Message processing model 3 returned error: Unknown security name

Question

I'm getting Message processing model 3 returned error: Unknown security name error while running get/getNext command for single device. I'm hitting the device every 2 seconds. In order to have better performance, if I want get the different tables. I create thread and access each thread parallely from my application. When I access the device in single threaded mode all request works fine. However when I run it in multi-thread mode I get above error intermittently(2 fails in 10 request). Here is the stack trace.

2014-06-11 11:26:10,371 [http-8080-6] INFO  com.kp.SnmpV3Connection - User Target: Security level is: 3Security Name is: user7
2014-06-11 11:26:10,371 [http-8080-3] INFO  com.kp.SnmpV3Connection - User Target: Security level is: 3Security Name is: user7
2014-06-11 11:26:10,373 [http-8080-6] DEBUG org.snmp4j.security.UsmUserTable - Adding user user7 = UsmUser[secName=user7,authProtocol=1.3.6.1.6.3.10.1.1.3,authPassphrase=kp-pass,privProtocol=1.3.6.1.6.3.10.1.2.4,privPassphrase=kp-pass,localizationEngineID=null]
2014-06-11 11:26:10,373 [http-8080-6] DEBUG org.snmp4j.security.UsmUserTable - Adding user user7 = UsmUser[secName=user7,authProtocol=1.3.6.1.6.3.10.1.1.3,authPassphrase=kp-pass,privProtocol=1.3.6.1.6.3.10.1.2.4,privPassphrase=kp-pass,localizationEngineID=null]
2014-06-11 11:26:10,374 [http-8080-6] DEBUG org.snmp4j.security.USM - Security name not found for engineID=, securityName=75:73:65:72:37
2014-06-11 11:26:10,374 [http-8080-6] DEBUG org.snmp4j.security.USM - Security name not found for engineID=, securityName=75:73:65:72:37
2014-06-11 11:26:10,376 [http-8080-6] ERROR org.snmp4j.util.TableUtils - org.snmp4j.MessageException: Message processing model 3 returned error: Unknown security name
2014-06-11 11:26:10,376 [http-8080-6] ERROR org.snmp4j.util.TableUtils - org.snmp4j.MessageException: Message processing model 3 returned error: Unknown security name

As per the link given here I'm using the below security model:

USM usm = new USM(SecurityProtocols.getInstance(), new OctetString(
                    MPv3.createLocalEngineID()), 0);
SecurityModels.getInstance().addSecurityModel(usm);

The other option noAuthNopriv is not an option for me, I need to run it in authpriv. Could someone point me to the right direction.

I believe its the problem with some snmp session or engineId.

********************** EDIT **********************

After weeks of investigation I finally found that The way I was creating USM object

USM usm = new USM(SecurityProtocols.getInstance(), new OctetString(MPv3.createLocalEngineID()), 0);

I was creating this object for every request and adding into securitymodel resulting in recreation of UserTable and usertime table. I Fixed the issue by Making USM a singleton and there by preventing the USM table re-creation. However I ended-up with new issue, Now I'm getting error

2014-06-24 07:11:19,671 [DefaultUDPTransportMapping_10.110.113.75/0] DEBUG org.snmp4j.mp.MPv3 - SNMPv3 header decoded: msgId=1263968764, msgMaxSize=65535, msgFlags=03, secModel=3
2014-06-24 07:11:19,671 [DefaultUDPTransportMapping_10.110.113.75/0] DEBUG org.snmp4j.security.USM - getUser(engineID=80:00:05:49:04:4d:49:4d:49:43, securityName=user10)
2014-06-24 07:11:19,671 [DefaultUDPTransportMapping_10.110.113.75/0] DEBUG org.snmp4j.security.UsmTimeTable - CheckTime: received message outside time window (non authoritative)
2014-06-24 07:11:19,671 [DefaultUDPTransportMapping_10.110.113.75/0] DEBUG org.snmp4j.security.USM - RFC3414 ?3.2.7.a Not in time window; engineID='80:00:05:49:04:4d:49:4d:49:43', engineBoots=5, engineTime=58766
2014-06-24 07:11:19,671 [DefaultUDPTransportMapping_10.110.113.75/0] WARN  org.snmp4j.MessageDispatcherImpl - statusInfo=1.3.6.1.6.3.15.1.1.2.0 = 0, status=1411

After somemore investigation I found that snmp4j is not updating enginetime both its own and device engine time in UserTimeTable.

---

In addition to this problem I've few more queries.

1. If I make USM a singleton USM table will be have its life per my application. How can clear this table(I may have tens of thousand device which may result eventually to out of memory). On what basis I can clear this users?

2. How can I make SNMP4J to explicitly ask for engineboots and enginetimes

3. How SNMP4J differentiates device if it has same user name and security name but different authphrase and privacy phrase and(possibly same engineId as will) Thanks in advance.

Answer 1

When I made USM a singleton and there by have single UsmUserTable, the security model issue was solved.

USM usm = USMFactory.getInstance();

And received message outside time window was the problem with device I had confiugred. All the device had same engineId. When I made engineId unique the issue was solved.

Answer 2

To augment the @Karthik Prasad's answer, I'd like to note that as of snmp4j v2.8.6 there is no USMFactory class. Therefore the solution may look like this:

public class SnmpDeviceProxy {    // one of your application classes
 
  public static final USM USM;
  static {
    // extract USM into a singleton to avoid multiple userTable instances creation that causes 'UnknownSecurityName'
    USM = new USM(SecurityProtocols.getInstance(), new OctetString(MPv3.createLocalEngineID()), 0);
    SecurityModels.getInstance().addSecurityModel(USM);
  }

---

The issue details

Before making the USM a singleton, each time when we call SecurityModels.getInstance().addSecurityModel(USM) we actually don't add a new model but rewrite the same one over and over again because the addSecurityModel does just this:

  public SecurityModels addSecurityModel(SecurityModel model) {
    securityModels.put(new Integer32(model.getID()), model);
    return this;
  }

, i.e. puts the model into a map with a key taken from model.getId() method that in turn takes its value from the constant:

  public int getID() {
    return SECURITY_MODEL_USM;
  }

declared as discouragingly as:

  public static final int SECURITY_MODEL_USM = 3;

In other words, no matter what USM instance we're trying to add, it will always be stored into the securityModels map with the key 3. And every time it's stored, we lose the previous state of the userTable because it is a child object (field) of each USM instance. As a result, if we call addSecurityModel immediately after creating a USM instance, we open a time period when userTable is empty or incomplete. If a thread queries the table during this period, it gets Unknown security name. But if we make the USM a singleton and store it only once, we can update the model map without losing the previous values.