Run TCL script on the router by executing TCL script on access server

EvaldasOu
Level 4

Hello!

There is an Access Server and other devices connected to it via reverse telnet (console cables from the access server).

I want to execute a TCL command on the Access Server that would run a TCL script on the router.

I think the way to achieve this is a TCL script with a send command from the Access Server. The problem is putting that "send" command in the TCL script, because we need to press Ctrl+z at the end (when we want to execute that send command).

Is this possible?


Hello Joseph.

1. Really, my device name (hostname) is "AccessServer". We have a Cisco 2811 router and we are using it just for reverse telnet connections to the other devices.

Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3).

2. Yes, there is a banner too, with a login prompt, but just on the 2811 router, not on the other devices.

banner login ^C

*********************************************************

banner text

*********************************************************

^C

3. Very short info from the "debug event manager tcl cli" command:

AccessServer#debug event manager tcl cli

Debug EEM Tcl CLI library debugging is on

AccessServer#event manager run EEM.tcl

*Mar 13 07:16:34.172: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.error reading the first prompt: Process Forced Exit

    while executing

"my_cli_open"

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

What is the actual banner text?

AccessServer#sh run | b banner

banner login ^C

*********************************************************

* Unauthorized access to this system is forbidden.      *

* By accessing this system, you agree that your actions *

* may be monitored if unauthorized usage is suspected.  *

*                                                       *

*********************************************************

^C

That's it

I cannot reproduce.  The policy works for me with your hostname and banner.  Can you post the entire running config from this 2800?

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname AccessServer

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$OMLP$Gm8p6NqUV/L1r3ja/0KQs1

!

aaa new-model

!

!

aaa authentication login default group tacacs+

aaa authentication login nologin none

aaa authorization commands 0 default group tacacs+

aaa authorization commands 1 default group tacacs+

aaa authorization commands 15 default group tacacs+

!

!

aaa session-id common

clock timezone GMT+2 2

clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 3:00

dot11 syslog

!

!

ip cef

!

!

no ip domain lookup

ip host R1 2066 192.168.83.51

ip host R2 2067 192.168.83.51

ip host R3 2068 192.168.83.51

ip host R4 2069 192.168.83.51

ip host R5 2081 192.168.83.51

ip host R_ISP1 2077 192.168.83.51

ip host R_FR 2079 192.168.83.51

ip host ASW1 2080 192.168.83.51

ip host ASW2 2076 192.168.83.51

ip host CSW1 2070 192.168.83.51

ip host CSW2 2071 192.168.83.51

ip host SW3 2072 192.168.83.51

ip host SW4 2073 192.168.83.51

ip host ASA 2074 192.168.83.51

ip host R6 2078 192.168.83.51

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

archive

log config

  logging enable

  logging size 300

  notify syslog contenttype plaintext

  hidekeys

!

!

!

!

!

!

interface Loopback0

ip address 192.168.83.51 255.255.255.224

!

interface FastEthernet0/0

ip address X.X.X.X 255.255.255.128

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface Async1/0

no ip address

encapsulation slip

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 X.X.X.X

!

!

no ip http server

no ip http secure-server

!

!

menu switch title ^C

**********************************************************

               Switch Lab Terminal Server

To exit from a device, use CTRL+SHIFT+6 then press x

**********************************************************

^C

menu switch text R1 Connect to R1 - 1841

menu switch command R1 telnet R5

menu switch text R2 Connect to R2 - 1841

menu switch command R2 telnet R6

menu switch text ASW1 Connect to ASW1 - 2950

menu switch command ASW1 telnet ASW1

menu switch text ASW2 Connect to ASW2 - 2960

menu switch command ASW2 telnet ASW2

menu switch text DSW1 Connect to DSW1 - 3750

menu switch command DSW1 telnet SW3

menu switch text DSW2 Connect to DSW2 - 3750

menu switch command DSW2 telnet SW4

menu switch text CSW1 Connect to CSW1 - 3750

menu switch command CSW1 telnet CSW1

menu switch text CSW2 Connect to CSW2 - 3750

menu switch command CSW2 telnet CSW2

menu switch text c clear the session by number ie: cDSW1

menu switch text q Quit terminal server session

menu switch command q exit

menu switch command e menu-exit

menu switch command cR1 cR5

menu switch command cR2 cR6

menu switch command cASW1 cASW1

menu switch command cASW2 cASW2

menu switch command cDSW1 cSW3

menu switch command cDSW2 cSW4

menu switch command cCSW1 cCSW1

menu switch command cCSW2 cCSW2

menu switch clear-screen

menu switch line-mode

!

!

tacacs-server host xxxxxx.xxxx.xxxx.xxxx

tacacs-server key 7 xxxxxx

!

control-plane

!

!

!

!

!

!

!

!

banner login ^C

*********************************************************

* Unauthorized access to this system is forbidden.      *

* By accessing this system, you agree that your actions *

* may be monitored if unauthorized usage is suspected.  *

*                                                       *

*********************************************************

^C

alias exec cSW3 clear line 72

alias exec cSW4 clear line 73

alias exec cR1 clear line 66

alias exec cR2 clear line 67

alias exec cR3 clear line 68

alias exec cR4 clear line 69

alias exec cR5 clear line 81

alias exec q logout

alias exec c conf t

alias exec cASA clear line 79

alias exec 1 menu switch

alias exec cASW1 clear line 80

alias exec cASW2 clear line 76

alias exec cR6 clear line 78

alias exec cCSW2 clear line 71

alias exec cCSW1 clear line 70

privilege exec level 0 connect

privilege exec level 0 telnet

privilege exec level 0 menu

privilege exec level 0 resume

privilege exec level 0 clear line

privilege exec level 0 clear

!

line con 0

line aux 0

line 1/0 1/31

session-timeout 2

exec-timeout 0 20

privilege level 15

logging synchronous

login authentication nologin

no exec

transport input telnet

transport output none

stopbits 1

flowcontrol hardware

line vty 0 4

exec-timeout 30 0

logging synchronous

autocommand  menu switch

line vty 5 15

exec-timeout 30 0

logging synchronous

!

scheduler allocate 20000 1000

!

event manager directory user policy "flash:/"

event  manager directory user library "flash:/"

event manager policy EEM.tcl

!

end

event  manager directory user library "flash:/"          
(I removed this command from the config now, but I get the same error anyway)

Ah, that's the problem!  It's your menu.  You need to remove the menu from at least the first VTY line.  For example, try this:

line vty 0

transport input none

no autocommand menu switch

Thank you Joseph for your time!

But the problem is the same for me. I will try this EEM TCL script on a 2511 router today; maybe the results will be different...

Can you show me exactly which commands you put in there?:

array set cli [my_cli_open]

my_cli_exec $cli(fd) "enable"

cli_write $cli(fd) "send tty 11\r"

cli_read_pattern $cli(fd) "Enter message"

cli_write $cli(fd) "This is a test\r "

cli_read_pattern $cli(fd) "Send message"

my_cli_exec $cli(fd) "\r"

cli_close $cli(fd) $cli(tty_id)


You have to make sure line vty 0 is free.  Once you make the config changes, clear the line to make sure it is free so EEM can occupy it.

If you are going to move the script, move the whole script.  Don't extract individual pieces of code.  Copy the whole no_send_msg.tcl script to your new router.  Note: this script requires EEM 2.1 or higher so you're looking at 12.3(14)T or higher.  I do not think you can run that on a 2511.

Hello. I think there is something wrong with a script that I try to execute:

AccessServer#sh line vty 0

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int

    514  514 VTY              -    -      -    -    -     0      0    0/0      -

Line 514, Location: "", Type: ""

Length: 24 lines, Width: 80 columns

Baud rate (TX/RX) is 9600/9600

Status: No Exit Banner

Capabilities: none

Modem state: Idle

Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation

                ^^x    none   -     -       none        

Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch

               00:30:00        never                        none     not set

                            Idle Session Disconnect Warning

                              never

                            Login-sequence User Response

                             00:00:30

                            Autoselect Initial Wait

                              not set

Modem type is unknown.

Session limit is not set.

Time since activation: never

Editing is enabled.

History is enabled, history size is 20.

DNS resolution in show commands is enabled

Full user help is disabled

Allowed input transports are none.

Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.

Preferred transport is telnet.

No output characters are padded

No special data dispatching characters

AccessServer#sh line

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int

    514  514 VTY              -    -      -    -    -     0      0    0/0      -

*   515  515 VTY              -    -      -    -    -     2      0    0/0      -

    516  516 VTY              -    -      -    -    -     0      0    0/0      -

    517  517 VTY              -    -      -    -    -     0      0    0/0      -

    518  518 VTY              -    -      -    -    -     0      0    0/0      -

AccessServer#sh users

    Line       User       Host(s)              Idle       Location

*515 vty 1     cisco      idle                 00:00:00 X>X>X>X

  Interface    User               Mode         Idle     Peer Address

AccessServer#sh run | b even

event manager directory user policy "flash:/"

event manager policy EEM.tcl

!

end

AccessServer(config)#no event manager policy EEM.tcl

AccessServer#delete flash:EEM.tcl

Delete filename [EEM.tcl]?

Delete flash:EEM.tcl? [confirm]

AccessServer#copy tftp://X>X>X>X/EEM.tcl flash:

Destination filename [EEM.tcl]?

Accessing tftp://X>X>X>X/EEM.tcl...

Loading EEM.tcl from X>X>X>X (via FastEthernet0/0): !

[OK - 4603 bytes]

AccessServer(config)#event manager policy EEM.tcl

AccessServer#event manager run EEM.tcl             

Process Forced Exit

   while executing

"continue"

    (procedure "cli_read_pattern" line 12)

    invoked from within

"cli_read_pattern $cli(fd) "Enter message""

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: Process Forced Exit

Tcl policy execute failed: Process Forced Exit

The end of your EEM TCL script (edited by me) looks like this:

array set cli [my_cli_open]

my_cli_exec $cli(fd) "enable"

cli_write $cli(fd) "send tty 70\r"

cli_read_pattern $cli(fd) "Enter message"  ( is this row ok? )

cli_write $cli(fd) "show cdp nei\r "           ( is this row ok? )

cli_read_pattern $cli(fd) "Send message"  ( is this row ok? )

my_cli_exec $cli(fd) "\r"

cli_close $cli(fd) $cli(tty_id)

(because I tried to change these rows, but the changes were unsuccessful)

Post the output of "debug event manager tcl cli".  After entering "send tty 70" the required prompt cannot be matched.  This could mean there is an error with the command.

AccessServer#event manager run EEM.tcl

*Mar 14 17:42:22.775: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.

*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>

*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN  : AccessServer>enable

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : The command 'enable ' is not authorized for user  and client X.X.X.X

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT :

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>

Process Forced Exit3: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN  : AccessServer>send tty 70

    while executing

"continue"

    (procedure "cli_read_pattern" line 12)

    invoked from within

"cli_read_pattern $cli(fd) "Enter message""

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: Process Forced Exit

Tcl policy execute failed: Process Forced Exit

Do I need to log in first?

I'm using a TACACS+ server; do I need to log in properly to the AccessServer first? I'm using "cisco/cisco" for TACACS+ authentication, and "cisco" as the enable secret.

EEM doesn't do authentication.  It only does authorization.  Try configuring:

event manager session cli username cisco

Then see if the policy runs.
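
A pre-flight check for the two causes diagnosed in this thread (the `autocommand` menu covering the first VTY line, and AAA command authorization with no `event manager session cli username`), as an added example that is not part of the original thread. The function names, finding labels and the trimmed sample config are constructed for illustration; the parser assumes `show running-config` style text in which `!` or the next `line` header ends a line block.

```python
import re

# Constructed sample, trimmed to the lines that matter; not a real device config.
SAMPLE_CONFIG = """\
aaa authorization commands 15 default group tacacs+
line vty 0 4
 exec-timeout 30 0
 autocommand  menu switch
line vty 5 15
!
event manager directory user policy "flash:/"
"""

def _norm(line):
    return " ".join(line.split())  # drop indentation, collapse doubled spaces

def vty_blocks(config):
    """Yield (first, last, sub_commands) for each 'line vty' block."""
    block = None
    for line in map(_norm, config.splitlines()):
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m or line.startswith(("line ", "!")) or line == "end":
            if block:
                yield block
            block = (int(m.group(1)), int(m.group(2) or m.group(1)), []) if m else None
        elif block and line:
            block[2].append(line)
    if block:
        yield block

def eem_cli_preflight(config):
    """Return labels for settings that stop an EEM Tcl policy from using the CLI."""
    lines = [_norm(l) for l in config.splitlines()]
    findings = []
    # Per the thread: EEM does no authentication, but its commands are still
    # authorized, so AAA needs a username to authorize the session against.
    authz = any(l.startswith("aaa authorization commands ") for l in lines)
    eem_user = any(l.startswith("event manager session cli username ") for l in lines)
    if authz and not eem_user:
        findings.append("aaa-command-authorization-without-eem-session-username")
    # Per the thread: "error reading the first prompt" was traced to the menu
    # autocommand on the first VTY line, which EEM has to occupy.
    for first, _last, cmds in vty_blocks(config):
        if first == 0 and any(c.startswith("autocommand ") for c in cmds):
            findings.append("autocommand-on-vty-0")
    return findings

if __name__ == "__main__":
    print(eem_cli_preflight(SAMPLE_CONFIG))
```

Run it against a saved copy of the running config before registering the policy; an empty list means neither condition from this thread is present.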

OMG! OMG! OMG! It works now! I can't thank you enough dear Joseph!

You helped me so much!!!

Hello Joseph and all the community!

I don't know whether it is better to create a new discussion or ask here, because the question is related to this topic.

As you helped me to send commands via TTY lines, is it possible to send some commands via SSH?

Login to the specific device and enter some commands automatically?

This can only work on very new IOS due to bug CSCtc92280 (i.e., it will only work on 15.1(4)T and higher).
