Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 109766709, Entry date: 07/05/2019

What are the causes when connection to an OPC UA server fails?

  • Entry
  • Associated product(s)
When establishing a connection to an OPC UA server you should observe a number of points to make the process run smoothly.

The following common causes of error with establishment of a connection are independent of the OPC UA client and server used.

Date and time with certificate-based connections
With certificate-based authentication on an OPC UA server the valid period of the certificates is checked among other things. Here it is mandatory that the end systems have the current time. An OPC UA server responds to a time error during certificate checking with the status code "BadSecurityChecksFailed" or "BadCertificateTimeInvalid". As a solution we recommend using NTP servers ("Network Time Protocol") for time synchronization.
If this is not possible, you have to set the current time (date/time of day) manually on your end systems.

OPC UA client-server connection via NAT router
This connection attempt fails with the error message "BadCommunicationError" or "BadNotConnected".
Background: In NAT systems the IPv4 packets are manipulated by the router. This means that either the source IP ("Source NAT") or the destination IP ("Destination NAT") of a packet is replaced by an IP address configured in the router (depending on the destination port). The client and server know nothing of this process.

In the following example a failed establishment of a connection via a NAT router is explained:

Figure 1
  1. The OPC UA client sends a "GetEndpointsRequest" with the destination IP address (DNAT)

  2. The NAT router changes the destination IP of the packet to in order to route the packet to the OPC UA server.

  3. The OPC UA server generates a "GetEndpointResponse" that includes its own IP address ( among other things and sends the message back to the client via the NAT router. For the client to be able to assign the message, the router has to change the source IP address (SNAT) of the packet to

  4. The client starts to establish a connection ("OpenSecureChannel") to the IP address that is in the "GetEndpointResponse" of the server.

  5. The IP address of the response message cannot be reached directly from the client. The result is that the connection cannot be established.

In your client you implement a function that compares the IP address of the "GetEndpointRequest" with the IP address of the "GetEndpointResponse". If the IP addresses differ, the client has to replace the IP address of the "GetEndpointResponse" with the IP address of the "GetEndpointRequest". In this way the client can establish a connection using the data of the manipulated "GetEndpointResponse".

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit