SNMP Trap notification trigger issue

rodrigo.magno
Level 1

Hey all, I need some help with the TCL scripting. I've been deploying the TCL scripts to be triggered by an SNMP notification, but they are not working; on the routers I have it installed on, the TCL script doesn't kick off when it receives the trap.

Here is the script for receiving the trap:

::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.33333.2.0 oid_val "New NHC" op eq

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Details of the event that triggered the policy
array set arr_einfo [event_reqinfo]
set acl_ip {}

# Open a CLI session and enter privileged mode
if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if {$_cerrno != 0} {
    set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
    error $result
}

foreach snmp_item [array names arr_einfo 1_3_6_1_4_1_33333_3_0] {
    # Check whether the INBOUND ACL already contains the value from the trap
    if [catch {cli_exec $cli1(fd) "show access-list INBOUND | i $arr_einfo($snmp_item) "} _cli_result] {
        error $_cli_result $errorInfo
    }
    set acl_data $_cli_result
    foreach acl_line [split $acl_data "\n"] {
        # Use a separate match variable so the acl_ip list is not overwritten
        if [regexp {[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+} $acl_line match] {
            lappend acl_ip $match
        }
    }
    # No matching entry: insert a permit ahead of the final deny
    if { $acl_ip == {}} {
        if [catch {cli_exec $cli1(fd) "configure terminal"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "ip access-list extended INBOUND"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "no deny ip any any log"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "permit ip host $arr_einfo($snmp_item) any"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "deny ip any any log"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "end"} _cli_result] {
            error $_cli_result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "write memory"} _cli_result] {
            error $_cli_result $errorInfo
        }
        action_syslog priority warning msg "Host $arr_einfo($snmp_item) added to the INBOUND access-list"
    }
}

and the config on that router for SNMP:

 

snmp-server community ****** RO 23
snmp-server trap-source GigabitEthernet2
snmp-server manager

and the debug of it receiving the trap:

*Mar 3 12:33:33.736: SNMP: Packet received via UDP from 10.20.249.253 on Tunnel1
*Mar 3 12:33:33.736: SNMP: V2 Trap, reqid 3353, errstat 0, erridx 0
sysUpTime.0 = 287828652
snmpTrapOID.0 = enterprises.33333.1.0.1
enterprises.33333.2.0 = New NHC
enterprises.33333.3.0 = 60.199.50.34
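
The policy in the post above places the value it reads for 1.3.6.1.4.1.33333.3.0 directly into the show access-list and permit ip host commands. A strict format check that could run before those commands, as an added example that is not code from the thread; the helper name valid_ipv4_host and the sample values are assumptions, and the proc is plain Tcl that also runs under tclsh:

```tcl
# Added example (not from the thread): strict IPv4 host check for a value
# taken from a received trap, before it is placed into a CLI command.
# valid_ipv4_host is a hypothetical helper name, not an EEM library call.
proc valid_ipv4_host {value} {
    # \A and \Z anchor to the whole string, so trailing words, spaces or
    # newlines after the address make the match fail.
    set re {\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\Z}
    if {![regexp $re $value -> a b c d]} {
        return 0
    }
    set octets {}
    foreach text [list $a $b $c $d] {
        # scan %d reads the digits as decimal even with a leading zero.
        scan $text %d n
        if {$n > 255} {
            return 0
        }
        lappend octets $n
    }
    # Unspecified, loopback, multicast and reserved ranges are never a
    # single remote host that belongs in a permit entry.
    set first [lindex $octets 0]
    if {$first == 0 || $first == 127 || $first >= 224} {
        return 0
    }
    return 1
}

# Constructed sample values; the first is the address from the debug output.
foreach sample [list "60.199.50.34" "60.199.50.34 log" "256.1.1.1" "New NHC" "127.0.0.1" ""] {
    puts [format "%-20s -> %d" "\"$sample\"" [valid_ipv4_host $sample]]
}

# In the policy, inside the foreach over arr_einfo and before any cli_exec:
#   set host $arr_einfo($snmp_item)
#   if {![valid_ipv4_host $host]} {
#       action_syslog priority warning msg "Trap ignored: invalid host value"
#       continue
#   }
```

Only the first sample passes; every other value is rejected before it can become part of an ACL entry.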


Joe Clarke
Cisco Employee

There is a bug where EEM doesn't process v2 traps.  Make sure you send traps as v1 and it should trigger.

Thanks Joe for that, but still no luck :(

*Mar 9 11:43:47.156: SNMP: Packet received via UDP from 10.20.249.253 on Tunnel1
*Mar 9 11:43:47.156: SNMP: V1 Trap, ent enterprises.33333.1, addr 10.20.249.253, gentrap 6, spectrap 1
enterprises.33333.2.0 = New NHC
enterprises.33333.3.0 = 60.199.50.34

I also had "debug event manager all" on and nothing happened at all.

Try changing your 2.0 OID to be an integer and match on the integer value.

Hey Joe, tried that, no change:

Insights_Tech_DMVPN_RT2#
*Mar 10 15:29:02.659: SNMP: Packet received via UDP from 10.20.249.253 on Tunnel1
*Mar 10 15:29:02.659: SNMP: V1 Trap, ent enterprises.33333.1, addr 10.20.249.253, gentrap 6, spectrap 1
enterprises.33333.2.0 = 1234
enterprises.33333.3.0 = 60.199.50.34
Insights_Tech_DMVPN_RT2#

I assumed you also updated your EEM Tcl policy and reregistered it?

If so, try adding "direction incoming" to the event registration line so that incoming traps are processed.

Hi, also didn't work. Here's the data:

deb event manager all
All possible Embedded Event Manager debugging has been turned on
bigd-dmvpn-rt2#
*Apr 1 13:12:26.630: SNMP: Packet received via UDP from 10.20.249.253 on Tunnel1
*Apr 1 13:12:26.630: SNMP: V1 Trap, ent enterprises.33333.1, addr 10.20.249.253, gentrap 6, spectrap 1
enterprises.33333.2.0 = 1234
enterprises.33333.3.0 = 60.199.50.34

sh event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 script user snmp_notification Off Fri Apr 1 12:31:57 2016 receive_nhrp_trap.tcl
oid {1.3.6.1.4.1.33333.2.0} oid-val {1234} op eq direction incoming
nice 0 queue-priority normal maxrun 20.000 scheduler rp_primary Secu none

______________________

more bootflash:receive_nhrp_trap.tcl
::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.33333.2.0 oid_val 1234 op eq direction incoming

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]
set acl_ip {}

if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
error $_cli_result $errorInfo
}

if {$_cerrno !=0} {
set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
error $result
}

foreach snmp_item [array names arr_einfo 1_3_6_1_4_1_33333_3_0 ] {
if [catch {cli_exec $cli1(fd) "show access-list INBOUND | i $arr_einfo($snmp_item) "} _cli_result] {
error $_cli_result $errorInfo
}
set acl_data $_cli_result
foreach acl_line [split $acl_data "\n"] {
if [regexp {[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+} $acl_line acl_ip] {
lappend acl_ip $acl_ip }
}
if { $acl_ip == {}} {

I was finally able to test this locally, and it works for me.  I registered this policy on a 1941 running 15.5(2)T1:

::cisco::eem::event_register_snmp_notification oid 1.3.6.1.4.1.33333.2.0 oid_val 1234 op eq direction incoming

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

array set arr_einfo [event_reqinfo]
set acl_ip {}

if [catch {cli_open} result] {
    error $result $errorInfo
} else {
    array set cli1 $result
}
if [catch {cli_exec $cli1(fd) "enable"} _cli_result] {
    error $_cli_result $errorInfo
}

if {$_cerrno !=0} {
    set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
    error $result
}

action_syslog msg "Executed policy successfully"

Then, I tested it using the net-snmp snmptrap command:

snmptrap -v 1 -c public pi-rsquared enterprises.33333.1 192.168.1.1 6 1 '' enterprises.33333.2.0 i 1234 enterprises.33333.3.0 a 60.199.50.34

And here's what I see:

Apr 11 12:49:23.261: SNMP: Packet received via UDP from 192.168.1.1 on Vlan1
Apr 11 12:49:23.261: SNMP: V1 Trap, ent enterprises.33333.1, addr 192.168.1.1, gentrap 6, spectrap 1
 enterprises.33333.2.0 = 1234
 enterprises.33333.3.0 = 60.199.50.34
Apr 11 12:49:23.269:  dest ip addr= 192.168.1.39

Apr 11 12:49:23.269:  dest if_index = 14

Apr 11 12:49:23.853: %HA_EM-6-LOG: sn_trap_test.tcl: Executed policy successfully

What you might be seeing is a bug with trap reception on Tunnel interfaces.  Can you try sending the trap so that the device receives it on a non-tunnel interface?

Ok, finally found the problem, it was really me. I had the community value wrong on the snmp trap I was sending. All is working now.

Thanks

Rodrigo