©2023-2026 Frank Pfattheicher   •  Privacy   •  Imprint  
 Home   Explorer   Siemens   Info   

Siemens - STEP 7 - TIA Portal

Sources: Siemens Industry Support

If you want to establish Modbus communication with a Siemens controller,
you will find some useful information here.

Client and server interfaces can be implemented with Modbus TCP and RTU.
For this purpose, the blocks MB_CLIENT and MB_SERVER are available for Modbus TCP, and Modbus_Master, Modbus_Slave, and Modbus_Comm_Load for Modbus RTU.

 

Modbus TCP

Server

The MB_SERVER block provides a Modbus server very easily.
Only a data block for data exchange (reading and writing) needs to be provided.

💡 Modbus does not provide permissions for write and read operations. Therefore, only data that may be read should be provided in the corresponding data block. Data that is written and then further used in the controller should, for security reasons, not be used directly; instead, it should be checked by the PLC program before use and stored separately.

Even if Siemens claims otherwise: The server can only be accessed by ONE client.
If a connection exists, any additional connection will be rejected.
The only option is to start another server on a different IP port.

Client

The MB_CLIENT block is used for this.

Error codes

Each block provides "Detailed status information of the instruction" via the STATUS output.

In practice, this is not quite so simple, because the blocks internally use additional blocks.
  MB_SERVER: TCON, TSEND, TRCV, TDIAG, TRESET, TDISCON, TDIAG_Status
  MB_CLIENT: TCON, TDISCON, TSEND, TRECEIVE, TRESET, TDIAG, TDIAG_Status

Therefore, depending on the problem, the STATUS values of these blocks are also returned!

The meaning of the error codes can be found in the documentation of the corresponding communication instruction.

🛈 Note: Communication errors when sending or receiving data
If a communication error occurs when sending or receiving data (80C4 (Temporary communications error. The specified connection is temporarily down.), 80C5 (Remote partner closed connection actively.), 80A1 (The specified connection is disconnected or is not yet established.)), the existing connection is terminated.
This also means that you will see all STATUS values returned during connection termination, and only after the connection has been terminated will the STATUS code be output that indicates the cause of the connection termination.
Example: If a temporary communication error occurs when receiving data, STATUS 7003 (ERROR=false) is output first and then 80C4 (ERROR=true).

Status information

STATUS
(hex)		 Description
0000 Instruction executed without errors
0001 Connection established
0003 Connection termination completed
7000 No job active and no connection established (REQ=0, DISCONNECT=1)
7001 Connection establishment initiated
7002 Intermediate call, connection is being established
7003 Connection is being terminated
7004 Connection established and monitored, no job processing active
7005 Data is being sent
7006 Data is being received

Status information

Here, the additional problem is that the cause may be local or at the remote endpoint.

STATUS
(hex)		 local /
remote		 Modbus
Exception		 Description
80C8 local - No response from the server within the defined time period. Check the connection to the Modbus server. This error is only reported after the configured retry attempts have been completed. If the "MB_CLIENT" instruction does not receive a response with the originally transmitted transaction ID (see static variable MB_TRANSACTION_ID) within the defined time period, this error code is output.
8380 local - The received Modbus frame does not have the correct format, or too few bytes were received.
8381 remote 01 Function code is not supported.
8382 local -
  • The length of the Modbus frame in the frame header does not match the number of received bytes
  • The number of bytes does not match the actually transmitted bytes (functions 1-4 only). This is the case, for example, if "MB_CLIENT" requests an odd number of words, but "MB_SERVER" always sends an even number of words
  • The start address in the received frame does not match the stored start address (functions 5, 6, 15, 16)
  • The number of words does not match the number of words actually transmitted (functions 15 and 16)
8382 remote 03 Invalid length specification in the received Modbus frame. Check the server side.
8383 local - Error reading or writing the data, or access outside the address range of MB_DATA_PTR.
8383 remote 02 Error reading or writing the data, or access outside the server address range.
8384 local - Invalid exception code received.
  • A different data value was received than originally sent by the client (functions 5, 6 and 8)
  • Invalid status value received (function 11)
8384 remote 03 Error in the data value for function 5.
8385 local -
  • Diagnostic code not supported
  • A different subfunction code was received than originally sent by the client (function 8)
8385 remote 03 Diagnostic code not supported
8386 local - Received function code does not match the one originally sent.
8387 local - The protocol ID of the Modbus TCP frame received from the server is not equal to "0".
8388 local - The Modbus server sent a different data length than requested. This error occurs only when using Modbus functions 5, 6, 15, or 16.

