
New Member

Modify EEM for vpn_failure.tcl

I'm trying to use the vpn failure tcl script that was written/contributed by David Lin.

I am trying to modify this so that I can get my ivrf information per peer. We have multiple instances, being a multi-tenant data center, this being on our hub for DMVPN and P2P VPNs. I want to know what ivrf is associated to the peer address. The only way I could think to do this was to grab the information using "show cry session remote $remote_peer detail". Not being a script-knowledgeable person, I am attempting to learn it, but at the same time I need to accomplish this for work, which equals a lot of stumbling. Call me a tool or a noob; my tcl-foo is weak sauce.

Below is the section I modified including the regexp line that David used to get the info from the syslog to set the $remote_peer value.

set syslog_msg $arr_einfo(msg)
#-----------------  End of fetch the syslog message that caused the event to trigger ----------

#-------  Extract Peer ID from syslog message and use for 'show ip route' command later -------
# Example syslog output : %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 10.10.10.1:500       Id: 10.10.10.1
# We only care about the value after the word "Peer:" which is 10.10.10.1 in the above example.  Keep this value
# stored in variable 'remote_peer'
regexp {.*%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.*Peer ([0-9].*\.[0-9].*\.[0-9].*\.[0-9].*):[0-9].*} $syslog_msg match remote_peer
#puts "Peer ID is $remote_peer"
#action_syslog msg "Peer ID is $remote_peer"

#----------------------- "Get VRF from Peer" ----------------
#
  if [catch {cli_exec $cli(fd) "enable"} result] {
    error $result $errorInfo
  }
  if [catch {cli_exec $cli(fd) "show cry session remote $remote_peer detail"} result] {
    error $result $errorInfo
  }
  set show_cry_session_remote_peer $result
  regexp {*%Public *ivrf: ([A-Za-z0-9] *)} $show_cry_session_remote_peer match vrf_instance
#Gets ivrf from session details. Puts "ivrf as $vrf_instance"


*****************************************************************************************

What a show cry session remote detail looks like, in case it is needed. Note that I changed the name of the ivrf and the IP addresses, so the customer information is not real; only the output layout is real. Also, the IPSEC FLOW information can be larger depending on configuration.

show crypto session remote 12.95.136.1 detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0/0
Profile: Meritor-WABCO_Isakmp_Profile
Uptime: 2w4d
Session status: UP-ACTIVE
Peer: 12.95.136.1 port 500 fvrf: Public ivrf: CompanyXyZ123
      Phase1_id: 12.95.136.1
      Desc: (none)
  IKEv1 SA: local 205.88.142.10/500 remote 12.96.136.2/500 Active
          Capabilities:(none) connid:41197 lifetime:21:36:31
  IPSEC FLOW: permit ip host 10.80.153.20 host 10.53.0.240
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1974 drop 0 life (KB/Sec) 4607980/3039
        Outbound: #pkts enc'ed 1395 drop 0 life (KB/Sec) 4607822/3039

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Modify EEM for vpn_failure.tcl

You can't begin a regular expression with a '*'.  The '*' character means zero or more of the previous character.   What you want is likely:

regexp {Public ivrf: ([A-Za-z0-9]+)} $show_cry_session_remote_peer match vrf_instance
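As an added example (not the thread's code, nor anything from David Lin's vpn_failure.tcl), here is a stand-alone Tcl script you can run in tclsh: it reproduces the compile error the original pattern produces, applies the corrected pattern from the answer, and then shows a slightly more general version that keys on the "ivrf:" label instead of the fvrf name "Public" and checks that a match was actually found. The show output is a string constructed from the sample in the question, standing in for the cli_exec result.

```tcl
# Added example, not part of the thread or of vpn_failure.tcl.
# The EEM cli_exec call is replaced by a constructed string so this runs in plain tclsh.

# Constructed "show crypto session remote <peer> detail" output (layout from the thread).
set show_cry_session_remote_peer {Crypto session current status
Interface: GigabitEthernet0/0/0
Profile: Meritor-WABCO_Isakmp_Profile
Session status: UP-ACTIVE
Peer: 12.95.136.1 port 500 fvrf: Public ivrf: CompanyXyZ123
      Phase1_id: 12.95.136.1
  IKEv1 SA: local 205.88.142.10/500 remote 12.96.136.2/500 Active}

# 1. The original pattern: the leading '*' has nothing to quantify, so the
#    regex engine refuses to compile it. Wrapping it in catch turns the
#    failure into a message instead of aborting the whole policy.
if {[catch {regexp {*%Public *ivrf: ([A-Za-z0-9] *)} \
              $show_cry_session_remote_peer match vrf_instance} err]} {
    puts "original pattern failed: $err"
}

# 2. The corrected pattern from the accepted answer.
if {[regexp {Public ivrf: ([A-Za-z0-9]+)} \
        $show_cry_session_remote_peer match vrf_instance]} {
    puts "ivrf is $vrf_instance"
}

# 3. A more general extractor (my addition): anchor on the "ivrf:" label so
#    it works whatever the fvrf is named, accept any non-whitespace run so
#    VRF names containing '_' or '-' still match, and return "" when the
#    label is absent so the caller never acts on an unset or stale value.
proc get_ivrf {show_output} {
    if {[regexp {ivrf:\s+(\S+)} $show_output -> ivrf]} {
        return $ivrf
    }
    return ""
}

set ivrf [get_ivrf $show_cry_session_remote_peer]
if {$ivrf eq ""} {
    puts "no ivrf found in show output"
} else {
    puts "ivrf (general pattern) is $ivrf"
}
```

In the real EEM policy the same `if {[regexp ...]}` guard matters: the session detail output for a peer that is already down may not contain an "ivrf:" line at all, and without the check the script would silently reuse whatever vrf_instance held before.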

3 REPLIES
New Member

Modify EEM for vpn_failure.tcl

So I forgot to state my actual problem. I think I have messed up the regexp that I attempted to make. When I force a testable VPN down, this is what I see in the logs, which states where the issue is; I just don't understand what the issue is, being the non-scripting fool that I am.

Jul 26 12:56:47.601: %HA_EM-6-LOG: vpn_failure.tcl: couldn't compile regular expression pattern: quantifier operand invalid
Jul 26 12:56:47.601: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: "regexp {*%Public *ivrf: ([A-Za-z0-9] *)} $show_cry_session_remote_peer match vrf_instance "
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: ..."
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
Jul 26 12:56:47.602: %HA_EM-6-LOG: vpn_failure.tcl: couldn't compile regular expression pattern: quantifier operand invalid


New Member

Modify EEM for vpn_failure.tcl

Thanks.
