How to use EEM to telnet to another device and run commands there

jszumili
Cisco Employee

Hi. I am trying to set up EEM on SW1 to telnet to SW2 and run some commands there. Is it possible? It seems my EEM script dies after the telnet command.

EEM cli debug partial output:

*Jul 24 12:47:19.775: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : CTL : cli_open called.
*Jul 24 12:47:19.775: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : VSS-cluster>
*Jul 24 12:47:19.775: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : VSS-cluster>enable
*Jul 24 12:47:19.787: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : VSS-cluster#
*Jul 24 12:47:19.787: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : VSS-cluster#telnet 10.10.123.2
*Jul 24 12:47:39.815: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : CTL : cli_close called.

 

And this is how I tried to configure it on SW1:

int L10
 ip add 10.10.10.10 255.255.255.255
!
track 10 ip sla 10 reachability
!
ip sla 10
 icmp-echo 10.10.10.10
 timeout 500
 threshold 500
 frequency 1
ip sla schedule 10 life forever start-time now
!
event manager applet TEST_L10
event track 10 state down
 action 1.1 syslog msg "*** Ping was unsuccessful, SF is DOWN! ***"
 action 1.2 cli command "enable"
 action 1.3 cli command "telnet 10.10.123.2"
 action 1.4 cli command "cisco"
 action 1.5 cli command "enable"
 action 1.6 cli command "cisco"
 action 1.7 cli command "conf t"
 action 1.8 cli command "int L11"
 action 1.9 cli command "ip add 11.11.11.11 255.255.255.255"

 

So if I shut down loopback10 on SW1 EEM is supposed to telnet to SW2 (10.10.123.2) and create a loopback11 on SW2. Maybe the script itself should be done differently?

 

Thank you.

Accepted Solutions

Vinit Jain
Cisco Employee

 You need to keep using the pattern keyword until you're done interacting with the remote device.  

action 1.4 cli command "cisco" pattern ">"

action 1.5 cli command "enable" pattern "Password:"

action 1.6 cli command "cisco" pattern "#"

 

Hope this helps

Vinit

Thanks
--Vinit
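
The rule in the accepted answer (keep using pattern until the remote interaction is finished) can be checked mechanically. The Python below is an added example, not part of the thread or of any Cisco tool: it audits the cli command actions of the two applets posted here. The list of session-opening commands and the finding names are assumptions made for the example.

```python
import re

# Applet actions copied from the thread: the first attempt, then the fix.
ORIGINAL = '''
 action 1.2 cli command "enable"
 action 1.3 cli command "telnet 10.10.123.2"
 action 1.4 cli command "cisco"
 action 1.5 cli command "enable"
 action 1.6 cli command "cisco"
 action 1.7 cli command "conf t"
 action 1.8 cli command "int L11"
 action 1.9 cli command "ip add 11.11.11.11 255.255.255.255"
'''
AMENDED = '''
 action 1.2 cli command "enable"
 action 1.3 cli command "telnet 10.10.123.2" pattern "Password:"
 action 1.4 cli command "cisco" pattern ">"
 action 1.5 cli command "enable" pattern "Password:"
 action 1.6 cli command "cisco" pattern "#"
 action 1.7 cli command "conf t" pattern "#"
 action 1.8 cli command "int L11" pattern "#"
 action 1.9 cli command "ip add 11.11.11.11 255.255.255.255" pattern "#"
'''
# Assumption: commands that hand the session to another device's prompt.
REMOTE = re.compile(r'^(telnet|ssh|session)\b')
ACTION = re.compile(
    r'^\s*action\s+(\S+)\s+cli command\s+"([^"]*)"(?:\s+pattern\s+"([^"]*)")?')

def audit_applet(config):
    """Return (action label, finding) pairs for an applet's cli actions."""
    findings, in_remote, prev_pattern = [], False, None
    for line in config.splitlines():
        m = ACTION.match(line)
        if not m:
            continue
        label, command, pattern = m.groups()
        in_remote = in_remote or bool(REMOTE.match(command))
        # Once the session is remote, every action needs its own pattern.
        if in_remote and pattern is None:
            findings.append((label, "no-pattern"))
        # Text sent right after waiting for a password prompt is a
        # credential stored in clear text in the applet.
        if prev_pattern and "password" in prev_pattern.lower():
            findings.append((label, "credential-in-config"))
        prev_pattern = pattern
    return findings

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("amended", AMENDED)):
        print(name, audit_applet(cfg))
```

On the original applet every action from 1.3 onward is reported as no-pattern; on the amended one only the two password sends at 1.4 and 1.6 remain, as credential-in-config.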


Hi Vinit. Thanks a lot :)

The script was amended as follows:

event manager applet TEST_L10
event track 10 state down
 action 1.1 syslog msg "*** Ping was unsuccessful, SF is DOWN! ***"
 action 1.2 cli command "enable"
 action 1.3 cli command "telnet 10.10.123.2" pattern "Password:"
 action 1.4 cli command "cisco" pattern ">"
 action 1.5 cli command "enable" pattern "Password:"
 action 1.6 cli command "cisco" pattern "#"
 action 1.7 cli command "conf t" pattern "#"
 action 1.8 cli command "int L11" pattern "#"
 action 1.9 cli command "ip add 11.11.11.11 255.255.255.255" pattern "#"

And it worked. After shutting down loopback10 on SW1 a loopback11 was automatically created on SW2 and EEM debugs show the same.

 

I still have another issue. On the actual device I want to make changes on (FWSM), the enable password is blank. I am able to log in but I am not able to go to exec mode. I tried "/n", "y" and "/r" as control return but none seem to be working; the debug stops when I try to send Enter. Also, "" does not seem to be supported by the EEM script. Here is what I've been trying:

no event manager applet TEST_L10
event manager applet TEST_L10
event track 10 state down
 action 1.1 syslog msg "*** Ping was unsuccessful, SF is DOWN! ***"
 action 1.2 cli command "enable"
 action 1.3 cli command "session switch 2 slot 3 proc 1" pattern "Password:"
 action 1.4 cli command "cisco" pattern ">"
 action 1.5 cli command "enable" pattern "Password:"
 action 1.6 cli command "/n" pattern "#"
 action 1.7 cli command "failover active" pattern "#"

 

Debug:

*Jul 24 14:13:18.003: %TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
*Jul 24 14:13:18.003: %HA_EM-6-LOG: TEST_L10: *** Ping was unsuccessful, SF is DOWN! ***
*Jul 24 14:13:18.007: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : CTL : cli_open called.
*Jul 24 14:13:18.007: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : VSS-cluster>
*Jul 24 14:13:18.007: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : VSS-cluster>enable
*Jul 24 14:13:18.019: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : VSS-cluster#
*Jul 24 14:13:18.019: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : VSS-cluster#session switch 2 slot 3 proc 1
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : The default escape character is Ctrl-^, then               x.
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : You can also type 'exit' at the remote promp              t to end the session
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : Trying 127.0.1.31 ... Open
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT :
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT :
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : User Access Verification
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT :
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : Password:
*Jul 24 14:13:18.031: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : cisco
*Jul 24 14:13:18.243: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : Type help or '?' for a list of available com              mands.
FWSM> 4 14:13:18.243: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT :
*Jul 24 14:13:18.243: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : enable
*Jul 24 14:13:18.455: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : enable
*Jul 24 14:13:18.455: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : OUT : Password:
*Jul 24 14:13:18.455: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : IN  : /n
VSS-cluster(config-if)#
*Jul 24 14:13:38.067: %HA_EM-6-LOG: TEST_L10 : DEBUG(cli_lib) : : CTL : cli_close called.

 

Thank you.

Joanna

Can you try using \n instead of /n?

Thanks
--Vinit

I just tried, but it did not work. The debug is similar and no changes were made on the FWSM. I wonder if it would be different because it is FWSM?

Thank you.

Are we sure that when we enter the password for FWSM, the prompt is # instead of >?

Could you please verify the same? Also, did you try to leave the command as "" blank?

 

Thanks
--Vinit

Yes, it should be fine. It is for the enable password - sorry, maybe I was not clear. I tried to test the script and configured an enable password in the firewall, and the script works:

no event manager applet TEST_L10
event manager applet TEST_L10
event track 10 state down
 action 1.1 syslog msg "*** Ping was unsuccessful, SF is DOWN! ***"
 action 1.2 cli command "enable"
 action 1.3 cli command "session switch 2 slot 3 proc 1" pattern "Password:"
 action 1.4 cli command "cisco" pattern ">"
 action 1.5 cli command "enable" pattern "Password:"
 action 1.6 cli command "cisco" pattern "#"
 action 1.7 cli command "failover active" pattern "#"

 

The script itself seems to be correct, I just can't get the blank enable password working.

 

As for "", EEM on the switch does not seem to support it:

VSS-cluster(config-applet)# action 1.6 cli command "" pattern "#"
                                                    ^
% Invalid input detected at '^' marker.

VSS-cluster(config-applet)#action 1.6 cli command ""?
% Unrecognized command
VSS-cluster(config-applet)#action 1.6 cli command "" ?
% Unrecognized command

 

I think the best workaround is to set an enable password for the FWSM.

Thanks
--Vinit

Yeah, that worked. We will see if it is possible to change it on the device we want to set it up on. Thank you for all your help.