Backing Up Cisco IOS CA Router using EEM

Answered Question
Sep 21st, 2009

I have been using the EEM to backup a Cisco IOS CA routers critical files to an ftp server. However, I would like to also backup the .cnm files as well but as the numbers of the change constantly due to certificate renewal I can't name them all. Is it possible to use a wildcard (*.cnm) and loop the routine until it is done?

Correct Answer by Joe Clarke about 7 years 5 months ago

No. You need to pick a directory on flash in which EEM Tcl policies will be stored (e.g. flash:/policies). Then, copy this file to that directory. Then configure the following:


event manager directory user policy flash:/policies


event manager policy tm_ca_backup.tcl

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Joe Clarke Mon, 09/21/2009 - 06:55

Yes this is possible using glob. I wrote a simple little Tcl snippet to do this which I posted in this thread:


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dde3b88/0#selected_message


It should plug right into an EEM Tcl policy, but if you require more help adapting this to EEM, let me know.

JHaynes4 Mon, 09/21/2009 - 10:21

Thanks for the quick reply. I am no TCL guru by any stretch of the imagination. In looking at the thread you linked I see two TCL snippets:


set fileList [glob -directory flash: -nocomplain *]

foreach file $fileList {

copy flash:/$file usbflash1:/$file

}


**************************************************************


set fileList [glob -directory flash: -nocomplain *]

foreach file $fileList {

copy $file usbflash1:

}



I'm not sure which one I should use. My use of EEM is limited to the action cli commands so I'm not sure how I would plug this into EEM.

Joe Clarke Mon, 09/21/2009 - 10:33

You would use the second example as the $file variable will have the file system name in it. What does your current EEM backup policy look like?

JHaynes4 Mon, 09/21/2009 - 10:59

OK, thanks for the clarification. Here is what I use now:


event manager applet CA_Backup

event timer cron cron-entry "0 3 * * 0-6"

action 1.0 cli command "enable"

action 2.0 cli command "config t"

action 3.0 cli command "file prompt quiet"

action 4.0 cli command "end"

action 5.0 cli command "copy nvram:ST_3825_CA#1CA.cer ftp://10.111.1.127/"

action 5.1 cli command "copy flash:ST_3825_CA.ser ftp://10.111.1.127/"

action 5.2 cli command "copy flash:ST_3825_CA.crl ftp://10.111.1.127/"

action 5.3 cli command "copy flash:ST_3825_CA_00001.p12 ftp://10.111.1.127/"

action 5.4 cli command "copy flash:DMVPN-CA-Key.pub ftp://10.111.1.127/"

action 5.5 cli command "copy flash:DMVPN-CA-Key.prv ftp://10.111.1.127/"

action 5.6 cli command "copy nvram:startup-config ftp://10.111.1.127/"

action 6.0 cli command "config t"

action 7.0 cli command "no file prompt quiet"

action 8.0 cli command "end"


JHaynes4 Mon, 09/21/2009 - 11:26

Thanks, Joe I could have typed for a few years and never developed this. Forgive my ignorance but do I just paste this into the config?

Correct Answer
Joe Clarke Mon, 09/21/2009 - 11:30

No. You need to pick a directory on flash in which EEM Tcl policies will be stored (e.g. flash:/policies). Then, copy this file to that directory. Then configure the following:


event manager directory user policy flash:/policies


event manager policy tm_ca_backup.tcl

JHaynes4 Mon, 09/21/2009 - 11:34

You should write a book on TCL for Cisco. :-) Thanks for all your help. I will try implementing this today.

yjdabear Mon, 09/21/2009 - 12:03

Does/Can the latest LMS back up Tcl scripts, or is that feature on the road map? What is Cisco's recommended practice for backing up flash-based files such as this?

Joe Clarke Mon, 09/21/2009 - 12:05

No, LMS does not backup arbitrary flash files like it does with vlan.dat. There is discussion about some more EEM management in LMS for a future release.


In the EEM space, we recommend you keep local backups of all your policies, but this must be done manually, or by using another EEM policy to do it.

JHaynes4 Thu, 09/24/2009 - 09:56

Hi Joe,


The script you created worked great the first night but it has failed the last two nights in a row. When I go on the ftp server I can see that it fails at exactly the same file. The file is available and the permissions are OK so I am not sure what the issue might be. Can you help?


I've attached the error log.


Thanks...





Joe Clarke Thu, 09/24/2009 - 10:00

What do you see if you try to copy this file manually to the FTP server?

JHaynes4 Thu, 09/24/2009 - 10:03

Thanks for the quick reply Joe. I just ftp'd manually without issue:


ST_3825_CA#copy flash:C.cnm ftp://10.111.1.127/

Writing C.cnm !

115 bytes copied in 0.040 secs (2875 bytes/sec)

Joe Clarke Thu, 09/24/2009 - 10:06

Okay, then change the first line of the script, and add:


maxrun 600


Then unregister and re-register the policy, and it should work going forward.

JHaynes4 Thu, 09/24/2009 - 10:17

OK, I'm not sure where I am adding the "maxrun 600" to the script.


The first line is:


if [catch {cli_open} result] {

error $result $errorInfo

} else {

array set cli1 $result

}


Joe Clarke Thu, 09/24/2009 - 10:20

No, the first line is:


::cisco::eem::event_register_timer cron cron_entry "0 3 * * 0-6"


You add maxrun 600 to the end of that line.

JHaynes4 Thu, 09/24/2009 - 10:23

Whoops missed that up top. OK, I will do that. Thank you again.

JHaynes4 Fri, 09/25/2009 - 05:46

Just wanted to let you know that the backup still failed to finish completely however it progressed further down the list of files. So increasing the maxrun timer had a positive effect. Is this timer measured in milliseconds? Would it be OK to increase it further without impacting the router adversely?

Joe Clarke Fri, 09/25/2009 - 07:41

The timer is in seconds. Yes, you should continue to increase it until it can copy all of the files.

JHaynes4 Wed, 09/30/2009 - 06:26

Just to let you know the issue was with the FTP server. Once we had that squared away the copy went with no problems. The only wierd thing is it appears to run twice. It does the FTP copies and then

just reruns itself one more time. I can live with that but it is odd.

Joe Clarke Wed, 09/30/2009 - 06:53

That is a known bug, CSCsz12460. It is not yet fixed, and there is no workaround other than converting the cron timer to a watchdog timer.

Actions

This Discussion