Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2326
Views
0
Helpful
2
Replies

EEM to clear cry session(s)

GSCiscoSP
Level 1
Level 1

‎07-02-2013 08:48 AM

Background: We have two DataCenters and our remote offices build cry tunnels to each.  There is also a direct link between the two DC's and the remote offices use weighted routing to "failover per say" in the event their connection to one DC goes down.  Each DC can reroute the destination traffic over the direct link to the other DC.

First Attempt:We created two ip sla's and upon detecting either restored, we did a "clear cry sesion" to clear both tunnels and let the various networks refresh their routes...

Issue: Having multiple networks (where normally nw A,B route to DC1 and nw C routes to DC2), sometimes we see very brief outages and nw A&B will end up with spilt routing with nw A going to DC1 and nw B still going to DC2 although the tunnel to DC1 recovered.

Goal: We're thinking just clearing the tunnel that bounce vs both would work better and trying the following and it's not restoring the individual tunnel.

ip sla 9

icmp-echo [DC1-ipaddress] source-interface Serial0/0/0

frequency 10

ip sla 10

icmp-echo [DC2-ipaddress] source-interface Serial0/0/0

frequency 10

event manager applet DC1

event track 9 state up maxrun 10

action 1.0 syslog msg "DC1 primary peer came back online, clearing crypto tunnel"

action 2.0 cli command "enable"

action 3.0 cli command "clear crypto remote peer [DC1-ipaddress]"

event manager applet DC2

event track 10 state up maxrun 10

action 1.0 syslog msg "DC2 primary peer came back online, clearing crypto tunnel"

action 2.0 cli command "enable"

action 3.0 cli command "clear crypto remote peer [DC2-ipaddress]"

Question:  Does anyone know a command or sequence that would work.  unfortunatley since tunnels build ramdomly we never know which conn-id is which location and cannot use the "clear cry is ####" command

Labels:
0 Helpful
2 Replies 2

Joe Clarke
Cisco Employee
Cisco Employee

‎07-02-2013 09:07 AM

Are you asking for IPSec commands that will achieve what you want or are you asking for how EEM can be used to automate a known process?  If the former, you will have better luck on one of the security communities.  If the latter, explain the steps you would use to manually go through the process to determine which tunnel needs to be bounced and how you know it's bouncing.

0 Helpful

GSCiscoSP
Level 1
Level 1
In response to Joe Clarke

‎07-02-2013 11:45 AM

I resolved the issue, turns out I just need to add another line to  clear tunnels to both DC's in order for routing to restore to normal.

event manager applet DC1

event track 9 state up maxrun 10

action 1.0 syslog msg "DC1 primary peer came back online, clearing crypto tunnel"

action 2.0 cli command "enable"

action 3.0 cli command "clear crypto remote peer [DC1-ipaddress]"

action 4.0 cli command "clear crypto remote peer [DC2-ipaddress]"

event manager applet DC2

event track 10 state up maxrun 10

action 1.0 syslog msg "DC2 primary peer came back online, clearing crypto tunnel"

action 2.0 cli command "enable"

action 3.0 cli command "clear crypto remote peer [DC2-ipaddress]"

action 4.0 cli command "clear crypto remote peer [DC1-ipaddress]"

So for reference to others, the "event track #"  coresponds to the ip sla #, so when a site drops and returns to the  "state up" it executes the actions commands.  Since routing will fail to  the other DC, you have to clear it's tunnel to force traffic to try  routing back to normal and rebuild your tunnel.

Clearing each peer individually works much faster then "clear cry sess" especially if your have other tunnels..

:-)

0 Helpful
Customers Also Viewed These Support Documents