Parameter errors

STATUS
(hex)		 Description
80B6 Invalid connection type, only TCP connections are supported.
80BB Invalid value for parameter ActiveEstablished (identifier for the type of connection establishment, see parameter CONNECT (S7-1200, S7-1500)):
  • On the server side, only passive connection establishment is permitted (ActiveEstablished = FALSE)
  • On the client side, only active connection establishment is permitted (ActiveEstablished = TRUE)
8188 Invalid value for parameter MB_MODE.
8189 Invalid addressing of the data in parameter MB_DATA_ADDR.
818A Invalid data length in parameter MB_DATA_LEN.
818B Invalid pointer in parameter MB_DATA_PTR. Also check the values of parameters MB_DATA_ADDR and MB_DATA_LEN.
818C Time error in parameter BLOCKED_PROC_TIMEOUT or RCV_TIMEOUT (see static variables of the instruction). BLOCKED_PROC_TIMEOUT and RCV_TIMEOUT must be between 0.5 s and 55 s.
8200
  • Another Modbus request is currently being processed via the port
  • Another instance of MB_CLIENT with the same connection parameters is processing an already existing Modbus request

TCP connection

TSEND_C: Establish connection and send data
ERROR STATUS
(hex)		 Description
0 0000 Send job completed without errors.
0 0001 Communication connection established.
0 0003 Communication connection established.
0 7000 No send job processing active, no communication connection established.
0 7001 First call when establishing a connection.
0 7002 Connection is currently being established (REQ irrelevant)
0 7003 Communication connection is being terminated.
0 7004 Communication connection is established and monitored. No send job processing active.
0 7005 Sending data in progress.
1 80A1
  • Connection or port is already in use by the user.
  • Communication error:
    • The specified connection has not yet been established.
    • The specified connection is currently being terminated. Transmission over this connection is not possible.
    • The interface is being reinitialized.
1 80A3 The subordinate T_DIAG instruction reported that the connection was terminated.
1 80A4 The IP address of the remote endpoint of the connection is invalid, or it matches the IP address of the local partner.
1 80A7 Communication error: You called the instruction with COM_RST = 1 before the send job was completed.
1 80AA A connection establishment with the same connection ID is currently in progress by another block. Please repeat the job with another positive edge at parameter REQ.
1 80B3
  • When using the UDP protocol variant, parameter ADDR contains no data.
  • Error in the connection description
  • The local port is already being used in another connection description.
1 80B4 When using protocol variant ISO on TCP (connection_type = B#16#12) for passive connection establishment (active_est = FALSE), one or both of the following conditions were violated:
  • local_tsap_id_len >= B#16#02
  • local_tsap_id[1] = B#16#E0
1 80B5 For connection type 13 = UDP, only passive connection establishment is permitted.
1 80B6 Parameterization error in parameter connection_type of the data block for the connection description.
1 80B7
  • For system data type TCON_Param: Error in one of the following parameters of the data block for the connection description: block_length, local_tsap_id_len, rem_subnet_id_len, rem_staddr_len, rem_tsap_id_len, next_staddr_len.
  • For system data types TCON_IP_V4 and TCON_IP_RFC: IP address of the partner endpoint was set to 0.0.0.0.
1 8085 Parameter LEN is greater than the maximum permitted value.
1 8086 The parameter ID within parameter CONNECT is outside the permitted range.
1 8087 Maximum number of connections reached, no further connection possible.
1 8088 The value at parameter LEN does not match the receive area specified at parameter DATA.
1 8089
  • The parameter CONNECT does not point to a data block.
  • The parameter CONNECT does not point to a connection description.
  • The manually created connection description has an incorrect structure for the selected connection type.
1 8091 Maximum nesting depth exceeded.
1 809A The parameter CONNECT points to a field that does not match the length of the connection description.
1 809B InterfaceID is invalid:
  • It does not point to a local CPU interface or a CP.
  • It must not have the value 0 when using connection parameterization.
  • It must not have the value 0 in the TCON_xxx structure used. See TCON: Establish communication connection
  • TCON_QDN or TCON_QDN_SEC requires a configured DNS server.
1 80C3
  • All connection resources are occupied.
  • A block with this ID is already being processed in another priority group.
1 80C4 Temporary communication error:
  • The connection cannot currently be established.
  • The connection cannot be established because firewalls on the connection path have not enabled the required ports.
  • The interface is currently receiving new parameters, or the connection is currently being established.
  • The configured connection is currently being removed by a TDISCON instruction.
  • The connection in use is currently being terminated by a call with COM_RST = 1.
  • Temporarily no receive resources are available at the connection partner. The connection partner is not ready to receive.
1 80C5
  • Connection terminated by the communication partner.
  • LSAP of the remote connection partner not enabled
1 80C6 Network error:
  • Remote partner cannot be reached.
  • Physical interruption on PROFIBUS
1 8189 Invalid data address: Select a suitable value for the data address at the DATA_ADDR parameter. See description Modbus_Master (Page 125) in the Info system.
1 818A Invalid length
1 818B Invalid value for DATA_PTR
1 818C Interconnection error of the DATA_PTR parameter
1 818D The area addressed by DATA_PTR is longer than the DB, or the area addressed is too small for the number of data bytes to be read or written.
1 8280 Negative acknowledgment when reading module
1 8281 Negative acknowledgment when writing module
1 8722 Parameter CONNECT: Source area is invalid. The area does not exist in the DB.
1 873A Parameter CONNECT: Access to the connection description is not possible (e.g. because the DB is not available).
1 877F Parameter CONNECT: Internal error.
1 8822 Parameter DATA: Source area invalid, area does not exist in DB.
1 8824 Parameter DATA: Area error in the VARIANT pointer.
1 8832 Parameter DATA: DB number is too large.
1 883A Parameter DATA: No access to the data area, for example because the data block does not exist.
1 887F Parameter DATA: Internal error, e.g. invalid VARIANT reference.
1 893A Parameter ADDR: Access to the send area is not possible (e.g. because the DB is not available).