Here are the details that I have promised. There are actually 2 issues in one:

1. The client first connects to a discovery endpoint of the server, and obtains a list of the actual endpoints that we can select from (they may have different protocols, security settings etc.). Normally, all these endpoints returned by the server will have the same "domain name" as the discovery endpoint itself. For example, when accessing a server through opc.tcp://myhost.mydomain.com:4841, all the endpoints returned will be on "myhost.mydomain.com". The client then selects the best endpoint, and attempts to connect to it using the URL provided by the server for *that* particular server.

In your case, however, the server is not aware that it should be accessed through "myhost.mydomain.com", and is configured to return a local name of the machine in its endpoints. The available endpoints returned by the server then actually look something like e.g. "opc.tcp://mylocalname:4841" (I am not posting your actual data here - not sure about the confidentiality of it - can send it offline). Of course, "mylocalname" is not known outside the local network, and attempts to connect to it fail, with an error like "unknown host".

This is actually a well known situation in the OPC UA world. One solution is to configure the server so that it returns the actual host name that clients can use to connect to it. Clients can also (try to) cope with it by replacing the domain name in the endpoints returned by the server by the host name of the original discovery endpoint. We have this functionality implemented, and it can be enabled by the EnforceSameSite setting I have described. I tried to investigate why it is not enabled by default in version 5.31, but did not come to a definitive answer. We are probably going to enable it by default in version 5.32.

2. There is a second issue as well - when the host name resolution failed (in this particular scenario - with Security = None), the connection code proceeded to a second attempt (with non-null client certificate), and hanged. This means that you should have immediately received an "unknown host" exception, but instead you received a time-out exception, much later. My investigation about this currently points to a problem inside the OPC Foundation's .NET stack/SDK, and I have filed a bug report and will work within OPC Foundation to get it resolved.

Best regards

I am glad it works now. Can you please keep the access open for some time, I am doing some more tests and want to finalize my investigation.

Best regards

[Nov 4. 2014: Internet connection information provided by the client]

Dear Sir,

in order to resolve the connection problem, change the EnforceSameSite parameter in the EndpointSelectionPolicy to 'true'; the affected piece in your source code will then look like this:

I will post more detailed explanation about the issue later.

Best regards

I agree with you that the fact that UA Sample Client works is a bit bothering. For this reason. I would like to get to the true reason of the problem as well.

Yes, there may be differences. For example, the UA Sample Client is probably not making the first call to CreateSession with no client certificate - because, I believe, the ability to omit the certificates with no security has been added in a later version of the UA spec, for certain very limited, embedded UA server profiles. This may even confuse the server, or it may not be correctly handled in the client side of the stack - there is no absolute certainty at this point.

As to whether our client is more "relaxed" or "strict", we find ourselves between two stones here. Ideally we would like to be as relaxed as possible. But we decided to certify our OPC client for compliance, and it has forced us to implement checks that are more strict than we ever wanted. The OPC Sample Client is *not* compliant. We have, however, resolved this by having configurable settings, and defaulting to a reasonably relaxed configuration. Whoever wants the full compliance can switch to it easily. Therefore you (and we) should (ideally) be OK in this matter, with the QuickOPC product as it comes out of the box.

If we get an ability to connect to the server, we would be able to debug into finer details, and either find a problem on our side, OR provide a "definitive" log (such as full TCP trace) proving a problem on the server side.

For a test connection from our side, our outbound IP would be 88.146.100.93 (or even better, 88.146.100.80/28).

There is one more option I am thinking of: The OPC Foundation provides a tool (intended for compliance testing primarily) that can serve as an analyzer, catching the communication between the client and the server. I will need to check whether it supports this particular scenario, and whether we (as OPC Foundation Members) would be allowed to pass the tool onto you for this particular test case. In case the answer is positive, would you be willing to deploy the tool and test with it?

Also, next month we are going to the annual OPC Interoperability Workshop (in Nuremberg) where we will test with a large number of servers. We do this every year anyway. Obviously this gives a chance to catch the same issue if the server appears on the floor, or a server that is built using the same technology/codebase. Can you reveal which OPC toolkit has been used to build the server (or which OPC UA stack, if no toolkit was involved)?

The input argument to DiscoverServer is not an URI, it is just a host name. See www.opclabs.com/files/onlinedocs/QuickOpc/Latest/Reference/Q...380-9151-c4d4-ce79a1b5153e.htm . In your example, it should be "my.discoveryserver.it".

Regarding the connection problem, I have explained our position earlier already. The logs indicate a server problem; with approx. 90% likeliness, it is a server problem, the remaining 10% could point to a client problem. But we have done our analysis and it looks like that the call is blocked on the server. The fact that the server works in one situation is not a proof that it is bug-less. The "ball" is on the server developer's side now. Either they should look into what is happening on the server and supply their own logs, or you need to provide us with remote access to the server, so that we can at least reproduce the problem ourselves. Without this, we cannot make further on this issue.

Even if the problem was on the client side, it would be in the .NET stack that we take from OPC Foundation, so we have only quite limited control over what happens inside. QuickOPC version 5.31 is built with UA stack version 1.02.334.5. The upcoming QuickOPC 5.32 will be built with the newest version of the UA stack (1.02.334.6), so if we could reproduce the problem, we would also be able to try out the newest stack version.

Hello,

please post here the statement you use to call DiscoverServers, including the argument value.

Thank you