engine's Use Site Settings to False in the Detail widget of the SC Network Port object and archive.
  2. Promote the engine.
  3. Wait for the engine to restart and connect to the Primary Hub and wait for the controllers to come online.
  4. Change the engine's Use Site Settings to True.
  5. When the engine is connected to the Hub function, change the site settings as needed.
  6. The new Secure Connect site settings of the new Site Director are automatically propagated to the engine and all controllers.
A very large amount of COVs are generated. You can see this by viewing the Primary Hub URI of the Field Device Mapper on one of the engines. Also, if you use Wireshark capturing, you can see a large amount of traffic and possibly even some dropped packets. When you map an equipment controller, both IP and MS/TP, under a BACnet/IP Integration on a device that can be a hub, and then map that same equipment controller on a different device that can be a hub, you may see over 500 COVs per minute. This issue occurs only if the engines are on different sites with different settings for the primary or failover hub. Each site is trying to distribute its unique settings to the equipment controller, so it changes back and forth constantly. Do not map an equipment controller to multiple engines. You could damage an equipment controller by writing to the serial flash chip too much in a short period of time.