FAQ

Did you try a connection via HTTPS? For security reasons, the HTTP connection was deactivated in default settings with version 4.4 of the firmware (Release Notes). Your device should be accessible via an HTTPS connection.
See also Secured Access to the User Interface of the Router.

If a ping returns this error message during debugging, the router's firewall is probably blocking the ICMP packets.
Add a new firewall rule on the Network → Firewall / NAT page with the following settings:

• Packet direction: OUTPUT

• IP version: Alle

• Protocol: ICMP

• Output interface: select the required interface

Click in the new user interface on the Status → Support Packet page on CREATE SUPPORT PACKET .

Click in the new user interface on the Help → Support page on Create new support packet.

If you've configured your device using the setup wizard and no firewall rules or other settings are missing, then make sure you entered the proper Access Point Name under Interfaces/LTE.
For some providers, such as Telekom, it is very important to have a proper APN entry, otherwise they will block your Internet connection.

As of Version 7.8 of the icom OS we do not support this mode yet, nor is it planned at the moment to implement this feature.

The blinking gear indicates that the profile opened in the router differs from the profile running in the router. A click on the gear or ACTIVATE PROFILE button activates the opened profile, i.e. it becomes the running profile. See Profiles for detailed information.

Port 1 of the card in slot 1 (leftmost) is assigned to IP net 1 (configuration network) in default settings (for routers with 5-port switch; for routers with 2-port switch, port ETH1 is assigned to IP net 1). This local network has the static IP address 192.168.1.1. It is intended for accessing the router from a configuration PC. The firewall rules for HTTP (port 80) and HTTPS (port 443) access are also entered for this in default settings.

It is recommended to use IP nets 2 and above as well as the other ports for the application to still enable local configuration access to the router. If the application’s requirements or other circumstances do not allow this, port 1 can also be configured accordingly like ports 2-5. It should be ensured that router access in case of an emergency is still possible using other means.

The internal clock of the router should always be set correctly to ensure that time-controlled events are processed precisely to the desired time, system messages are dated correctly and certificates are within their validity period. A regular synchronisation with an NTP (Network Time Protocol) server is recommended for this. This can be achieved using the action Synchronise clock via NTP. The action will be triggered by a regular event, such as the expiration of a timer or the condition change of an interface.

The startup wizard makes all necessary settings that the time is always synchronised when the respective WAN chain went online. A manual configuration is described here.

The router allows a very complex configuration to cover almost all application cases custom-made. This can cause a complex troubleshooting – in particular for configurations made by third parties.

A comfortable troubleshooting option is provided by the plausibility check. It mainly serves for detecting obvious configuration gaps. It cannot expose all configuration failures of the function. This applies especially to IP filters and NAT rules.

If a required WAN chain is not configured/started/active, the function based on it is not available. The status of the WAN chains is displayed on the Status → Dashboard page.

If connections cannot be established, this may be caused by missing or wrong IP filter rules (firewall). This can be located by deactivating the IP filters temporarily on the Network → Firewall / NAT page.

In contrast to a local network (LAN), a WAN connection will not be started immediately. A WAN connection will then be established, if a WAN chain, which contains the respective WAN interface, is started. The status of the existing WAN chain is displayed on the Status → Dashboard page.
The following prerequisites must be met for a functional WAN connection:

• In case of an Ethernet connection, the respective IP net must be activated ( Network → Interfaces → IP networks)

• In case of a cellular connection, the respective modem interface must be configured correctly ( Network → Interfaces → LTE)

• The WAN interface must be contained in a WAN chain ( Network → WAN / Internet)

• If the WAN chain contains more than one interface, all must be functional that the WAN chain can be started

• If more than one WAN chain exists, sequential order and WAN chain to be started in case of failure are decisive

It can be useful due to reasons of security to block an IP version (IPv4 or IPv6) for data traffic completely. Proceed as follows for this:

• Activate the IP filters (firewall) of the IP version to be blocked ( Network → Interfaces → Firewall / NAT)

• Modify all IP filter rules such that they only permit the desired IP version

In order to dispatch a message via e-mail within an action, it is necessary to configure the e-mail account in the router and add appropriate netfilter rules. Refer to this Configuration Guide to find ot how to do this.

If a container cannot be accessed via its IP address, it is recommended to check the following settings:

• On the Container → Container page in the Container section:

  • Is the container present and active?

  • Does the container have a configuration?

  • Does the container require a license for being accessed?

• Editing the configuration of the container on the Container → Container page ( ):

  • Does the container have a bridge into the correct IP net?

  • Is the container configured for the correct IP address?

