Problem with receiving SNMPv3 traps with authentication

Hello,

I have a problem with receiving SNMPv3 authPriv traps on my own Java trap receiver.

When using the snmptrap command on the Linux terminal with the authPriv option, the trap is never received on my Java trap receiver regardless of which authentication is used: MD5, SHA or SHA-256. Only if noAuthNoPriv is used is the trap received.

In my Java trap receiver the snmp4j library is used. An important note is that my Java trap receiver receives authPriv traps, regardless of which authentication is used, only when the trap is sent from my own Java trap sender with snmp4j (for all authentication protocols). Also, the snmptrapd daemon receives authPriv traps which are sent from my own Java application with snmp4j and from the terminal (with snmptrap).

I think it's not a problem with the engine ID, because when the noAuthNoPriv SNMPv3 trap is sent from the terminal the engine ID is also used, and when I set an incorrect engine ID the noAuthNoPriv trap is not received.

I'm using Net-SNMP 5.9 on Linux Mint and "snmp4j-2.7.0".

Could someone help me with receiving authPriv traps in a Java application with snmp4j?

Best regards,
Michael

Hi Michael,
As already written on the NET-SNMP mailing list, I am nearly sure that this is an error in the USM configuration of your trap receiver. In the USM you need to add the user authentication and privacy keys localized to the engine ID of the trap sender.

It is not proof that the engine ID is set up correctly when noAuthNoPriv works, because in that case USM key localization is never used.

Best regards,
Frank

Sorry for such a large number of posts, but I have been working on the problem in the meantime and I have found that the problem is in the msgAuthoritativeEngineTime. This value was set to "0" in my own trap sender and in the receiver, so the traps were received properly. When I set a large value, e.g. 1025486 (not zero), in the snmptrap command and in my trap receiver, then the traps are received properly.
So now, do I have to set the same value of msgAuthoritativeEngineTime in my device trap sender and in my Java receiver? I noticed that about 10 minutes after the receiver started, traps are not received any more and I must reboot my trap receiver. Why?

Best regards,
Michael

There is also one notice that may be important: traps sent from the Java application and from the terminal have different msgAuthoritativeEngineTime values: from Java it is always "0" and from the terminal it is always a big 7-digit number.

Best regards,
Michael

Hi,
I wonder if this is a USM configuration problem in my receiver, because the receiver receives authPriv traps when the trap is sent from my Java trap sender with snmp4j with the specified engine ID, which is set on the sender and the receiver (the engine ID is used properly, because when I set an incorrect ID the trap is not received). In Wireshark, traps which are sent from the terminal and from my Java application look the same.
How is it possible that my receiver receives authPriv traps from another Java application?

Best regards,
Michael

I have used LogFactory.
When the trap is sent from my Java application there are no errors, but when it is sent from the terminal (snmptrap) there is this log message:
“Message from 127.0.0.1/45710 not dispatched, reason: statusInfo=1.3.6.1.6.3.15.1.1.2.0 = 0, status=1411”.

The msgAuthoritativeEngineTime is the time notion of the trap sender (in your case). The time notion for the engine ID of the sender must not diverge more than 150 seconds. Otherwise a replay attack is assumed. The trap receiver will adjust its time notion for the engine ID of the sender whenever it receives a trap.
The communication fails if the times differ too much. In your case, that was exactly what happened.
Another important value is the snmpEngineBoots. It is increased by one whenever an engine has rebooted and the time was reset. When your sender does not increase that value after the reboot, then communication will fail too.

So now I have to implement updating the msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime to be compatible with the sender.

  • Should I first send an empty GET message to read these values, or maybe there is another way?
  • How do I update these values later?
  • What is the cause that in my test with snmptrap, about 10 minutes after the receiver started, traps are not received and I must reboot my trap receiver (the terminal sender and the Java receiver have the same msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime values)?
  • By the way, I'd like to ask whether it is possible in snmp4j to turn off authentication on the trap receiver for authPriv traps (the same as disabling authorization in snmptrapd)?
  1. Sending any GET type message will not help, because the trap receiver is not authoritative (see RFC 3414).
  2. You can calculate the right values to be used as snmptrap parameters manually - which is not fun at all obviously. Maybe NETSNMP has some options to do that? If not, you can only increase the snmpEngineBoots value by 1 each time you send a trap (not the best security but ok). Knowing these issues, why are you using NETSNMP snmptrap tool at all?
  3. The cause for the needed “restart” is snmpEngineBoots and/or snmpEngineTime mismatch in sender and receiver that you caused by using snmptrap with inconsistent values for these parameters.
  4. You cannot disable authentication for an authenticated notification in SNMP4J! That does not make any sense, really :wink:
  1. Sending any GET type message will not help, because the trap receiver is not authoritative (see RFC 3414).

Isn't it possible to send an SNMPv3 message with null engine ID, boots and time values? Then I would receive a REPORT packet back, which includes this missing information.

  1. You can calculate the right values to be used as snmptrap parameters manually - which is not fun at all obviously. Maybe NETSNMP has some options to do that? If not, you can only increase the snmpEngineBoots value by 1 each time you send a trap (not the best security but ok). Knowing these issues, why are you using NETSNMP snmptrap tool at all?

I'm using NETSNMP only to simulate my device.
Increasing the snmpEngineBoots might be good, but how do I synchronize the snmpEngineTime?

If you increase snmpEngineBoot by 1 for each trap, then you can/should set snmpEngineTime to 0 always.
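To make the timing rule concrete (the 150-second window and the receiver's adjusting notion described a few posts up, and the boots-bump approach in the post just above), here is an added model in Python. It is not snmp4j's or Net-SNMP's code; the engine ID, the receiver clock and the trap sequences are constructed, and the notion is seeded with the 7-digit value from this thread.

```python
# Added model (not snmp4j's or Net-SNMP's code) of the timeliness check a
# non-authoritative trap receiver applies to msgAuthoritativeEngineBoots/Time
# (RFC 3414 section 3.2). All engine IDs, clocks and values are constructed.
from dataclasses import dataclass

TIME_WINDOW = 150  # seconds of allowed divergence (RFC 3414)

@dataclass
class EngineNotion:  # receiver's notion of one remote (authoritative) engine
    boots: int
    time: int        # engineTime learned at the last sync
    synced_at: int   # receiver's local clock (s) at that sync

    def expected_time(self, local_now: int) -> int:
        return self.time + (local_now - self.synced_at)  # notion keeps running

class ReceiverTimeTable:
    def __init__(self) -> None:
        self.notions: dict[bytes, EngineNotion] = {}

    def learn(self, engine_id: bytes, boots: int, time: int, local_now: int) -> None:
        self.notions[engine_id] = EngineNotion(boots, time, local_now)

    def check(self, engine_id: bytes, msg_boots: int, msg_time: int, local_now: int) -> str:
        """Return 'ok' or the usmStats counter the message would bump."""
        notion = self.notions.get(engine_id)
        if notion is None:
            return "usmStatsUnknownEngineIDs"
        expected = notion.expected_time(local_now)
        if msg_boots < notion.boots:
            return "usmStatsNotInTimeWindows"  # older boot epoch: treated as replay
        if msg_boots == notion.boots and abs(msg_time - expected) > TIME_WINDOW:
            return "usmStatsNotInTimeWindows"  # clocks diverged by more than 150 s
        if msg_boots > notion.boots or msg_time > expected:  # adopt newer values
            self.notions[engine_id] = EngineNotion(msg_boots, msg_time, local_now)
        return "ok"

def scenario(traps: list[tuple[int, int, int]]) -> list[str]:
    """Feed (local_now, boots, time) triples from a constructed sender to a
    receiver whose notion was seeded at local time 0 from boots=1, time=1025486."""
    tt, eid = ReceiverTimeTable(), b"\x80\x00\x13\x70\x01\x7f\x00\x00\x01"
    tt.learn(eid, 1, 1025486, 0)
    return [tt.check(eid, b, t, now) for now, b, t in traps]

# Fixed snmptrap values: fine at first, rejected once the notion ran >150 s ahead.
STATIC_SENDER = scenario([(60, 1, 1025486), (200, 1, 1025486)])
# Boots bumped per trap with time 0: ok while boots grows; repeat/older boots fail.
BOOTS_BUMP_SENDER = scenario([(200, 2, 0), (300, 3, 0), (600, 3, 0), (700, 2, 0)])
# A device whose engine clock runs alongside the receiver's stays in the window.
LIVE_SENDER = scenario([(200, 1, 1025686), (900, 1, 1026400)])
```

The STATIC_SENDER run is the "works, then stops after some minutes" symptom from this thread: the frozen time is accepted until the receiver's running notion drifts past the window.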

No, that works only for REQUEST SNMPv3 messages. Please read RFC 3414 about authoritative engine for the different SNMPv3 messages.

I have noticed in Wireshark that after starting my Java trap receiver, there is a GET message sent which has no engine ID, and engineBoots and engineTime are equal to zero. Then the report message with the missing parameters is received.
I would like to ask whether snmp4j updates these parameters from the report automatically?

I would like to add that this report message contains the "1.3.6.1.6.3.15.1.1.4.0" OID.

The report OID means: usmStatsUnknownEngineIDs.
That engine ID discovery message does not make sense. Where does it originate from? That message discovers the engine ID of the trap receiver, but the trap sender must send its own engine ID. Therefore the discovery is useless (for being able to send SNMPv3 traps/notifications).

I have adjusted the engineBoots and engineTime parameters on the device and now the Java trap receiver works properly.
Thanks very much for your help.

Best regards,
Michael


Hi,
I have one more question: is it possible to turn off the engineTime counter on the snmp4j trap receiver automatically?
I can also do it manually by resetting the counter i.e. every 2 minutes.

Best regards,
Michael

Hi Michael,
You cannot configure SNMP4J to not check the engineTime, but you can implement and use your own USM that does not check the engineTime.
Best regards,
Frank

So if I want to do this, do I have to create my own USM object, and is there no parameter for the USM which turns off engineTime checking?

Best regards,
Michael