EEM With TCL Script

Answered Question
Apr 13th, 2009

Hi,

When I have AAA enabled for authentication pointing to my ACS server for domain authentication, the EEM with TCL scripts will not perform. If I configure my routers to utilize local authentication, the scripts successfully execute the commands. Any ideas?

Joe Clarke Mon, 04/13/2009 - 18:50

Make sure you have the following command configured:

event manager session cli username USER

Where USER is a username which has access to execute the CLI commands within your EEM policy (e.g. YOUR username).

kelvindam Fri, 05/01/2009 - 00:55

Jclarke, any chance you could provide a config example on this?

I've tried the exact same thing, but it still doesn't work.

Router is set up for TACACS auth, and the USER is a local router user, with priv 15.

Thx

Joe Clarke Fri, 05/01/2009 - 08:02

The command is quite simple. If I have a user, jclarke, who is authorized to run all of the CLI commands I need to have run in my EEM policy, I would configure:

event manager session cli username jclarke

Then, every time the policy ran, it would send the username jclarke to the AAA server when requesting command authorization.

charlie-hall Mon, 06/15/2009 - 05:04

Thanks jclarke, I ran into the same problem. I will set up an 'AD service account' for this.

s-pirrello Thu, 07/02/2009 - 10:30

Sorry for the late response, I guess my anti-spam server blocked the reply. I will try this and I thank you again for the help.

PS

I took your IOS Instrumentation class today at Networkers and was very impressed on how in-depth you went into covering TCL and EEM. Thanks and I hope I'm able to come back next year.

s-pirrello Thu, 07/02/2009 - 10:44

Hi Joe,

Looks like I'm still having the same problem. I've attached a copy of my debug, can you take a look and see how I can fix this?

Joe Clarke Thu, 07/02/2009 - 10:56

It's taking too long to authorize the user. You need to increase the maxrun for this policy. Add the following to the end of your event registration line:

maxrun 90

That should be sufficient.

Joe Clarke Thu, 07/02/2009 - 12:08

It doesn't look like the maxrun change was made properly. When you made the change, did you re-register your policy?

If you're at Networkers, come by the Technical Solutions Clinic, and I can look at this in realtime.

kelvindam Thu, 07/02/2009 - 13:35

I fixed my issue by adding the username as a local user, with priv 15 on the router.

But please update this post as you come up with further findings :)

s-pirrello Mon, 07/06/2009 - 09:19

Joe,

Here's a copy of my event register within my TCL script:

::cisco::eem::event_register_syslog occurs 1 pattern .*BGP-5-ADJCHANGE.*Down.* maxrun 90 queue_priority low nice 1 maxrun 90

Does this look correct?

Update:

I've added my event user to the router with privilege 15 but still no log. One thing I've noticed on the Administration logs of my ACS I am seeing that the user account is entering "configure terminal" when the script launches but I don't see anything else show up in the logs.

"07/06/2009 13:11:42 netaccount Network Admin configure terminal 15 shell tty323 2324 xxxxx .."

Here are the latest errors I'm seeing.

011158: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Error reading from vty error from operating system

011141: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit

011142: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit

011143: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: error reading the channel: Error reading from vty error from operating system

Joe Clarke Mon, 07/06/2009 - 09:22

Right, and you wouldn't because after "config t" is sent, the script times out. The event registration line is correct, but you're most likely not reregistering the policy. Simply making the change is not enough. You need to then unregister the policy, then reregister it:

config t
no event manager policy POLICY
event manager policy POLICY

Only then will changes take effect.
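Pulling the thread's pieces together (the syslog registration with maxrun 90, the CLI session that is authorized as the configured session username, and the re-registration step), here is a minimal policy skeleton added for this page; it is not code from the thread or from Cisco. The file name bgp-down.tcl, the username eemuser and the policy directory path are assumptions.

```tcl
# bgp-down.tcl (assumed file name) -- minimal EEM Tcl policy for this thread.
# Required IOS config (from the thread):
#   event manager session cli username eemuser      ; user allowed to run the CLI below
#   event manager directory user policy flash:/eem  ; assumed path
#   event manager policy bgp-down.tcl
# After editing this file, re-register it or the change is ignored:
#   no event manager policy bgp-down.tcl
#   event manager policy bgp-down.tcl
#
# maxrun 90 leaves time for each CLI command to be authorized by the AAA server;
# with the default 20 seconds the policy dies with "Process Forced Exit".
::cisco::eem::event_register_syslog occurs 1 \
    pattern ".*BGP-5-ADJCHANGE.*Down.*" \
    maxrun 90 queue_priority low nice 1

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Fetch the triggering syslog message.
array set arr_einfo [event_reqinfo]
if {$_cerrno != 0} {
    set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
        $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
    error $result
}
set trigger_msg $arr_einfo(msg)

# Open a VTY for the policy. Each cli_exec below is sent to AAA for command
# authorization as the session username, so a slow or denying AAA server
# surfaces here as "error reading the channel".
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result

set commands [list "enable" "show ip bgp summary" "show ip bgp neighbors"]
set output ""
foreach cmd $commands {
    if {[catch {cli_exec $cli1(fd) $cmd} result]} {
        # Close the VTY before failing so the line is not left hung.
        catch {cli_close $cli1(fd) $cli1(tty_id)}
        error "\"$cmd\" failed: $result" $errorInfo
    }
    append output "\n--- $cmd ---\n$result"
}
cli_close $cli1(fd) $cli1(tty_id)

# Record what was collected; replace with the email or other action of choice.
action_syslog priority info msg "BGP down trigger: $trigger_msg"
```

If the ACS administration log shows only "configure terminal" (or only "enable") and then the %HA_EM-6-LOG "Process Forced Exit" message, the first authorization round trip is exceeding the policy's maxrun, which is the symptom the thread traces.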

s-pirrello Mon, 07/06/2009 - 09:24

Forgot to mention that I did re-register it with the procedure you're showing:

config t
no event manager policy POLICY
event manager policy POLICY

Still no dice.

Joe Clarke Mon, 07/06/2009 - 09:27

Then post the latest debug log. The last log still showed the policy timing out after 20 seconds.

Also, post the output of "show event manager policy registered".

s-pirrello Mon, 07/06/2009 - 09:49

I've attached the debug in a text file.

Here's the output you requested.

RTR-LAB-2811-1#show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 script user syslog Off Mon Jul 6 13:24:02 2009 sendmail-bgp-mpls-enterprise-test.tcl
 occurs 1 pattern {.*BGP-5-ADJCHANGE.*Down.*}
 nice 1 queue-priority low maxrun 90.000

Joe Clarke Mon, 07/06/2009 - 10:00

The debug doesn't run long enough, but it really looks like the problem is with AAA and not EEM. Try configuring local AAA authorization, and see if the policy works:

aaa authorization exec default local none

Of course, you'll need a local username definition.

s-pirrello Mon, 07/06/2009 - 10:05

That's the issue I'm experiencing. If I use local authentication, it works fine. If I point AAA to speak to ACS for domain authentication, it won't work.

Joe Clarke Mon, 07/06/2009 - 10:08

Post the show run and show ver from this router. There may be an AAA bug.

s-pirrello Mon, 07/06/2009 - 10:24

Here's my show ver:

RTR-LAB-2811-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(19), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 29-Feb-08 20:07 by prod_rel_team

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

RTR-LAB-2811-1 uptime is 13 weeks, 1 hour, 1 minute
System returned to ROM by Reload Command
System restarted at 13:18:56 EDT Mon Apr 6 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-19.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FCZ10077054
11 FastEthernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

The file attached is the "sh run".

Correct Answer
Joe Clarke Mon, 07/06/2009 - 10:33

I think I see the problem. It IS with EEM. The bug is CSCsz70112. It has to do with the way the prompt handling code works in EEM when AAA is used. Unfortunately, this will not be fixed in 12.4 mainline. If you upgrade to 12.4(22)T or higher, your script will work.

s-pirrello Mon, 07/06/2009 - 10:34

Thanks for the update Joe. I will upgrade now and will let you know if this does the trick.

s-pirrello Thu, 07/09/2009 - 03:39

That did the trick. Do you know if the bug will be resolved in 12.15?

Correct Answer
Joe Clarke Thu, 07/09/2009 - 06:33

Yes. In general, all bug fixes from the previous T train roll into the next mainline.
