05-16-2016 07:54 AM
I have created a script tied to IP SLA. If the IP SLA is breached, we want the script to run, shut down the BGP peer, send a syslog message out, and then send an email out. I get the alert for the IP SLA breach but nothing else happens, so I screwed up the script somehow. This is the first time using EEM scripting, so any help would be great. Since we have never used EEM scripting at this location, the version we would be using is the default version that shipped with the ISR 4451 back in 2015. I don't know if that matters.
Thanks
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/1
 threshold 2
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
track 1 ip sla 1 reachability
event manager environment EMAIL PROVIDER INTERNET ISSUE
event manager environment _email_server 10.1.1.3
event manager environment _email_to xxxxx@xxxxx.com
event manager environment _email_from clinetarouter@xxxxx.com
event manager applet BGP_NEIGHBOR_DOWN
 description SHUTDWON BGP PEERING IF THERE IS PROVIDER ISSUE
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "router bgp 10125"
 action 1.3 cli command "neighbor x.x.x.x shutdown"
 action 1.4 cli command "end"
 action 1.5 syslog msg "PROVIDER NETWORK ISSUE DETECTED, BGP PEERING SHUTDOWN"
event manager applet EMAIL_BGP_PEER_DOWN
 description EMAIL BGP PEER DOWN
 event track 1 state down
 action 1.1 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Provider issue: PING FAILED" body "Ping to Google Failed"
 action 1.2 syslog msg "EMAIL SENT TO $_email_to"
!
05-16-2016 03:30 PM
You're missing:
track 1 ip sla 1 reachability
05-17-2016 06:22 AM
Joe,
Thanks for your reply. I do have that command in the config; I just did not get it pasted into the discussion because it was further down in the running config and I missed it.
05-17-2016 08:41 AM
When the reachability to 8.8.8.8 goes away, what do show track and show ip sla stat look like?
05-17-2016 08:45 AM
Joe,
I get the syslog message stating IP SLA breach. I don't get any time to troubleshoot the issue; once it does not work, I have to back out immediately so as not to breach our customer SLA agreements.
05-17-2016 08:47 AM
If you look at "show event manager history events" do you see instances of your policies? Do you have AAA command authorization configured?
05-17-2016 08:51 AM
Joe,
Well this is interesting:
No.  Job Id  Proc  Status   Time of Event             Event Type  Name
1    1       Actv  success  Sat May14 11:48:31 2016   track       applet: EMAIL_BGP_PEER_DOWN
2    2       Actv  success  Sat May14 11:48:31 2016   track       applet: BGP
It was not successful, so I don't know what it was successful at.
05-17-2016 08:52 AM
I had a feeling you'd see this. Do you have AAA command authz on this device?
05-17-2016 08:54 AM
yes
aaa new-model
aaa local authentication attempts max-fail 3
!
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
05-17-2016 08:57 AM
Then either configure:
event manager session cli username USER
Where USER is a user authorized to run all CLI commands in your EEM policies. Or add "auth bypass" to the end of each applet's config.
05-17-2016 08:58 AM
Joe,
Thanks for the information. One question: do I have to configure the password for the user, or just the username?
Thanks
05-17-2016 09:00 AM
No password is needed. EEM doesn't do authn. It assumes it because an authenticated user configured the policy. It only does authz.
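The fix given in the answers above can be checked offline against a saved running-config. The following is an added example, not part of the original thread: it flags applets whose `cli command` actions will be subject to AAA command authorization with no `event manager session cli username` configured, and separately lists applets that use `authorization bypass` so they can be reviewed. The function name, the sample config and the `CLEANUP` applet are constructed for illustration.

```python
import re

# Constructed sample config, modelled on the thread; CLEANUP is hypothetical.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 15 default group tacacs+ local
event manager applet BGP_NEIGHBOR_DOWN
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.5 syslog msg "BGP PEERING SHUTDOWN"
event manager applet EMAIL_BGP_PEER_DOWN
 event track 1 state down
 action 1.2 syslog msg "EMAIL SENT"
event manager applet CLEANUP authorization bypass
 event none
 action 1.0 cli command "enable"
"""

APPLET_RE = re.compile(r"^event manager applet (\S+)(.*)$")
CLI_ACTION_RE = re.compile(r"^\s+action \S+ cli command ")


def audit_eem_authz(config: str) -> dict:
    """Report EEM applets whose CLI actions depend on AAA command authorization."""
    lines = config.splitlines()
    aaa_cmd_authz = any(l.startswith("aaa authorization commands ") for l in lines)
    session_user = next(
        (l.split()[5].strip('"') for l in lines
         if l.startswith("event manager session cli username ")), None)
    applets, current = {}, None
    for line in lines:
        m = APPLET_RE.match(line)
        if m:
            current = m.group(1)
            applets[current] = {"bypass": "authorization bypass" in m.group(2),
                                "cli": False}
        elif not line.startswith(" "):
            current = None  # left applet sub-mode
        elif current and CLI_ACTION_RE.match(line):
            applets[current]["cli"] = True
    uses_cli = [n for n, a in applets.items() if a["cli"]]
    return {
        # CLI actions AAA will check, with no EEM session user to check against
        "unauthorized": [n for n in uses_cli if aaa_cmd_authz
                         and not session_user and not applets[n]["bypass"]],
        # applets that skip command authorization entirely: review who can edit them
        "bypassed": [n for n in uses_cli if applets[n]["bypass"]],
        "session_user": session_user,
    }
```

The script cannot tell whether the configured session user is actually permitted by the TACACS+ server to run each command; that still has to be verified on the AAA side.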
05-17-2016 09:02 AM
Great, I will add this to it. Thanks for the help.