Page tree
Skip to end of metadata
Go to start of metadata

Siemens SIMATIC S7 ISO on TCP communication protocol

Supported device types and versions
Communication line configuration
Line protocol parameters
Communication station configuration
I/O tag configuration
Note on Siemens TIA Portal version 12 and above
Note on Siemens S7 1200/1500
Changes and modifications
Document revisions

Supported device types and versions

This protocol supports a data reading/writing from the control PLC machines Siemens SIMATIC:

  • types S7-300 and S7-400 equipped by an ethernet interface for the communication S7 ISO over TCP.
  • types S7-1200, S7-1500
  • types Siemens LOGO

Note: communication via Profinet/Profibus adapter ACCON-NetLink-PRO compact produced by company DELTALOGIC has been verified. Communication with multiple S-300 series PLCs on Profibus worked after firmware upgrade of adapter to version V2.54 (31. march 2015) with adapter's BIOS version V2.39 (7. June 2011). When the adapter's firmware was version V2.37 (8.august 2011), communication could not be correctly established.
Note: communication with PLC Siemens LOGO was tested. A part of memory that is accessible for reading/writing is the V area that is seen as DB1.

Communication line configuration

  • Communication line category: TCP/IP-TCP, TCP Redundant.
  • IP address (addresses) is set according to a network configuration of a specific Siemens SIMATIC device.
  • The port number is 102 (according to specification RFC 1006).
  • The line number is not used, set on 1.

When the communication line is set as TCP Redundant you can configure an IP address and port of a backup device. If a communication process lost the connection or is unable to connect to the device, it will switch periodically between the configured devices. KOM process tries to connect to a primary device at first.
Note: Multiple IP addresses of primary/backup device can also be configured (separated by commas or semicolons).

Line protocol parameters

A dialog window of communication line configuration - Protocol parameters tab.
They influence some optional protocol parameters.

The following line protocol parameters are defined:

ParameterMeaningUnit / sizeDefault value
Siemens Simatic rack number.0 to 70
Siemens Simatic slot number.0 to 310
Connection Resource (hex)
Connection resource, it enters as MSB byte to the calculation of the value of Remote TSAP at initialization of ISO Connection-request.
See the description of parameter Use long TSAP.
0x0 to 0xFF3
Local TSAP (hex)
ISO Local TSAP (Transport Service Local Point).  Source TSAP value during the initialization of ISO Connection-request.
See the description of parameter Use long TSAP.
0x0 to 0xFFFF0x1000
Source Reference
ISO Source Reference. Value of SRC-REF during the initialization of ISO Connection-request.0 to 655351
Use long TSAP
Enables a long format of local and remote TSAP which is sent during the connection setup phase.
Short TSAP is 2 bytes long.
Short local TSAP has the following format:Short remote TSAP has the following format:Long local TSAP is 28 bytes long. Last 2 bytes are higher and lower byte of parameter Local TSAP
Full remote TSAP is 28 bytes long and it contains:
MPI/Profibus Address
MPI/Profibus address sent as a part of Remote TSAP, if parameter Use long TSAP is set to True0 to 1261
S7 Subnet ID-part 1 (hex)
S7 subnet address sent as a part of Remote TSAP, if parameter Use long TSAP is set to True0x0 to 0xFFFF0
S7 Subnet ID-part 2 (hex)
S7 subnet address sent as a part of Remote TSAP, if parameter Use long TSAP is set to True0x0 to 0xFFFF0
ISO TPDU Size Variable Parameter
The maximum required size of ISO TPDU. The parameter value the initialization of ISO Connection-request.8192, 4096, 2048, 1024, 512, 256 or 128 bytes1024 bytes
Nr. of Parallel Network Threads
Maximum parallel communication threads. Increase the value if there is a request on more data read from the device in a shorter time.1 to 41
Cycle Time
The required time of one data reading cycle.ms1000 ms
Message Timeout
Maximal wait time on a reply from the device.ms2500 ms
Inter Message Delay
Delay which is used before sending a data request. When a high data transfer rate is required, set 0 ms.sec.ms20 ms
Reconnect Delay
Delay before reconnection to the device if the connection has failed or some communication error has occurred.sec.ms2 sec
Connection Error Timeout
When Timeout passes and communication error occurs in all threads, a communication error status is set on the stations. FALSE state is set on the communication line.sec.ms20 sec

