Mastering Modbus TCP with S7-200 SMART: Advanced Connection, Error Handling, and Data Management Techniques

Posted by on
1. How to Determine if a Modbus TCP Connection Has Been Established?


Answer: To conduct Modbus TCP communication, a connection needs to be established.


  • When the S7-200 SMART CPU acts as a Modbus TCP client: Use the mConnected parameter in the symbol table of the Modbus TCP Client instruction MBUS_CLIENT to determine the connection status, as shown in Figure 1.

    • mConnected = 1 indicates that the connection has been established.
    • mConnected = 0 indicates that the connection has not yet been established.



When the S7-200 SMART CPU acts as a Modbus TCP server: Use the mConnected parameter in the symbol table of the Modbus TCP Server instruction MBUS_SERVER to determine the connection status, as shown in Figure .


  • mConnected = 1 indicates that the connection has been established.
  • mConnected = 0 indicates that the connection has not yet been established.



Note: When there are multiple clients or multiple servers in the PLC's memory, it is not recommended to use this status point as a reference.


2. How to Check Error Codes?


Answer: When an error occurs, the Done output parameter of the MBUS_CLIENT instruction will be 1. However, Done will also be set to 1 when the connection is established, when the connection is broken, or when a response is completed.


In case of an error, the Error byte will display the error code, but only for one cycle time.


In summary, to check the error code, you can follow the method shown in Figure .


3. How to Handle Modbus TCP Communication with Register Type Data Exceeding 120 Words?


Answer: If the data volume exceeds 120 words, you can operate using the following two methods:


A. Establish multiple connections: Different connections can operate in parallel because they use different communication resources.


B. Establish one connection with multiple operations: Different operations need to be polled, with only one operation active at any given time.


4. How to Access Holding Registers with Addresses Greater than 49999 in Modbus TCP Communication?


Modbus holding register addresses typically range from 40001 to 49999, which is sufficient for most applications. However, some Modbus slave devices map data to holding registers with broader address ranges. The MBUS_CLIENT instruction allows for an extended range in the Addr parameter to support holding register addresses from 400001 to 465536. For example, to access holding register 16768, set the Addr parameter of MBUS_CLIENT to 416768. This extended addressing allows access to all 65536 possible addresses supported by the Modbus protocol. This extended addressing is only applicable to holding registers.


5. When the S7-200 SMART Acts as a Modbus TCP Client, and the Server is a Gateway Module, How to Distinguish Between Modbus RTU Slave Addresses When Connecting to Multiple Modbus RTU Devices?


Answer: When the S7-200 SMART CPU communicates as a Modbus TCP client with a Modbus TCP server and tries to access devices on a lower-level serial subnet, there might be an "unable to establish connection" error. If the Modbus TCP server is used as a gateway for the Modbus RTU protocol, the MB_UNIT_ID can be used to identify slave devices connected on the serial network. MB_UNIT_ID forwards the request to the correct Modbus RTU slave address. Some Modbus TCP devices might require the MB_UNIT_ID parameter to be within a restricted range. The location of this parameter is shown in Figure 4.


  • The default value for mModbusUnitID is 255 (16#FF). If there are multiple slave devices, you can establish a connection between the S7-200 SMART and the gateway module, then poll the UnitID by modifying its value on this connection.


6. How Does the S7-200 SMART Handle Writing a Single Bit/Word When Some Servers Do Not Support Writing a Single Discrete Output Bit (Function Code 5) or a Single Holding Register (Function Code 6)?


Answer: Some Modbus server devices do not support writing to a single discrete output bit (Modbus Function 5) or writing to a single holding register (Modbus Function 6). Instead, these devices only support multi-bit writing (Modbus Function 15) or multi-register writing (Modbus Function 16). If the server device does not support these single bit/word Modbus functions, the MBUS_CLIENT instruction will return error code 1. The Modbus client protocol allows forcing the MBUS_CLIENT instruction to use multi-bit/word Modbus functions instead of single bit/word functions. This can be done by locating the symbol mModbusForceMulti in the Modbus client symbol table and changing this value before executing the MBUS_CLIENT instruction in the program.


Setting mModbusForceMulti to TRUE will force the use of multi-bit/word functions when writing a single bit or register, as shown in Figure.