AXON ICM-GE — Infrastructure Master with Ethernet, GSM and RS-485 BUS

The master controller for non-cabin access points in commercial and residential buildings — doors, ramps, floors, garages. Hybrid Ethernet + GSM uplink, RS-485 BUS to nodes, up to 120 access points per PCB, with local encrypted validation that keeps the site working when the internet does not.

  • Role: Infrastructure master
  • Uplink: Ethernet + GSM
  • Nodes: RS-485 BUS
  • Capacity: up to 120 APs
  • Local-first validation
  • 12–24 V DC, 4–8 W
  • In stock

AXON ICM-GE is the infrastructure master for access points outside elevator cabins — building entrances, internal doors, vehicle ramps, garage gates and non-cabin floors. It connects to the management server through a hybrid Ethernet + GSM uplink, drives up to 120 access points through an RS-485 BUS to nodes, and makes authorisation decisions locally so the site keeps working during internet outages.

01 — What ICM-GE Does in the System

AXON ICM-GE is the master controller for the building-side half of the AXON access architecture: every access point that is not inside an elevator cabin. That covers the main entrance, internal doors, garage gates, vehicle ramps, and any landing-level reader that does not need to coordinate with a moving cabin. Functionally it is the brain of the site: it holds the user database, the per-door permission policy, the time windows, the lockdown state and the event log.

Architecturally the master sits between two networks. Above it is the building or campus uplink — Ethernet, GSM, or both — that connects to the AXON management server where administrators manage users and pull reports. Below it is the RS-485 BUS that connects every node and reader on the site. The master decides; the nodes execute. This separation is deliberate: a node failure stops one access point, a master failure stops a building, and we want the recovery story to match that operational priority.

What distinguishes ICM-GE from cloud-only access controllers is local-first validation. The master holds an authoritative copy of the user database and authorises requests on its own, without making a round trip to the server. The server is the source of truth for management — adding users, changing policies, reading reports — but the access decision happens on-site. When a building's internet goes down on a Tuesday afternoon, the doors keep working for residents and staff who were on the master's roster as of the last sync.

ICM-GE is the right master for in-building deployments where structured cabling or a usable mobile signal is present. For multi-building campuses, parking lots and fragmented sites where running cable between buildings is impractical, AXON offers the ICM-LR variant with a LoRa uplink instead.

02 — Required Components

A typical ICM-GE installation includes:

| Part | Role | Notes |
|---|---|---|
| AXON ICM-GE PCB | Master controller | One per building or per logical site. Up to 120 access points. |
| Ethernet RJ-45 link | Primary uplink | 10/100 Mbps to the building switch or router. |
| GSM SIM (Vala / IPKO / etc.) | Backup uplink | Carrier of choice; data plan sized for heartbeats and incident bursts. |
| RS-485 BUS cable plant | Node bus | One or more dedicated twisted-pair segments to all nodes. |
| AXON URX-Secure readers | Encrypted readers | Door and gate credential capture. |
| AXON W2R-N converters | Legacy bridge | Brings existing Wiegand readers onto the RS-485 BUS. |
| Door / ramp / garage relays | Physical outputs | Driven from the master or paired I/O nodes on each access point. |
| 12 V or 24 V DC power supply | Master and bus power | 4–8 W for the master, plus reader/relay loads on the same rail. |
| DIN-rail enclosure | Installation | The master is intended for a service-room cabinet, not a public area. |

Why these specific parts

The hybrid Ethernet + GSM uplink is the most opinionated part of the BOM and the part that distinguishes ICM-GE from a generic access controller. We chose it because field experience says single-uplink access controllers fail visibly during the kinds of outages real buildings actually have — ISP changes, router resets, fibre cuts during road work. RS-485 was kept as the node bus rather than Ethernet-to-every-door because it is dramatically cheaper to pull, tolerates electrical noise common in service risers, and runs hundreds of metres on a single twisted pair. The master's own current draw (4–8 W) is small enough to share a supply with one or two doors without a separate rail.

03 — How ICM-GE Works End-to-End

A typical authorisation event flows through ICM-GE as follows:

  1. Credential capture. A user presents an RFID card to a URX-Secure reader (or a legacy Wiegand reader fronted by a W2R-N) at a door or gate.
  2. Encrypted bus exchange. The reader sends the credential to the master over the RS-485 BUS in encrypted form, with the reader address and an anti-replay counter.
  3. Local lookup. The master decrypts the credential, looks up the user in its local database, checks the policy for the originating access point (time window, lockdown state, ad-hoc permissions) and forms an authorisation decision.
  4. Output action. If granted, the master energises the appropriate output — door strike, ramp solenoid, garage gate driver — for the configured pulse duration.
  5. Reader feedback. The master sends an acknowledgement back to the reader over the RS-485 BUS, which triggers the appropriate LED/buzzer pattern at the access point.
  6. Event log. The master appends the event to its local advanced log: who, where, when, granted or denied, and the reason code.
  7. Server sync. When the uplink is available, the master pushes log batches to the management server over Ethernet (preferred) or GSM (fallback) and pulls any pending configuration updates.

Steps 1 through 6 happen entirely on-site and do not require any uplink. Step 7 is asynchronous: an offline master keeps validating users from its local roster and queues events for later sync. This is the architectural reason ICM-GE is appropriate for enterprise sites — the operational behaviour is decoupled from internet availability.
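The master-side part of this flow (steps 2, 3, 6 and the queue that feeds step 7) can be sketched as follows. This is an added example, not AXON firmware or the AXON protocol: the frame layout, the HMAC tag standing in for the unspecified bus encryption, the reason codes, and the simplification that one reader address equals one access point are all assumptions.

```python
import hashlib
import hmac
import struct
from collections import deque
from dataclasses import dataclass, field
from datetime import time

# Constructed frame layout (an assumption, not the AXON wire format):
# reader address (1 byte) | counter (4, big-endian) | credential (8) | tag (16)
FRAME_LEN = 29


def build_frame(key: bytes, addr: int, counter: int, credential: bytes) -> bytes:
    """Reader side: authenticate address, counter and credential together."""
    body = bytes([addr]) + struct.pack(">I", counter) + credential
    return body + hmac.new(key, body, hashlib.sha256).digest()[:16]


@dataclass
class Master:
    reader_keys: dict   # reader address -> per-reader key
    roster: dict        # credential -> set of access points it may open
    windows: dict       # access point -> (start, end) allowed time window
    lockdown: bool = False
    last_counter: dict = field(default_factory=dict)
    pending_sync: deque = field(default_factory=deque)  # events queued for step 7

    def handle_frame(self, frame: bytes, now: time) -> str:
        """Steps 3 and 6: decide locally, then log the reason code."""
        reason = self._decide(frame, now)
        self.pending_sync.append({"reader": frame[:1].hex(), "at": now.isoformat(),
                                  "reason": reason})
        return reason

    def _decide(self, frame: bytes, now: time) -> str:
        if len(frame) != FRAME_LEN:
            return "DENY_MALFORMED"
        addr = frame[0]
        key = self.reader_keys.get(addr)
        if key is None:
            return "DENY_UNKNOWN_READER"
        tag = hmac.new(key, frame[:13], hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, frame[13:]):
            return "DENY_BAD_TAG"
        counter = struct.unpack(">I", frame[1:5])[0]
        # Anti-replay: the counter must move strictly forward per reader, and
        # it is only advanced by frames that passed authentication.
        if counter <= self.last_counter.get(addr, -1):
            return "DENY_REPLAY"
        self.last_counter[addr] = counter
        if self.lockdown:
            return "DENY_LOCKDOWN"
        if addr not in self.roster.get(frame[5:13], set()):
            return "DENY_NO_PERMISSION"
        start, end = self.windows.get(addr, (time.min, time.max))
        # A window whose end is earlier than its start wraps past midnight.
        inside = start <= now <= end if start <= end else (now >= start or now <= end)
        return "GRANT" if inside else "DENY_TIME_WINDOW"
```

Every outcome, including denials, lands in `pending_sync`, so an offline master still produces a complete audit trail once the uplink returns.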

04 — Communication Architecture: Ethernet, GSM and RS-485 BUS

Ethernet 10/100 — primary uplink

The Ethernet 10/100 Mbps (IEEE 802.3) interface is the master's preferred path to the management server. 10/100 Mbps is sufficient for any realistic access-control traffic: even an active site with several thousand events a day represents a few hundred kilobytes of log data per day, plus periodic config syncs. Ethernet is also the path used for bulk operations such as firmware downloads (OTA) and full log exports. Use a dedicated Ethernet drop from the building switch where possible, or a managed VLAN that isolates the access controller from general office traffic.

GSM — backup uplink (Vala, IPKO, others)

The GSM/cellular modem (3GPP standards) is the failover path. It activates automatically when Ethernet is unreachable for a configurable threshold — for example, three consecutive heartbeat failures over thirty seconds. While on GSM, the master throttles bandwidth-heavy operations (firmware updates, bulk log sync) to conserve carrier data and keep the link available for authorisation events and alerts. Both major Kosovo carriers (Vala and IPKO) are supported; the unit ships with a SIM slot accessible without dismantling the cabinet so the carrier can be swapped during operation.

RS-485 BUS — the node side

Below the master, every reader and node connects on the RS-485 BUS (TIA-485-A). The BUS is a multi-drop linear bus addressed at the protocol layer, so a single twisted pair leaving the master can carry traffic for many access points. The encrypted AXON protocol runs on top of RS-485, so the bus is not vulnerable to the cleartext credential capture that plagues legacy Wiegand cabling. Large sites are segmented into multiple RS-485 busses, each terminated correctly and addressed within the same master, to keep per-segment traffic and length within design limits.

Why local-first instead of cloud-first

Cloud-first access control has one big advantage (no on-site controller to maintain) and several big problems (latency on every authorisation, complete outage when the internet is down, credential confidentiality on every API hop). For a 50-flat residential building in Prishtinë, an outage where residents cannot get in at 23:00 on a Sunday is a serious problem the building manager will hear about. ICM-GE puts the decision on-site so an outage degrades visibility, not operations.

05 — Interface Layout

| Interface | Function | Notes |
|---|---|---|
| RJ-45 Ethernet | Primary uplink | 10/100 Mbps; supports DHCP or static IP. |
| GSM antenna SMA | Backup uplink | External antenna for placement outside the cabinet. |
| RS-485 BUS terminals | Node bus | A / B / GND, one or more segments depending on configuration. |
| Power input | 12 V or 24 V DC | Polarity-protected, with an inline fuse on the bus. |
| Status LEDs | Diagnostics | Power, link, GSM signal, bus activity. |
| Service USB / debug port | Commissioning | Used for initial provisioning and on-site diagnostics. |

06 — Security and Robustness

ICM-GE's security model has several layers, designed so that compromising one does not compromise the system:

  • Encrypted bus to nodes. Credentials never traverse the RS-485 BUS in cleartext. The AXON protocol uses encryption with anti-replay counters end-to-end between reader and master.
  • Encrypted uplink to server. Both Ethernet and GSM uplinks use TLS to the management server; an attacker on the LAN does not see credential or log data.
  • Local-first validation. Authorisation decisions do not depend on the cloud being reachable. This is a robustness property as well as a security property: it eliminates a class of denial-of-service attack against the uplink.
  • Signed OTA firmware. The master verifies firmware signatures before applying an update, following platform-firmware resiliency principles in NIST SP 800-193; an attacker who reaches the management server cannot easily push malicious firmware without the signing key.
  • Watchdog and bus recovery. The master resets cleanly if its main loop hangs, and the bus driver recovers from accumulated electrical errors without manual intervention.
  • Bounded local log buffer. Even with the uplink down for days, the master retains a rolling local log of events so post-mortem investigation is possible.

07 — Real-World Deployment Scenarios

Multi-entrance residential complex in Prishtinë

A 90-flat residential complex with three building entrances, an underground garage gate, and a vehicle ramp uses one ICM-GE in the basement service room. URX-Secure readers (IP65) sit at the three entrances and the garage; W2R-N converters bring two existing Wiegand readers at the ramp onto the same RS-485 BUS. Residents use DESFire fobs; the management app gives the building manager add/remove control with an audit log per resident. Ethernet is connected to the building's fibre router; GSM (IPKO) is on standby. Total access points: 6, well within the 120 ceiling, leaving headroom for staff cards and visitor codes.

Multi-tenant office in Tiranë

A six-floor office building with eight tenant suites and a shared lobby installs one ICM-GE for the building-common areas and a per-tenant policy partition inside the master. The lobby door, fire-stair doors and rooftop access door run as building-common access points; each tenant suite door is a tenant-specific access point with its own user roster. The hybrid uplink lets the property manager push policy updates from a centralised console even when one tenant's office Ethernet is undergoing maintenance.

Regional hospital with controlled wings in Pejë

A regional hospital uses ICM-GE for non-elevator access — ward doors, medication rooms, IT closets, plant rooms. Different cards have different ward and time-window permissions, all enforced locally on the master. The advanced logging captures every access event for compliance and post-incident review. The GSM uplink is operationally important here: when the hospital's WAN goes down (which it does, periodically), authorisation continues and the event log buffers, so there is no security gap in the audit trail.

Mixed-use hotel in Prishtinë

A boutique hotel uses ICM-GE for back-of-house and service doors (housekeeping rooms, plant, rooftop), with time-windowed credentials per role. The Ethernet path syncs with the hotel's property management system so contractor cards expire automatically at the end of their scheduled work. Guest doors stay on the hotel's in-room locks; ICM-GE handles only the doors where centralised, time-bound, auditable access is operationally useful.

08 — Installation Requirements

  • Mounting: DIN-rail in a service-room cabinet. Public-facing installation is not appropriate — the master is the keys-to-the-kingdom.
  • Power: 12 V or 24 V DC, 4–8 W for the master plus per-reader and per-relay loads on the same rail. Budget a 15 W supply per master as comfortable headroom; oversize for sites with many relays on the same rail.
  • Ethernet: dedicated drop or a managed VLAN. Static IP is preferred for predictable diagnostics; DHCP is acceptable on stable networks.
  • GSM antenna: route the antenna outside the metal cabinet; a poorly placed antenna inside a steel enclosure halves usable signal.
  • RS-485 BUS: shielded twisted pair per segment, terminated 120 Ω at both physical ends only. Test with all devices off — you should read approximately 60 Ω across A/B.
  • Earthing: tie the bus shield to chassis ground at the master end only, never at both ends — double-ended bonding causes ground loops at this frequency.
  • Commissioning: provision each node's address and key against the master before installation where possible.

09 — Recommended Topology

The recommended topology for ICM-GE-based sites:

  1. Single master per building, sized to the access point count (under the 120 per-PCB ceiling).
  2. One RS-485 segment per logical zone: lobby/entrance segment, garage segment, internal-doors segment. Segmenting by zone simplifies fault isolation and keeps a single bad cable from taking down the whole building.
  3. Linear bus, short stubs: each node taps off the segment via a stub of 30 cm or less. Terminate 120 Ω at both physical ends of each segment only.
  4. Power per zone: a local supply at each zone often beats one giant supply in the basement, because cable losses on long 12 V runs eat into reader headroom.
  5. Hybrid uplink active: configure both Ethernet and GSM; keep Ethernet as primary, GSM as automatic backup.

Common installation mistakes: terminating every node (drops impedance below specification), sharing the RS-485 cable with mains feeders (induced noise), routing the GSM antenna inside a steel cabinet (lost signal), and a single global power rail with no per-zone fusing (one bad short takes down the whole site).

10 — Troubleshooting Guide

A whole RS-485 segment goes silent

Almost always a bus-layer problem: missing termination, A/B swap, or a short between A and B on a stub. Confirm 60 Ω across A/B with all devices off, walk the segment looking for the most recently added node, and check that segment power is present at the far end of the run. The master's bus diagnostic LED is a quick first-line indicator.

The master keeps falling back to GSM unnecessarily

Either the Ethernet link is genuinely intermittent (check the switch port counters), or the heartbeat threshold is too aggressive. ICM-GE marks Ethernet as down after a configurable number of consecutive missed heartbeats; on lossy networks this needs to be relaxed. Don't suppress the failover entirely — that defeats the point of the hybrid uplink.
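The threshold trade-off described here, together with the failover and GSM throttling behaviour from section 04, can be explored with a small model. This is an added example, not ICM-GE firmware: the class, the operation names, the recovery threshold for returning to Ethernet, and the heartbeat traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Operations the page says are throttled while on GSM (names are assumptions).
BULK_OPS = {"firmware_update", "bulk_log_sync"}


@dataclass
class UplinkSelector:
    miss_threshold: int = 3      # consecutive missed heartbeats before failover
    recover_threshold: int = 3   # assumption: consecutive successes before failback
    active: str = "ethernet"
    misses: int = 0
    successes: int = 0
    failovers: int = 0

    def heartbeat(self, ethernet_ok: bool) -> str:
        """Feed one Ethernet heartbeat result; return the uplink now in use."""
        if ethernet_ok:
            self.misses = 0
            self.successes += 1
            if self.active == "gsm" and self.successes >= self.recover_threshold:
                self.active = "ethernet"
        else:
            self.successes = 0
            self.misses += 1
            if self.active == "ethernet" and self.misses >= self.miss_threshold:
                self.active = "gsm"
                self.failovers += 1
        return self.active

    def allowed(self, op: str) -> bool:
        """Bulk transfers wait for Ethernet; events and alerts always pass."""
        return not (self.active == "gsm" and op in BULK_OPS)


def replay(trace: str, miss_threshold: int):
    """Replay a heartbeat trace ('1' = answered, '0' = missed)."""
    sel = UplinkSelector(miss_threshold=miss_threshold)
    path = [sel.heartbeat(c == "1") for c in trace]
    return sel.failovers, path


# Constructed traces, one character per heartbeat interval.
LOSSY = "1110111101111"   # isolated single drops on a lossy LAN
OUTAGE = "1100000111"     # a sustained Ethernet outage

if __name__ == "__main__":
    for name, trace in (("lossy", LOSSY), ("outage", OUTAGE)):
        for threshold in (1, 3):
            print(name, "threshold", threshold, "failovers", replay(trace, threshold)[0])
```

On the lossy trace a threshold of 1 fails over on every isolated drop, while a threshold of 3 rides through them and still catches the sustained outage.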

GSM is reported online but with weak signal

Move the antenna. A magnetic-mount antenna on the cabinet door, or routed to an external wall, typically gains 10–15 dB over an antenna stuffed inside a steel enclosure. Carrier coverage in the basement service rooms of older buildings is often the binding constraint.

Authorisation works locally but events do not appear in the management server

The uplink is down, or TLS to the server is failing. Check the master's uplink status LED and the server-side endpoint. Events are buffering locally and will sync when the link recovers; no data is being lost. If the buffer approaches its limit, the master raises a "log buffer full" alert.

New users added on the server do not arrive at the master

The pull side of the sync is failing. Check that the master is authenticating successfully to the server (TLS certificate, API token), and check the management server's outbound queue. A bad TLS chain after a server certificate renewal is a frequent cause; rotate the trusted root and re-establish the connection.

11 — How ICM-GE Compares to Alternatives

  • Cloud-only access controllers. Cheaper at the controller but pay the price every time the WAN is down — authorisation latency climbs, and an internet outage becomes an access outage. ICM-GE does authorisation locally; the cloud is for management, not for the critical path.
  • Ethernet-only controllers without GSM backup. Fine in office buildings with redundant internet, problematic everywhere else. The hybrid Ethernet + GSM uplink in ICM-GE was sized specifically for the typical building reality where the ISP is the single point of failure.
  • IP-per-door controllers. Maximally flexible, maximally expensive, and require structured cabling to every door. Most retrofit projects in this region do not have that. RS-485 BUS on a single twisted pair to all readers is dramatically cheaper to install.
  • Generic Wiegand panels. Carry cleartext credentials on long cable runs and have no anti-replay protection on the wire. ICM-GE paired with URX-Secure (or W2R-N for legacy readers) eliminates that exposure.

12 — Current Implementation vs Roadmap

ICM-GE is the in-production infrastructure master for AXON installations and is in stock as of this writing.

Shipping today

  • Hybrid Ethernet 10/100 + GSM uplink (Vala, IPKO and other carriers).
  • RS-485 BUS to nodes — URX-Secure, W2R-N and other AXON nodes.
  • Up to 120 access points per PCB.
  • Local encrypted validation with bounded local event log.
  • OTA firmware updates over Ethernet (with GSM fallback for small images).
  • Advanced logging with per-event reason codes and access-point attribution.
  • 12–24 V DC, 4–8 W operating envelope.

On the roadmap

  • Encrypted node firmware update push — propagating OTA updates from the master to URX-Secure and W2R-N nodes over RS-485 with signed payloads.
  • Per-zone bus diagnostics in the management server, including segment health scoring and predictive bus-error alerts.
  • Hardware-rooted device identity for the master, replacing config-file API tokens with a per-unit certificate provisioned at manufacture.
  • Integration adapters for common property-management and HR systems so user lifecycle events flow into AXON without manual data entry.

13 — Key Takeaways

  • ICM-GE is the master for non-cabin access points: doors, ramps, floors, garages. Cabin access is handled by AXON CCU-32 separately.
  • Hybrid Ethernet + GSM uplink means a single ISP outage does not become an access outage.
  • Local encrypted validation is the architectural property that lets the site keep working when the cloud cannot be reached.
  • Up to 120 access points per PCB on segmented RS-485 BUS; size by cable plan, not by reader budget.
  • In stock today; node-side OTA over RS-485 and hardware-rooted identity are next on the roadmap.

14 — Frequently Asked Questions

How many access points can a single ICM-GE handle?

Up to 120 per PCB. Practical limits per RS-485 segment are set by the bus topology and length; large sites are segmented into multiple RS-485 busses back to the same master.

Why does ICM-GE have both Ethernet and GSM uplinks?

So a single ISP failure does not become a site outage. Ethernet is the primary, faster path; GSM (Vala, IPKO and others) is the automatic backup for heartbeats and authorisation traffic.

What happens when the uplink to the management server is down?

The site keeps working. Authorisation is local; events buffer to the local log and sync when the uplink recovers.

Which RS-485 nodes can connect to ICM-GE?

AXON URX-Secure readers, AXON W2R-N legacy bridges, and AXON I/O nodes. All share the same physical RS-485 BUS, each individually addressed.

What does "local encrypted validation" mean?

Authorisation is decided on-site from a local user database (local), and credentials are exchanged with readers in encrypted form on the bus (encrypted).

Does ICM-GE support OTA firmware updates?

Yes, with signed images over Ethernet (preferred) or GSM (fallback). Node-side OTA over RS-485 is on the roadmap.

What power does ICM-GE need?

12 V or 24 V DC, 4–8 W operating. Budget 15 W supply headroom plus the loads of any readers/relays on the same rail.

Can it handle elevator cabin access?

No — cabin access uses the AXON CCU-32 cabin master. ICM-GE is for non-cabin access points.

What is the difference between ICM-GE and ICM-LR?

ICM-GE uses Ethernet + GSM uplink (in-building / standard internet). ICM-LR uses LoRa (long-range, low-bandwidth) for campuses, parking lots and fragmented sites where cabling is impractical.

Is ICM-GE shipping today?

Yes, in stock. Typical lead time from local stock is one to two weeks.

16 — Get an ICM-GE Quote for Your Site

Planning a building-wide access upgrade in Kosovo, Albania or the wider region? We can size the bus, segment the RS-485 plant, configure the Ethernet and GSM uplink for your environment, supply units from local stock and support commissioning. Typical lead time for standard configurations is one to two weeks.
