Receive snmpv3 traps

Hello,

I am trying to configure a receiver which receives SNMPv3 traps from multiple sources. But a problem occurs when more than one source has the same username. How do I handle such a case?

Thanks

Hi,
Using a (globally) unique engine ID for each device (as required by SNMPv3) will solve this issue.
Best regards
Frank

Thanks for your response. I have one more query: I am trying to fetch the GET request as well as listen for traps from the same source, but when I add the user based on engineID in the USM, it is not able to receive the traps, but it is fetching the GET request values.
I am adding the user as follows:

    USM usm = new USM(SecurityProtocols.getInstance().addDefaultProtocols(),
            new OctetString(MPv3.createLocalEngineID()), 0);
    engineId = new OctetString(snmp.discoverAuthoritativeEngineID(Address, 3000));
    usm.addUser(new OctetString(userName), engineId,
            new UsmUser(new OctetString(userName),
                    authProtocol,
                    new OctetString(authPassphrase),
                    privProtocol,
                    new OctetString(privPassphrase)));

Please let me know if I am missing something or whether it is the correct way to add the user.

Thanks,
Rikshit

You need to specify the engine IDs in the USM according to the authoritative SNMP entity. For requests, that is the command receiver and for traps it is the trap/notification sender.
That means if you want to send requests to an agent and receive traps from that agent, you need only a single USM user entry with the engine ID of the agent.

If you still do not receive the notifications, as you wrote in your post above, then you most likely did not specify a PDU handler for the remote engine ID in your application.
You do not need to do that if you use the Snmp.addNotificationListener method to listen for traps.

Hello Frank,

As you mentioned, I tried with snmp.addNotificationListener() but again I was not able to receive the traps. I have noticed that if I simply add the user without the engineId then I receive the traps, but if I add it with the engineId then it is not receiving traps. Since the usernames are the same, I have to add them based on engineIds.

Code:-
    listenAddress = GenericAddress.parse(System.getProperty("snmp4j.listenAddress",
            "udp:ipAddress/162"));

    Snmp snmp = new Snmp(new MessageDispatcherImpl());

    USM usm = new USM(SecurityProtocols.getInstance().addDefaultProtocols(),
            new OctetString(MPv3.createLocalEngineID()), 0);
    usm.setEngineDiscoveryEnabled(true);
    SecurityModels.getInstance().addSecurityModel(usm);
    snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3(usm));
    engineId = new OctetString(snmp.discoverAuthoritativeEngineID(listenAddress, 5000));
    usm.addUser(new OctetString(userName), engineId,
            new UsmUser(new OctetString(userName),
                    authProtocol,
                    new OctetString(authPassphrase),
                    privProtocol,
                    new OctetString(privPassphrase)));

    snmp.addNotificationListener(listenAddress, this);
    snmp.listen();

I apologise in advance if I am missing something very basic.

Thanks,
Rikshit

There are two common error sources left to check:

  1. engineId must be different from MPv3.createLocalEngineID() and engineId must match the notification sender’s authoritative engine ID.
  2. engineBoots is set to 0. That might not match with the engine boots counter recorded for this receiver at the remote SNMPv3 entity.

Which of the above issues is actually occurring will be indicated by the DEBUG log.

Thank you Frank for pointing out the errors. If I used MPv3.createLocalEngineID() then debug logs showed: CheckTime: received message outside time window (non authoritative)
RFC3414 §3.2.7.a Not in time window;

And when I passed the engine ID of the agent then I was able to receive the traps.

But I have a few questions regarding the same:

  1. Do we need to know the engine ID beforehand to use that engine ID in the USM?
  2. Since there is more than one source agent, do I need to create a separate USM for each, because then we need to mention a separate engine ID in each?
  3. MPv3.createLocalEngineID() works in snmp4j-2.3.0 jar version but not in snmp4j-2.5.2 version. Why so?

Thanks once again.

You really need to get a better understanding of the SNMPv3 engine ID concept. Please consult RFC 3411 and 3414. As written many times in more than 20 years, almost all beginners' errors with SNMPv3 are caused by not using unique SNMP engine IDs for all communicating entities.

  1. You can discover engine IDs or know them a priori. Which way you go depends on your security and performance requirements.
  2. No, a single USM is enough. Just fix the engine ID to be unique.
  3. The createLocalEngineID changed because many people struggled with the random generation. You should anyway use your own standard-compatible way to create unique and stable engine IDs. See the above noted RFCs for details.

Thank you Frank for the support, and I will read about the engine ID for better understanding.
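
The setup the thread converges on (one USM, a fixed local engine ID, and one user entry per trap sender's engine ID), as an added example that is not part of the original posts or SNMP4J's own code. It is written against the SNMP4J 2.x calls used in the posts above; the class name, user name, passphrases, protocol choices (AuthSHA, PrivAES128) and all engine IDs are constructed assumptions.

```java
import org.snmp4j.*;
import org.snmp4j.mp.MPv3;
import org.snmp4j.security.*;
import org.snmp4j.smi.*;

public class MultiAgentTrapReceiver implements CommandResponder {

    // Constructed sample values. Engine IDs use the RFC 3411 layout with the
    // documentation enterprise number 32473 (RFC 5612) and text format (0x04).
    static final String LOCAL_ENGINE_ID = "80:00:7e:d9:04:72:65:63:76:2d:30:31"; // "recv-01"
    static final String[] AGENT_ENGINE_IDS = {
        "80:00:7e:d9:04:61:67:65:6e:74:2d:61",                                    // "agent-a"
        "80:00:7e:d9:04:61:67:65:6e:74:2d:62",                                    // "agent-b"
    };

    public static void main(String[] args) throws Exception {
        // One USM for the whole receiver. Its local engine ID is fixed and
        // differs from every agent's engine ID. engineBoots is 0 as in the
        // thread's code; persist and increment it across restarts if this
        // entity also acts as an authoritative engine.
        USM usm = new USM(SecurityProtocols.getInstance().addDefaultProtocols(),
                OctetString.fromHexString(LOCAL_ENGINE_ID), 0);
        SecurityModels.getInstance().addSecurityModel(usm);

        Snmp snmp = new Snmp(new MessageDispatcherImpl());
        snmp.getMessageDispatcher().addMessageProcessingModel(new MPv3(usm));

        // Same user name on every agent: one USM entry per authoritative
        // (trap sender) engine ID keeps the entries distinct.
        OctetString user = new OctetString("monitor");
        for (String agentEngineId : AGENT_ENGINE_IDS) {
            usm.addUser(user, OctetString.fromHexString(agentEngineId),
                    new UsmUser(user,
                            AuthSHA.ID, new OctetString("constructed-auth-pass"),
                            PrivAES128.ID, new OctetString("constructed-priv-pass")));
        }

        Address listenAddress = GenericAddress.parse(
                System.getProperty("snmp4j.listenAddress", "udp:0.0.0.0/162"));
        snmp.addNotificationListener(listenAddress, new MultiAgentTrapReceiver());
        snmp.listen();
        Thread.currentThread().join(); // keep the JVM alive while listening
    }

    @Override
    public void processPdu(CommandResponderEvent event) {
        System.out.println(event.getPeerAddress() + " user="
                + new OctetString(event.getSecurityName()) + " " + event.getPDU());
    }
}
```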