10-04-2010 07:58 AM
Hi everybody,
I'm not able to configure this line
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 get-type exact entry-op ge entry-val 85 exit-op le exit-val 65 poll-interval 60
as trigger event for shutting down various features regarding CPU spikes.
I was trying to configure this on my C3845, c3845-advsecurityk9-mz.124-24.T2.
This does make sense, because:
vpn-event3845(config-applet)#event ?
application Application specific event
cli CLI event
config Configuration policy event
counter Counter event
env Environmental event
interface Interface event
ioswdsysmon IOS WDSysMon event
ipsla IPSLA Event
nf NF Event
none Manually run policy event
oir OIR event
resource Resource event
rf Redundancy Facility event
routing Routing event
rpc Remote Procedure Call event
syslog Syslog event
tag event tag identifier
timer Timer event
track Tracking object event
As I could obviously see, this isn't possible. On this platform? On this IOS? Changing both of them is not an option.
How can I monitor an SNMP OID in the given environment?
SNMP itself is enabled and works like a charm, since I can graph my router using MRTG, even the different protocols getting them with NBAR... I can get this OID with SNMPget too, I do this within my MRTG installation once a minute.
Thanks in advance,
Andreas
10-04-2010 08:43 AM
This is known bug CSCtj01916. The problem only affects the advsecurityk9 images for ISRs. If you move to a different feature set, you will have EEM with SNMP.
10-04-2010 08:46 AM
Nice find! That makes much more sense as I could find nothing in EEM documentation that mentioned SNMP Manager functionality as a requirement. It just didn't make a lot of sense that the command wasn't there.
10-04-2010 08:57 AM
The SNMP proxy sub-system, which is responsible for SNMP Manager and the EEM SNMP polling code, is missing in these advsecurityk9 images.
10-05-2010 12:19 AM
Hi Joe,
Thank you for your fast response. OK, so I think I'll give another IOS a try, since I desperately need this feature in this special environment.
Best regards,
Andreas
10-05-2010 07:56 AM
OK, I tried SPSERVICES... worked fine, related to my first problem... but:
I'm not able to use VPNs with this featureset.
I'll have to use this configuration snippet for VPN:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
lifetime 7200
crypto isakmp key MYKEYISCOMPLICATED address 1.2.3.4
crypto isakmp keepalive 120
!
!
crypto ipsec transform-set MYPOLICY esp-aes
mode transport require
!
crypto map cryptomap1 1 ipsec-isakmp
description VPN 1
set peer 1.2.3.4
set security-association lifetime seconds 1800
set transform-set MYPOLICY
match address 180
crypto map cryptomap1 2 ipsec-isakmp
description VPN 2
set peer 3.4.5.6
set security-association lifetime seconds 1800
set transform-set MYPOLICY
match address 190
And I need a little piece of OSPF, not very complicated.
My router has 256R/64F.
Any suggestions for a working featureset with the already described SNMP/EEM-functionality _and_ VPN/OSPF?
I'm stuck right now. Seems to me I can't have all the needed features at the same time with the given hardware.
10-05-2010 08:05 AM
IP Advanced Services should have all of the above, but I don't know if it is the least common denominator. That is, IP Advanced Services has everything, so it could be overkill.
10-05-2010 08:45 AM
OK, thanks for the suggestion,
I tried, and it seems to work at first glance. I can check the VPN connectivity tomorrow, also the functionality of my EEM script.
But I WAS able to configure it. I'll report it here after my checks.
Thanks!
BTW:
I had to use c3845-advipservicesk9-mz.124-25d.bin, since the T-version was too big for my flash (only 64 megs). But it's an MD, so if all is working it will be fine for me too.
10-05-2010 04:14 PM
There is a substantial difference in EEM between 12.4 mainline and 12.4(24)T. The former has EEM 2.1 while the latter has 3.0. If you need sophisticated programmatic applets (e.g. applets with loops, conditionals, show command parsing, etc.), those will not be possible in EEM 2.1. You will have to resort to Tcl to accomplish that level of automation.
10-06-2010 03:47 AM
I tested if all is working, and yes, the EEM script does its job. It's a real basic script, nothing exciting:
event manager applet CALMDOWN
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 get-type exact entry-op ge entry-val 85 exit-op le exit-val 65 poll-interval 60
action 100 syslog priority notifications msg "Disabling CPU-intensive features due to CPU-load/1min around 85%"
action 200 cli command "enable"
action 300 cli command "config t"
action 400 cli command "interface GigabitEthernet0/0"
action 405 cli command "no ip nbar protocol-discovery"
action 410 cli command "no service-policy input polINTERNET-IN"
action 415 cli command "no service-policy output polINTERNET-OUT"
action 500 cli command "interface GigabitEthernet0/1"
action 505 cli command "no ip nbar protocol-discovery"
action 510 cli command "no ip accounting output-packets"
action 515 cli command "no service-policy input polLAN-IN"
action 600 cli command "end"
action 700 syslog priority notifications msg "Disabling done..."
event manager applet GETBUSY
event snmp oid 1.3.6.1.4.1.9.9.109.1.1.1.1.4.1 get-type exact entry-op le entry-val 65 exit-op ge exit-val 85 poll-interval 60
action 100 syslog priority notifications msg "Re-enabling CPU-intensive features due to relief in CPU-load/1min below 65%"
action 200 cli command "enable"
action 300 cli command "config t"
action 400 cli command "interface GigabitEthernet0/0"
action 405 cli command "ip nbar protocol-discovery"
action 410 cli command "service-policy input polINTERNET-IN"
action 415 cli command "service-policy output polINTERNET-OUT"
action 500 cli command "interface GigabitEthernet0/1"
action 505 cli command "ip nbar protocol-discovery"
action 510 cli command "ip accounting output-packets"
action 515 cli command "service-policy input polLAN-IN"
action 600 cli command "end"
action 700 syslog priority notifications msg "Re-enabling done..."
And it works, as I have seen this morning. I had several iperf sessions to raise the load, and stopped them after a while. So all behaves as expected.
Thanks to everybody who has contributed in this case, you were a great help!
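A simplified model of the entry/exit hysteresis that the CALMDOWN and GETBUSY applets in the post above rely on, as an added example in Python (not code from the thread or from Cisco). It assumes an applet fires once when its entry condition matches and is then suppressed until its exit condition matches; the class and function names are hypothetical and the CPU samples are constructed.

```python
import operator

# Comparison operators named as in the 'event snmp' entry-op / exit-op keywords.
OPS = {"ge": operator.ge, "le": operator.le, "gt": operator.gt,
       "lt": operator.lt, "eq": operator.eq, "ne": operator.ne}


class SnmpEventModel:
    """Simplified model of 'event snmp ... entry-op/exit-op' hysteresis."""

    def __init__(self, name, entry_op, entry_val, exit_op, exit_val):
        self.name = name
        self.entry = (OPS[entry_op], entry_val)
        self.exit = (OPS[exit_op], exit_val)
        self.armed = True  # assumption: monitoring starts enabled

    def poll(self, value):
        """Feed one polled value; return True if the applet fires."""
        if self.armed:
            op, val = self.entry
            if op(value, val):
                self.armed = False  # suppressed until the exit criteria match
                return True
        else:
            op, val = self.exit
            if op(value, val):
                self.armed = True   # re-armed; can fire on a later entry match
        return False


def simulate(samples):
    """Run both applets from the thread over a list of 1-minute CPU values."""
    applets = [
        SnmpEventModel("CALMDOWN", "ge", 85, "le", 65),
        SnmpEventModel("GETBUSY", "le", 65, "ge", 85),
    ]
    fired = []
    for i, cpu in enumerate(samples):
        for applet in applets:
            if applet.poll(cpu):
                fired.append((i, cpu, applet.name))
    return fired


# Constructed samples, one per 60-second poll interval.
SAMPLES = [20, 70, 90, 88, 75, 66, 64, 30, 80, 86, 70, 60]

if __name__ == "__main__":
    for idx, cpu, name in simulate(SAMPLES):
        print(f"poll {idx:2d}: cpu={cpu:3d}% -> {name} runs")
```

In this model GETBUSY runs on the very first poll when the router starts at low load, re-applying configuration that is already present, and values between 65 and 85 trigger neither applet.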
10-04-2010 08:43 AM
I believe the problem is with the Advanced Security feature set you are running. I just checked my router running the 12.4T train and IP Advanced Services and the command appears.
Looking at the difference in features between Advanced Security and IP Advanced Services in regard to EEM features, but there are some differences in SNMP support. Specifically, the SNMP Manager function adds the ability to monitor OIDs, etc. It could be that EEM is using this feature to accomplish the SNMP poll.