S7 PDU Size

Maximum PDU in bytes at S7 communication with the device.240, 480, 960 bytes480 bytes

Tcp No Delay

Setting Tcp No Delay parameter causes low-level socket option TCP_NODELAY to be set, thus turning off the default packet coalesce feature.-False
Debug Values
Activates a debug info about the loaded values of I/O tags. Use this parameter only when communication must be debugged because it highly uses CPU and slows down the communication.YES/NONO
Debug I/O Binary Packets Info
Activates a debug info about a binary content of packets. Use this parameter only when communication must be debugged because it highly uses CPU and slows down the communication.YES/NONO
Debug Requests Info
Activates a basic debug info about requested data.YES/NOYES
Debug Answers Info
Activates a basic debug info about received packets.YES/NOYES

Communication station configuration

  • Communication protocol: Siemens SIMATIC S7 ISO over TCP.
  • No station address, no protocol parameters on the station.
  • The time parameter setting is ignored. See the line parameter Cycle Time.
  • Time synchronization of device is not supported.

I/O tag configuration

Possible I/O tag types: Ai, Ao, Ci, Co, Di, Dout, TiA, ToA, TiR, ToR, TxtI.

I/O tag address is compatible with Siemens SimaticNET OPC server.

I/O tag address is a character string according to the following:


or for structured I/O tags with configured Destination column

{;}{S7:[connectionname]}DB<no>,<type><address>{, <items>}
{;}{S7:[connectionname]}DI<no>,<type><address>{, <items>}
{;}{S7:[connectionname]}<object>{<type>}<address>{, <items>}


;Optional parameter. It disables the I/O tag from communication, stops I/O tag address check when it is saved and can be useful when the communication with the device is activated or debugged.
S7:[connectionname]Optional parameter. It does not contain any useful information but it is supported only because of backward compatibility with Siemens SimaticNET OPC server.
DBData block. S7 variable identifier from "Data block".
DIInstance data block. S7 variable identifier from " Instance data block".
<no>A number of "data block" or "instance data block".
Specification of block or area in S7 PLC.

Possible values:


Description (German name)
IInput (Eingang, E)
QOutput (Ausgang, A)
PIPeripheral Input ( Peripherie Eingang, PE)
PQPeripheral Output ( Peripherie Ausgang, PA)
MMemory bit (F)
CCounter (Zähler, Z) - BCD coded integer numbers <0-999>
TTimer (Timer, T) - BCD coded time values from intervals <0.00-9.99>, <00.0-99.9>, <000-999>, <0000-9.9990>
System Status Lists (System-ZustandsListen, SZL) - lists with diagnostic information that are available on CPU family S7-300 and S7-400. Diagnostic information differs for various classes of PLC and details are described in manuals (e.g. System Software for S7-300/400 System and Standard Functions, Volume 1/2)
Note: I/O tag S must be of TxtI type.

Data type of S7. It is not specified for T, C and S objects.

Identifier <type>Description
XBit (boolean). Specify a bit number 0 to 7 - e.g. DB9,X8.3
BByte (8 bits unsigned).
WWord (16 bits unsigned).
DDouble word (32 bits unsigned).
CHARCharacter (8 bits signed).
INTInteger (16 bits signed).
DINTDouble integer (32 bits signed).
REALFloating point number (32 bits according to IEEE754 standard).
LREALLong floating point number (64 bits according to IEEE754 standard).
STRINGString. Specify maximal length of string.
CHARARRArray of CHARs interpreted as a string. Array length must be specified.
DTDate and Time, 8 bytes in BCD format.
TIMETime (32 bits signed) in ms.
TODTime of day (32 bits unsigned) in ms.

