Hello,
First I have to mention I have to use SNMP4J version 1.7.6a for specific reasons.
In our application, we have to deal with 2 different SNMP v3 agents, each with a specific security name / auth/priv.
When setting up only one or the other, it works, but when setting both, the first one fail. Here how we do it (same code for both classes who manage each agent) :
this.snmp = new Snmp(new DefaultUdpTransportMapping());
final OctetString osLocalEngineID = new OctetString(MPv3.createLocalEngineID());
final USM usm = new USM(SecurityProtocols.getInstance(), osLocalEngineID, 0);
SecurityModels.getInstance().addSecurityModel(usm);
this.snmp.listen();
final OctetString sName = new OctetString(securityName);
final OctetString authPass = new OctetString(authPassPhrase);
final OctetString privPass = new OctetString(privacyPassPhrase);
final UsmUser user = new UsmUser(sName, AuthSHA.ID, authPass, PrivDES.ID, privPass);
usm.addUser(sName, user);
I assume the problem come from the fact we create 2 different USM with their USMUser, when there’s only one SecurityProtocol.getInstance / SecurityModels.getInstance().
Is there no way to manage different devices in the same JVM ? Seems unlikely.
I saw there was in more recent version a way to pass a scecific USM to a SNMP instance, via MPv3(USM usm) constructor, but is there a way to do it in 1.7.6a where such constructor doesn’t exist ?
I’d like to add some precisions :
The first class use its SNMP instance to send periodically GET PDUs to agent 1.
The second class use its SNMP instance to listen and catch traps from the agent 2.
I tried another solution : using only one USM for both classes, and adding to it the two different USMUser. Is that the better way to do it ?
This solution doesn’t work either for me, but it’s better. It fails for a different reason :
It initially works for both classes, then after a few minutes if I try to send a trap from agent 2 (correctly catched by class 2), then the PDU GETs begin to timeout. In debug I see the snmp response mentions “not in time window”, with engineTime increasing.
If I either :
restart my java app
restart the agent 1
Then the pdu get work correctly again.
I fail to understand the link between the two classes, and the impact of catching trap from one to sending GET to the other, when they have their own SNMP instance. The only common objects between them is the USM and the singleton classes from SNMP4J itself.
I think the root cause is that agent 1 and 2 and/or the SNMP4J Snmp instance (the USM singleton) are using the same engine ID which is not allowed and not supported by the SNMPv3 standard!
Thanks a lot for your answer and your time, Franck.
About engineIds :
Agent 1 et 2 have different ones.
SNMP instance 1 and 2 have also different ones (set by snmp.setLocalEngine(localEngineId, 0, 0); at startup). The engineId set in the snmp instance 2 is also the one passed to USM constructor. Is that a mistake ?
What I don’t understand when using a single USM for two SNMPs : what does the engineId passed to the USM constructor ? Does it need to be unique as well ? If not, how can a single USM with its own engineId be used with several SNMP instances ?
It’s the USM checking the time window when receiving a message, isn’t it ? Can it deal with both of them ? To be accurate, the problem I have is when I restart agent 2 after some time, agent 1 response are rejected by the usm instance for being “not in time window”.
So how can I use different SNMP simultanously if USM can only deal with one engineID ?
Sorry if my question is naive, but how would that work when SNMP constructor needs transportMapping, and thus specific agent adress ? How can an SNMP instance work for multiple agents ?
How should I construct this single SNMP instance then ?
The two agents it needs to deal with have different Adress and port, is there a way to put multiple transportMapping by SNMP ?
I apologize for bothering you about this, as this matter is from over a year ago.
I have a requirement to build a data acquisition layer for SNMP devices, which means I need to collect signals from thousands of devices simultaneously and receive alarms. If all devices use the SNMPv3 protocol, will using only one SNMP instance cause performance issues or other problems? If each device has its own SNMP instance, since SNMPv3 users are stored in a shared USM, will the same problems arise? What about alarms? Will there be performance issues with alarms as well? What are your recommendations for using SNMP4J in this scenario?
The simple answer is always: use a single Snmp instance if you can. If you have same usernames with different passwords on different devices in the field, then you need to use DirectUserTargets (only available with the latest SNMP4J version) or several USMs.
There will be no performance impact, because the performance is mainly defined by
Encryption: Convert a plain text password to a key only once and not for every request!
Response processing: The processing of a response must be decoupled by multi-threading as much as possible. Otherwise the processing of other responses will be delayed!
Alarm processing is the same as response processing.
That’s it. Using multiple Snmp instances will not increase overall performance, the opposite will be true in most cases.
I saw the comment in DirectUserTarget: “the {@code DirectUserTarget} does not refer to user information of a USM Local Configuration Storage except for caching engine times and boot counter for the authoritative engine ID.”
Does this mean that SNMP requests using DirectUserTarget no longer retrieve SNMPv3 user information from the unified shared USM? How does it then handle the requests? Is it similar to obtaining a token after the first request, and then using it for subsequent requests?
Finally, I am also curios, have you ever encountered situations where you need to use multiple SNMP instances? I’d like to understand those scenarios and compare them to my currenr situation.
Yes. The direct user target object directly stores the key data and this data is handed over to the TransportMapping for sending request and receiving responses. This concept does not work for receiving INFORM requests and notifications though.