IPSecure-Router KNX binding ONLINE until I enable another thing

Hello,

I am new to OpenHAB. I have a new KNX installation at home that I configured myself in ETS6.
I am connecting to my installation through a Theben IPsecure-Router.
I understand that this feature is experimental and, from reading the posts I found about it, that not a lot of people own a secure router.
I am fine with testing it and giving feedback on these recent developments, but any help diagnosing issues would be welcome.
I am running openHABian on a Raspberry 4 in 32-bit. My version of openHAB is 3.4.4.
I configured the router through the UI.

UID: knx:ip:712968f0b8
label: IPsecure-Router
thingTypeUID: knx:ip
configuration:
  readRetriesLimit: 3
  tunnelUserPassword: # the commissioning password I find in the IP tab of my router in knx
  ipAddress: 224.0.23.12 # multicast address
  routerBackboneKey: # from the report as documented
  type: SECUREROUTER
  localSourceAddr: 1.1.0 # address of the router device in ETS
  readingPause: 50
  tunnelDeviceAuthentication: # the auth code I find in the IP tab of my router in knx
  portNumber: 3671
  useNAT: false
  localIp: 192.168.178.23 # IP of the router on my local network
  autoReconnectPeriod: 60
  responseTimeout: 10
location: Tableau

I have already tried different configurations but this one makes the most sense to me. Most of the other configurations (keeping the right backbone key) I tried gave the same result.

I see my IPSecure router online until I try to add another device. When I try to activate the other device, the status of this device becomes:

OFFLINE

COMMUNICATION_ERROR

Link closed, cannot communicate (KNXLinkClosedException, link closed, connection closed)

I have tried with other devices on different addresses and the result is exactly the same.

My router switches to status:
OFFLINE

COMMUNICATION_ERROR

communication failure

10:35:14.238 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from UNINITIALIZED (DISABLED) to INITIALIZING
10:35:14.257 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from INITIALIZING to UNKNOWN
10:35:17.261 [ERROR] [nxnetip.KNX/IP 🔒 Routing 224.0.23.12] - close connection - communication failure
java.nio.channels.AsynchronousCloseException: null
        at java.nio.channels.spi.AbstractInterruptibleChannel.end(AbstractInterruptibleChannel.java:202) ~[?:?]
        at sun.nio.ch.DatagramChannelImpl.endWrite(DatagramChannelImpl.java:696) ~[?:?]
        at sun.nio.ch.DatagramChannelImpl.send(DatagramChannelImpl.java:536) ~[?:?]
        at tuwien.auto.calimero.knxnetip.SecureRouting.send(SecureRouting.java:166) ~[?:?]
        at tuwien.auto.calimero.knxnetip.ConnectionBase.send(ConnectionBase.java:231) ~[?:?]
        at tuwien.auto.calimero.knxnetip.KNXnetIPRouting.send(KNXnetIPRouting.java:214) ~[?:?]
        at tuwien.auto.calimero.link.KNXNetworkLinkIP.onSend(KNXNetworkLinkIP.java:423) ~[?:?]
        at tuwien.auto.calimero.link.AbstractLink.send(AbstractLink.java:385) ~[?:?]
        at tuwien.auto.calimero.link.KNXNetworkLinkIP.sendRequestWait(KNXNetworkLinkIP.java:402) ~[?:?]
        at tuwien.auto.calimero.mgmt.TransportLayerImpl.connect(TransportLayerImpl.java:314) ~[?:?]
        at tuwien.auto.calimero.mgmt.TransportLayerImpl.sendData(TransportLayerImpl.java:333) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.send(ManagementClientImpl.java:1275) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.send(ManagementClientImpl.java:1259) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.sendWait2(ManagementClientImpl.java:1295) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.readDeviceDesc(ManagementClientImpl.java:595) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementProceduresImpl.isAddressOccupied(ManagementProceduresImpl.java:391) ~[?:?]
        at org.openhab.binding.knx.internal.client.AbstractKNXClient.isReachable(AbstractKNXClient.java:435) ~[?:?]
        at org.openhab.binding.knx.internal.handler.AbstractKNXThingHandler.pollDeviceStatus(AbstractKNXThingHandler.java:148) ~[?:?]
        at org.openhab.binding.knx.internal.handler.AbstractKNXThingHandler.lambda$1(AbstractKNXThingHandler.java:190) ~[?:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:829) [?:?]
10:35:17.296 [INFO ] [rocess.communication 224.0.23.12:3671] - attached link was closed (communication failure)
10:35:17.303 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:ip:712968f0b8' changed from ONLINE to OFFLINE (COMMUNICATION_ERROR): communication failure
10:35:17.309 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from UNKNOWN to OFFLINE (BRIDGE_OFFLINE)
10:35:17.308 [ERROR] [calimero.link.224.0.23.12:3671       ] - send error, closing link
tuwien.auto.calimero.knxnetip.KNXConnectionClosedException: connection closed
        at tuwien.auto.calimero.knxnetip.ConnectionBase.send(ConnectionBase.java:268) ~[?:?]
        at tuwien.auto.calimero.knxnetip.KNXnetIPRouting.send(KNXnetIPRouting.java:214) ~[?:?]
        at tuwien.auto.calimero.link.KNXNetworkLinkIP.onSend(KNXNetworkLinkIP.java:423) ~[?:?]
        at tuwien.auto.calimero.link.AbstractLink.send(AbstractLink.java:385) ~[?:?]
        at tuwien.auto.calimero.link.KNXNetworkLinkIP.sendRequestWait(KNXNetworkLinkIP.java:402) ~[?:?]
        at tuwien.auto.calimero.mgmt.TransportLayerImpl.connect(TransportLayerImpl.java:314) ~[?:?]
        at tuwien.auto.calimero.mgmt.TransportLayerImpl.sendData(TransportLayerImpl.java:333) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.send(ManagementClientImpl.java:1275) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.send(ManagementClientImpl.java:1259) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.sendWait2(ManagementClientImpl.java:1295) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementClientImpl.readDeviceDesc(ManagementClientImpl.java:595) ~[?:?]
        at tuwien.auto.calimero.mgmt.ManagementProceduresImpl.isAddressOccupied(ManagementProceduresImpl.java:391) ~[?:?]
        at org.openhab.binding.knx.internal.client.AbstractKNXClient.isReachable(AbstractKNXClient.java:435) ~[?:?]
        at org.openhab.binding.knx.internal.handler.AbstractKNXThingHandler.pollDeviceStatus(AbstractKNXThingHandler.java:148) ~[?:?]
        at org.openhab.binding.knx.internal.handler.AbstractKNXThingHandler.lambda$1(AbstractKNXThingHandler.java:190) ~[?:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) [?:?]
        at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:305) [?:?]
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:305) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:829) [?:?]
Caused by: java.nio.channels.AsynchronousCloseException
        at java.nio.channels.spi.AbstractInterruptibleChannel.end(AbstractInterruptibleChannel.java:202) ~[?:?]
        at sun.nio.ch.DatagramChannelImpl.endWrite(DatagramChannelImpl.java:696) ~[?:?]
        at sun.nio.ch.DatagramChannelImpl.send(DatagramChannelImpl.java:536) ~[?:?]
        at tuwien.auto.calimero.knxnetip.SecureRouting.send(SecureRouting.java:166) ~[?:?]
        at tuwien.auto.calimero.knxnetip.ConnectionBase.send(ConnectionBase.java:231) ~[?:?]
        ... 20 more
10:35:17.333 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from OFFLINE (BRIDGE_OFFLINE) to OFFLINE (COMMUNICATION_ERROR): Link closed, cannot communicate (KNXLinkClosedException, link closed, connection closed)

and won’t come back ONLINE until I disable the other device.

10:36:33.737 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from OFFLINE (COMMUNICATION_ERROR): Link closed, cannot communicate (KNXLinkClosedException, link closed, connection closed) to UNINITIALIZED
10:36:33.765 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:device:712968f0b8:8f2e0858e0' changed from UNINITIALIZED to UNINITIALIZED (DISABLED)
10:37:27.883 [INFO ] [nxnetip.KNX/IP 🔒 Routing 224.0.23.12] - multicast loopback mode enabled
10:37:34.392 [INFO ] [knx.internal.client.AbstractKNXClient] - Bridge knx:ip:712968f0b8 connected to KNX bus
10:37:34.394 [INFO ] [hab.event.ThingStatusInfoChangedEvent] - Thing 'knx:ip:712968f0b8' changed from OFFLINE (COMMUNICATION_ERROR): communication failure to ONLINE

Could you help me figure out if I am doing something wrong and/or what my next steps should be to diagnose the issue?

Kind Regards,

Henri

localSourceAddr: 1.1.0 set to something that doesn’t exist in your topology
portNumber: 3671 not needed

But overall I was under the impression that secure router was not finished.

The result is the same with 0.0.0, for example.

Please be aware that localSourceAddr must not (i.e. it’s not allowed) be set to any existing individual address of a device.
localSourceAddr is NOT the individual address of the interface, nor is it an individual address of the pool (5 tunnels); it has to be a completely unused address (but of course you can set up a fake device for that address).

Just had a look again; apparently the issue is still open: https://github.com/openhab/openhab-addons/issues/8872

But anyway, the use of KNX Secure and openHAB kind of defeats the purpose here, because what are you trying to protect? Do you have very sensitive data running on your bus? openHAB is not secure by design, and giving it the key makes this whole thing unsecure again if the attack is to steal that information. Overall, a good blocked Ethernet router without any allowed ports and just good firewall rules for your automation network goes way further than the marketing from KNX to secure your data.
I also have secure router devices and I just disable all that crap, because if the attacker is already in the network, the automation side of things is probably the last thing you need to worry about; I would look more into sensitive data: documents, photos, clips, etc. Also, let’s say he is inside your bus and let’s say your garage door is on the bus: if safety is your concern and you don’t have a classical offline siren, keypad, sensor alarm system, then it’s your fault for not having residency.

I am not trying to discourage the use of such features; any extra layer of security is good, but giving openHAB the key defeats the purpose. It’s like giving a child the key and hoping that the bad guy doesn’t look at him to read it…

Thank you for the information, I changed it back to 0.0.0. But as mentioned in my previous comment, the behavior is still exactly the same.

Thank you for your time and answer. I understand from the ticket you mentioned that everything is ok except data secure.

Yes, the secure part (read and write) is not working yet from what I can read; he just implemented the connection. Maybe openHAB 4 will have it. For now, if you are not doing anything commercial, just disable the secure part.

localIp is the IP-Address of the openHAB System, NOT the Router IP.
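
The two addressing rules given in the replies above (localSourceAddr must be an unused individual address, localIp must be the openHAB host's own IP), written as a pre-flight check. This is an added example, not part of the thread or of the openHAB binding; the function names, the ETS device list, the host IP and the address 1.1.250 are assumptions constructed for illustration.

```python
import ipaddress

def parse_individual_address(text):
    """Parse a KNX individual address 'area.line.device' (4/4/8 bits)."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an individual address: {text!r}")
    area, line, device = (int(p) for p in parts)
    if area > 15 or line > 15 or device > 255:
        raise ValueError(f"individual address out of range: {text!r}")
    return (area, line, device)

def lint_knx_bridge(config, ets_device_addresses, openhab_host_ips):
    """Return (key, message) findings for a knx:ip bridge configuration."""
    findings = []
    # Rule from the thread: localSourceAddr must not be any existing device address.
    src = parse_individual_address(config["localSourceAddr"])
    if src in {parse_individual_address(a) for a in ets_device_addresses}:
        findings.append(("localSourceAddr",
                         f"{config['localSourceAddr']} belongs to a device in the ETS project"))
    # Rule from the thread: localIp is the openHAB system's address, not the router's.
    host_ips = {ipaddress.ip_address(i) for i in openhab_host_ips}
    if ipaddress.ip_address(config["localIp"]) not in host_ips:
        findings.append(("localIp",
                         f"{config['localIp']} is not an address of the openHAB host"))
    # Routing modes send to a multicast group, as in the posted ipAddress.
    if config["type"] in ("ROUTER", "SECUREROUTER"):
        if not ipaddress.ip_address(config["ipAddress"]).is_multicast:
            findings.append(("ipAddress",
                             f"{config['ipAddress']} is not a multicast address"))
    return findings

# Values as posted in the thread; the ETS and host lists are constructed samples.
POSTED = {"type": "SECUREROUTER", "ipAddress": "224.0.23.12",
          "localSourceAddr": "1.1.0", "localIp": "192.168.178.23"}
ETS_DEVICES = ["1.1.0", "1.1.1", "1.1.2"]    # constructed: router plus two devices
OPENHAB_IPS = ["192.168.178.40"]             # constructed: the Raspberry's own IP
CORRECTED = dict(POSTED, localSourceAddr="1.1.250", localIp="192.168.178.40")

if __name__ == "__main__":
    for key, message in lint_knx_bridge(POSTED, ETS_DEVICES, OPENHAB_IPS):
        print(f"{key}: {message}")
```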

Thank you, I adapted it but the result is still the same.

Hi guys,

I disabled secure tunneling in ETS and tried to configure it in router mode. I had a similar issue.
The messages were a bit more explicit. I then tried to configure it in tunnel mode. Thanks to your information I could get it working.
I then re-enabled secure mode in ETS and tried secure tunnel in openHAB; it is now working.

Kind regards,

Henri