Note: The CHARARR type is a D2000 extension that allows you to read/write an array of CHARs as a string. This type is not compatible with the Siemens SimaticNET OPC server addressing.
The difference between CHARARR and STRING is as follows:

  • STRING - standard format of the S7 string, when there are 2 bytes in front of the string itself (maximum and current string length). For example, a 10-character STRING takes up 12 bytes.
  • CHARARR - array of characters, without a 2-byte header. For example, CHARARR with a length of 10 characters takes up 10 bytes.
<address>Address of variable. Possible types:
  • Byte offset (offset within a block, a number 0-65535)
  • Byte offset.bit (only for X data type, bit number in the range of 0 to 7)
  • Byte offset.String length (only for STRING data type, string length from 1 to 254 characters)
  • Id.Index[.StringOffset[.StringLength]] - only for object S (system status list):
    • Id and Index are 16-bit numbers in range 0-65535 defining ID of specific system status list and index of item in this list
    • StringOffset and StringLength are byte offset (0..65535) and length (1..65535) of substring in answer, which will be parsed as a value of I/O tag.
    Example: address S237.1.10.20 represents status list 237 (0x0111), index 1 (Identification of the module). S7-300 will answer to this request by a 36 byte-long string (bytes 0..35) in which bytes 10..29 (i.e. offset=10, length=20) represent "Order number of the module", e.g. '6GK7 342-5DA02-0XE0 '.
Example of addresses:
  • DB10,W35
  • DB8,X10.0
  • DB1,REAL12
  • DB5,STRING5.14
  • DB5,CHARARR5.14
  • T20
  • C7
  • MB11
  • MDINT30
  • QX3.7
<items>number of elements for structured I/O tags with configured Destination column. Every read element (1,2,3 .. items) will be written to one item of destination column.
Structured I/O tags are not supported for objects of type T (timers), C (counters) and S (system status lists) nor for data type STRING.
Note: All items elements are read at once. If e.g. 100 elements of type D (double word) are configured, it means reading of a block of 400 bytes. If a smaller size of packet (S7 PDU size) is agreed on during establishment of connection, reading of this I/O tag will not be performed and trace file of line will contain an error message. Agreed S7 PDU size is minimum of size offered by D2000 (parameter S7 PDU Size) and supported size of specific device.
Note: syntax of address when specifying number of elements is compatible with Siemens S7 OPC server (e.g. S7:[MyPLC]DB120,INT1050, 24), which facilitates simple transition from OPC communication to Siemens SIMATIC S7 ISO on TCP protokol by configuring a new line, a new station and then changing parent of I/O tags (e.g. via CSV or XML export and import).

Example of addresses:
  • DB10,W35, 20     a block of 20 words will be read (i.e. 40 bytes) from addresses 35-54
  • DB8,X10.0, 100     a block of 100 bits will be read (i.e. 13 bytes) from addresses 10-22

Note on Siemens TIA Portal version 12 and above

There have been reported cases when a communication with a device (specifically, Simatic S7-1200) was established, but after sending a read request the device didn't send required data but a packet with ResultCode = 0x8104, that is 33028 decimal.
According to the problem is insufficient access rights. The cause is a new security option that was added to TIA Portal 12 and higher that by default disallows remote access to read/update blocks. Without this option disabled, only Siemens tools have access to the data.
Configuration: in TIA, under the properties for the CPU project, select "Protection"; there is an option for "Permit access with PUT/GET communications from remote partner" and set also "Access level" according to the following screenshot.

In case of TIA Portal version 14 the setting "Permit access with PUT/GET communications from remote partner" is on a dedicated tab "Connection mechanisms" under "Protection & Security":

Note on Siemens S7 1200/1500

For the communication with these devices to work, beside settings described in note above, it is necessery to disable "Optimized block access" in TIA Portal tool. Following screenshot is taken in TIA Portal version 12:

After changing the security settings in TIA Portal, it is necessary to go to menu Compile → "Software (Rebuild all)" and after compiling to uploat the project to PLC. Partial rebuild may not be sufficient.


  • RFC 1006, "ISO Transport Service on top of the TCP, Version: 3", May 1987.
  • International Standard ISO/IEC 8073:1997, "Information technology - Open Systems Interconnection - Protocol for providing the connection-mode transport service."
  • International Standard ISO/IEC 8072:1996, "Information technology - Open Systems Interconnection - Transport service definition."

Changes and modifications


Document revisions

  • Ver. 1.0 - September 17, 2010 - Document written.
  • Ver. 1.1 - July 2, 2020 - Support for CHARARR.
Write a comment…