2781 Views | 5 Helpful | 25 Replies

EEM With TCL Script

s-pirrello
Level 1

Hi,

When I have AAA enabled for authentication pointing to my ACS server for domain authentication, the EEM with TCL scripts will not perform. If I configure my routers to utilize local authentication, the scripts successfully execute the commands. Any ideas?

2 Accepted Solutions

I think I see the problem. It IS with EEM. The bug is CSCsz70112. It has to do with the way the prompt handling code works in EEM when AAA is used. Unfortunately, this will not be fixed in 12.4 mainline. If you upgrade to 12.4(22)T or higher, your script will work.


Yes. In general, all bug fixes from the previous T train roll into the next mainline.


25 Replies

Joe Clarke
Cisco Employee

Make sure you have the following command configured:

event manager session cli username USER

Where USER is a username which has access to execute the CLI commands within your EEM policy (e.g. YOUR username).

Jclarke, any chance you could provide a config example on this?

I've tried the exact same thing, but it still doesn't work.

Router is set up for TACACS auth, and the USER is a local router user with priv 15.

Thx

The command is quite simple. If I have a user, jclarke, who is authorized to run all of the CLI commands I need to have run in my EEM policy, I would configure:

event manager session cli username jclarke

Then, every time the policy ran, it would send the username jclarke to the AAA server when requesting command authorization.

Thanks jclarke, I ran into the same problem. I will set up an 'AD service account' for this.

Sorry for the late response, I guess my anti-spam server blocked the reply. I will try this and I thank you again for the help.

PS

I took your IOS Instrumentation class today at Networkers and was very impressed by how in-depth you went into covering TCL and EEM. Thanks and I hope I'm able to come back next year.

Hi Joe,

Looks like I'm still having the same problem. I've attached a copy of my debug, can you take a look and see how I can fix this?

It's taking too long to authorize the user. You need to increase the maxrun for this policy. Add the following to the end of your event registration line:

maxrun 90

That should be sufficient.

Looks like the issue is still occurring. Check out the new attached debug.

It doesn't look like the maxrun change was made properly. When you made the change, did you re-register your policy?

If you're at Networkers, come by the Technical Solutions Clinic, and I can look at this in realtime.

I fixed my issue by adding the username as a local user with priv 15 on the router.

But please update this post as you come up with further findings :)

Joe,

Here's a copy of my event register within my TCL script:

::cisco::eem::event_register_syslog occurs 1 pattern .*BGP-5-ADJCHANGE.*Down.* maxrun 90 queue_priority low nice 1 maxrun 90

Does this look correct?

Update:

I've added my event user to the router with privilege 15 but still no log. One thing I've noticed in the Administration logs of my ACS is that the user account is entering "configure terminal" when the script launches, but I don't see anything else show up in the logs.

"07/06/2009 13:11:42 netaccount Network Admin configure terminal 15 shell tty323 2324 xxxxx .."

Here are the latest errors I'm seeing.

011158: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Error reading from vty error from operating system

011141: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit

011142: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit

011143: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: error reading the channel: Error reading from vty error from operating system

Right, and you wouldn't because after "config t" is sent, the script times out. The event registration line is correct, but you're most likely not reregistering the policy. Simply making the change is not enough. You need to then unregister the policy, then reregister it:

config t

no event manager policy POLICY

event manager policy POLICY

Only then will changes take effect.
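Pulling the advice in this thread together (the "event manager session cli username" command, a maxrun long enough for the AAA round trip, and re-registering after every edit), here is an added example of a complete EEM Tcl policy. It is not Joe's code or the original poster's script; the policy file name bgp-adjchange-check.tcl, the username placeholder EEM_USER and the "show ip bgp summary" command are assumptions. Per the accepted solution it also assumes 12.4(22)T or later, since on 12.4 mainline with AAA the prompt handling bug CSCsz70112 will break it regardless.

```tcl
# Added example, not from the thread. Minimal EEM Tcl policy that reacts to a
# BGP neighbor going down, runs one show command through the CLI library and
# logs a summary. Assumed router configuration (EEM_USER and the file name are
# placeholders):
#   event manager directory user policy flash:/policies
#   event manager session cli username EEM_USER
#   event manager policy bgp-adjchange-check.tcl
# After editing this file, re-register it ("no event manager policy ..." then
# "event manager policy ..."); otherwise the old copy keeps running.

# maxrun 90 gives the AAA server time to authorize each command; the default
# of 20 seconds is what the timeouts earlier in this thread ran into.
::cisco::eem::event_register_syslog occurs 1 pattern ".*BGP-5-ADJCHANGE.*Down.*" maxrun 90 queue_priority low nice 1

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Pull the triggering syslog line out of the event info.
array set arr_einfo [event_reqinfo]
set trigger_msg $arr_einfo(msg)

# Open a vty session. Under AAA this is where EEM_USER is sent to the AAA
# server for command authorization, and where a slow round trip eats maxrun.
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}

# Every cli_exec is authorized separately, so keep the command list short and
# read-only; nothing here enters configuration mode.
if [catch {cli_exec $cli1(fd) "enable"} result] {
    error $result $errorInfo
}
if [catch {cli_exec $cli1(fd) "show ip bgp summary"} result] {
    error $result $errorInfo
}
set bgp_summary $result

# Release the vty before doing anything else so it is freed even if the
# policy later runs out of maxrun.
catch {cli_close $cli1(fd) $cli1(tty_id)} result

# Log only the size of what was collected, not the BGP table itself.
action_syslog priority info msg "BGP neighbor event handled; collected [string length $bgp_summary] bytes of summary for: $trigger_msg"
```

To confirm the registration actually took, check "show event manager policy registered" after re-registering; the maxrun value shown there should be 90, not the default 20.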

Forgot to mention that I did re-register it with the procedure you're showing:

config t

no event manager policy POLICY

event manager policy POLICY

Still no dice.

Then post the latest debug log. The last log still showed the policy timing out after 20 seconds.

Also, post the output of "show event manager policy registered".