  • Does the container require a certain user group for being functional?

• Are the IP filters activated on the Network → Firewall / NAT page? If yes, these may be deactivated temporarily for troubleshooting. If the container can then be accessed, an IP filter rule is missing that permits to access the container.

Yes, this is possible.
Just keep in mind that if the other device is lacking a feature, for example DSL or LTE, those settings will be skipped over during the import.

See this Configuration Guide or this YouTube tutorial video:

This is due to the fact that you are trying to access an entry that does not exist.
Each entry, for example a netfilter rule, has its own index number.
In this case, you are trying to access the 6th element of the list but only 5 elements exist.

• Either try to correct the index of the entry appearing in the square brackets, e.g. [5] -> [6]

• or add the correct number of elements to your ASCII file, e.g. with “netfilter.ip_filter.rule.add”

This generally means a DNS error, however a routing conflict can lead to this as well:

• Is the OpenVPN server online and reachable over its domain name? Ask your provider or network administrator.

• Make sure your INSYS router’s DNS settings are correct and it is allowed to make DNS requests.

• Have you configured 2 or more interfaces in the same IP range? Even if net2 and net3 are in the same IP range, the OpenVPN connection will not work, and you’ll receive this error message.

icom OS supports port forwarding. Create a port forwarding rule as outlined below:

• Add under Network → Firewall / NAT a new Destination NAT rule.

• Configure as Type Portforward, your desired Protocol, the Input interface und last your desired IP address and Port number.

• If your firewall is active, add under Network → Firewall / NAT a new IP filter rule and select FORWARD as Packet direction and the Protocol, configure your Input and Output interface. It is very important here to set your Destination port and enter the IP address with a Subnet mask of /32.

A comprehensive configuration example can be found in this Configuration Guide.

icom OS supports IP forwarding/1-to-1 NAT. A comprehensive configuration example can be found in this Configuration Guide.

There is no command reference, but the command can easily be found out as described here. See also this YouTube tutorial:

See this Configuration Guide.

Click in the new user interface on the Administration → Debugging page on OPEN DEBUG TOOLS , select the Tool AT command, enter the Parameter AT+CPIN="PUK","NEW PIN" (e.g. AT+CPIN="12345678","0000"), select the LTE interface and click on SEND.

You will find the AT command tool in the classic user interface under Help → Debugging.

The Auto-Update Server operated by INSYS icom has been shut off and will not update your router any more. Refer to this note for more information and how to continue to provide your router with the latest updates.

The PKCS12 file could have been created with PBE-SHA1-RC-40, PBE-SHA1-3DES or other encryption algorithms, which are classified as insecure on our devices from firmware version 7.3 and onwards.
https://icom-os.releasenotes.io/release/NuQrd-icom-os-73

Try one of the following solutions:

1. Export your PKCS12 file and use a more secure algorithm, such as AES-256

2. If possible, export the individual files (CA, certificate and key)

At the moment INSYS icom routers do not support WireGuard out-of-the-box.
However, it is available in our Net Tools container.

When using our industrial routers for connecting to fiber optic networks, MRX Fiber or MRX with MRcard Fiber, a careful selection of the SFP transceiver used is crucial for the performance of the router and a stable connection.

When selecting the SFP transceiver, pay attention not only to the required specifications but also to the heat development during operation. Some SFP transceivers heat up very strongly during operation, age prematurely as a result and are not recommended for industrial use over several years.

Programmable universal transceivers are particularly suitable for flexible use.

Based on customer experience, transceivers from Flexoptix are particularly suitable.

This usually means that your device's date set incorrectly. Your certificate is literally not valid yet, as your device is in the past. You can set the correct date and time under Administration/Time.

This behaviour is caused by the TIA Portal of Siemens, who is also responsible for support in this case.
INSYS has no influence over this behaviour.
Try deactivating the option SIMATIC Industrial Ethernet (ISO) for the OpenVPN Virtual Ethernet Adapter under your PC’s network connection settings.

We do not support this mode, nor is it planned at the moment to implement this feature.

Yes, that is possible.
Please contact our colleagues in the Customer Service Center at support@insys-icom.de to do the necessary changes to your account.

You have to manually assign the license to the device by clicking on the pencil symbol and selecting an available license.

The guaranteed availability is specified in the Service Level Agreement (see Product Description) and notably higher than the availability specified in the General terms and conditions for the use of Online Services which also contain the exceptions for services in China.

After 2025-06-30, INSYS icom no longer supports the connectivity of devices registered in the icom Connectivity Suite – VPN with OpenVPN client versions before version OpenVPN 2.4.

