Re: EEM applet to track VPN tunnel

jorgeramos78 · ‎06-28-2012

I am working on an EEM applet on IOS is 15.2(1)T to reload a router when a VPN tunnel is down for 10 minutes, but I need it to cancel the reload when the VPN tunnel is back up. What I would like to do is to create one applet that does the following:

event manager applet VPN-Status

event track 1 state any

action 1.0 if the status is Down schedule a reload in 10 minutes

...

action 2.0 if the status is Up cancel the reload

Here is what I have configured (obviously it doesn't do what I need)

track 1 ip sla 11 reachability

delay down 5 up 10

!

ip sla 11

icmp-echo 192.168.0.1 source-ip 172.16.0.1

ip sla schedule 11 life forever start-time now

!

event manager applet VPN-Down

event track 1 state down

action 1.0 wait 600

action 1.1 syslog msg "The VPN tunnel has been down for 10 minutes."

action 2.0 reload

event manager applet VPN-Up

event track 1 state up

action 1.0 syslog msg "The VPN tunnel is up"

action 1.1 cli command "enable"

action 1.2 cli command "reload cancel"

Joe Clarke · ‎06-28-2012

What you want should not be done in one applet. Use two:

event manager applet tunnel-down

event track 1 state any

action 001 if $_track_state eq "down"

action 002 cli command "enable"

action 003 cli command "config t"

action 004 cli command "event manager applet vpn-timer"

action 005 cli command "event timer countdown time 600"

action 006 cli command "action 1.0 reload"

action 007 cli command "end"

action 008 else

action 009 cli command "enable"

action 010 cli command "config t"

action 011 cli command "no event manager applet vpn-timer"

action 012 cli command "end"

action 013 end

jorgeramos78 · ‎06-29-2012

Thanks for your input Joseph, but I actually got my applets to work about 5 minutes after posting this. I decide to leave it up in case someone else may find it useful. Here are the relevant parts of my config (obviously excluding the VPN stuff):

track 1 ip sla 10 reachability

delay down 5 up 10

!

ip sla 10

icmp-echo 192.168.0.1 source-ip 172.16.0.1

frequency 300

ip sla schedule 10 life forever start-time now

!

event manager applet VPN-Down

event track 1 state down

action 1.0 syslog msg "The VPN is down"

action 1.1 cli command "enable"

action 1.2 cli command "reload in 15" pattern "confirm"

action 1.3 cli command ""

action 1.4 syslog msg "EEM scheduled reload in 15 minutes"

event manager applet VPN-Up

event track 1 state up

action 1.0 syslog msg "The VPN is up"

action 1.1 cli command "enable"

action 1.2 cli command "reload cancel"

Here is the breakdown:

1. The ip sla 10 is set to ping 192.168.0.1 from 172.16.0.1 every 300 seconds (5 minutes).

2. If an echo reply is not received in 5 seconds (delay down 5) the router will change the state of the sla to Down; the following will be displayed on screen:

%TRACKING-5-STATE: 1 ip sla 10 reachability Up->Down

3. This state change to Down triggers the VPN-Down applet which displays "The VPN is down" on the screen and schedules a reload in 15 minutes.

4. If at any point before the scheduled reload the sla state changes to Up, the VPN-Up applet is triggered (which cancels the scheduled reload).

4a. When the state of the sla changes to Up, the following will be displayed on screen:

%TRACKING-5-STATE: 1 ip sla 10 reachability Down->Up

Boo · ‎05-04-2017

Even though I am 5 years late, I'll still suggest that you shouldn't restart your router as soon as your VPN is down. Firstly, ping any IP such as 8.8.8.8 to ensure your router has internet and then ping 192.168.0.1 source-ip 172.16.0.1

If internet is working, but if the VPN is down. Then restart.

alfagnish · ‎07-20-2012

Are this configuration avaliable to Cisco ASA? I'm trying to monitor when my VPN's are down or "locked", and maybe this applet will be usefull.

Regards,

Leomar.

Joe Clarke · ‎07-20-2012

No, unfortunately EEM is not available on the ASA.