After 2026-06-30, INSYS icom no longer supports the connectivity of devices registered in the icom Connectivity Suite – VPN with OpenVPN clients using an OpenSSL version before OpenSSL 1.1.1.

Which devices are affected?

• INSYS routers with icom OS up to version 2.9

• INSYS routers with INSYS OS up to version 2.12.19

• Third-party devices with an OpenVPN client up to version 2.3

How do I find out the firmware version?

For routers with icom OS, you can find the firmware version in the dashboard or device info:

For routers with INSYS OS, you can find the firmware version in the System → System data menu:

For third-party devices, you can find the OpenVPN version in the OpenVPN client used:

How do I update the devices?

Important check BEFORE update - is the VPN certificate on the device outdated?

The devices registered in the icom Connectivity Suite - VPN will regularly be provided with new certificates. However, if a device has not been provided with a new icom Connectivity Suite - VPN certificate since the beginning of 2024, it may still have a certificate that was issued using the outdated SHA1 method, which is no longer supported. If such a device will be updated, it will no longer be able to connect to the icom Connectivity Suite - VPN!
You can see whether a device has not been provided with a new certificate for a long time if the list of issued certificates in the VPN settings field on the device details page in the icom Connectivity Suite - VPN is longer and the active certificate has an older issue date. In the following example, the still active certificate 122 was already issued in 2022 and further certificates have been issued for the device since then, but not used by the device.

Possible reasons:

• A router was powered off for a long time or not connected to the Internet → switch it on again and wait until it has connected

• Serial number not correct → compare serial number in the router and portal of the icom Connectivity Suite - VPN and adapt

• The automatic update function of the router has been deactivated → reactivate and start an update

• A third-party device was no longer supplied with a new OpenVPN configuration file → download the OpenVPN configuration file and copy it to the corresponding directory of the OpenVPN client

Goal:

You can identify an update of the VPN certificates on the device by the reduction in the list of issued certificates.

Download the latest firmware for INSYS routers with icom OS or INSYS OS and update your router.

For routers with icom OS, upload the firmware in the Administration → Firmware menu in the Import firmware section.

For routers with INSYS OS, update the firmware as instructed in the enclosed PDF file.

On third-party devices, update the OpenVPN client according to the instructions of the OpenVPN client used.

No, it’s not possible. These firmware versions are incompatible with each other.

If your device has a firmware version of 1.x.x the update cannot be carried out!
In the event of large version jumps, incremental updates are first necessary. These updates are available here:

• If your device has a previous firmware version of at least 2.0.0 but before 2.2.0, an intermediate update step to 2.2.1, and then an intermediate update step to 2.6.2 must be performed before.

• If your device has a previous firmware version of at least 2.2.0 but before 2.6.0, an intermediate update step to 2.6.2 must be performed before.

Some e-mail service providers don’t support TLS versions 1.0 and 1.1 anymore. Please update your device to the lates firmware, in which we implemented TLS versions 1.2 and 1.3.
The latest firmware is found under the following link:
Insys OS Firmware

No, this is not possible. The two operating systems are incompatible with each other.
You have 2 options:

1. You manually configure your icom OS device following the settings in your INSYS OS device.

2. Our Customer Service Center manually converts your INSYS OS profile to an icom OS profile, as an Extended Support service. Please contact our team at +49 941 58692 661, or per e-mail at support@insys-icom.de.

For more information about our Extended Support services visit:
https://www.insys-icom.com/en/support/technical-support/extended-support/

With the INSYS OS, the cellular interface cannot be used while the LAN(ext) port is in "DHCP" or "static" mode. Please either turn the port off, or set it to "bridging" mode.

This is not possible with INSYS OS devices.
Our new icom OS devices, such as the MRX, MRO, ECR, SCR and MIRO are capable of simultaneously running multiple OpenVPN and even IPSec tunnels.
Test our icom OS devices free of charge:
https://www.insys-icom.com/en/products/router-gateways/

You can create a support packet under System/Download/Create new support packet at the bottom of the page.

Under the menu GSM/GPRS, UMTS, or WWAN under Terminal type in your PUK and your new PIN number in the following format:
AT+CPIN="PUK","NEW PIN"

So for example:
AT+CPIN="12345678","0000"

We have not set an arbitrary limit. Theoretically you can register as many data points as you wish.
This does not mean however that you will be able to simultaneously use thousands of data points.
The maximum simultaneously usable data points strongly depends on how often the points are polled, and how large of a data traffic they produce.

Please visit the following link for a written manual:
Installing the icom Data Suite Container
or the following link for a YouTube Tutorial video: