Cisco Support Community
New Member

Run TCL script on the router by executing TCL script on access server

Hello !

There is an Access Server and other devices connected to it via reverse telnet (console cables from the access server).

I want to execute a TCL command on the Access Server that would run a TCL script on the router.

I think the way to achieve this is a TCL script with a send command from the Access Server. The problem is how to put that "send" command in the TCL script, because we need to press Ctrl+Z at the end (when we want to execute that send command).

Is this possible?

4 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

The error must have changed if you have properly registered the new script.  The function "cli_open" is no longer used.  However, there was a typo related to the Control+Z.  This new script fixes that.

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Ah, that's the problem!  It's your menu.  You need to remove the menu from at least the first VTY line.  For example, try this:

line vty 0

transport input none

no autocommand menu switch

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

EEM doesn't do authentication.  It only does authorization.  Try configuring:

event manager session cli username cisco

Then see if the policy runs.

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

You need to be enabled to run "event manager run".  Your menu is at privilege 0, so it cannot run.

43 REPLIES
Cisco Employee

Run TCL script on the router by executing TCL script on access s

I don't quite understand what you want to do.  The send EXEC command will not send a remote command on a TTY line.  It sends a message (i.e., data as opposed to code).  Is that what you want to do, or do you want to execute a command on a device connected to the comm server?

New Member

Run TCL script on the router by executing TCL script on access s

I tested this on AccessServer and Switch:

On the switch there is a Tcl script saved in its flash memory:

tclsh

puts [open "flash:default-config.tcl" w+] {

typeahead "\r"

ios_config "hostname TCLRouter"

}

On access server :

AS_2511#send tty 11

Enter message, end with CTRL/Z; abort with CTRL/C:

tclsh default-config.tcl

^Z

Send message? [confirm]

AS_2511#

And on Switch we can see:

Rack1SW1#tclsh default-config.tcl

TCLRouter#

TCLRouter#

So I want to know how to write a Tcl script for the send command. I want to put these AccessServer commands into a Tcl script and run it without typing the "send" command (I want to use just an "alias shortcut" to run this script from the AccessServer).

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Ah, I get it now.  You want to send data across a no-exec line to be interpreted on an async-connected device.  This is doable, but not with tclsh.  You can use EEM Tcl to do this.

Here is a rough EEM Tcl policy that will send the message:

::cisco::eem::event_register_none

namespace import ::cisco::eem::*

namespace import ::cisco::lib::*

array set cli [cli_open]

cli_exec $cli(fd) "enable"

cli_write $cli(fd) "send tty 11\r"

cli_read_pattern $cli(fd) "Enter message"

cli_write $cli(fd) "This is a test\r^Z"

cli_read_pattern $cli(fd) "Send message"

cli_exec $cli(fd) "\r"

cli_close $cli(fd) $cli(tty_id)

That ^Z at the end is produced by doing Control+V then Control+Z.

New Member

Run TCL script on the router by executing TCL script on access s

Thank you Joseph

Trying to implement this...

I'm not so familiar with EEM Tcl :} But I hope I can solve this somehow ...

Cisco Employee

Run TCL script on the router by executing TCL script on access s

Save this file as no_send_msg.tcl and copy it to flash.  Configure the following:

event manager directory user policy flash:

event manager policy no_send_msg.tcl

Then, from EXEC mode, run:

event manager run no_send_msg.tcl

New Member

Run TCL script on the router by executing TCL script on access s

Thank you Joseph for the information.

I got an error after using all the commands.

AccessServer#copy tftp://172.16.83.55/EEM.tcl flash:

AccessServer(config)#event manager directory user policy flash:

AccessServer(config)#event manager policy EEM.tcl

AccessServer#event manager run EEM.tcl

error reading the first prompt: Process Forced Exit

    while executing

"cli_open"

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Maybe I need to delete that base.tcl script from my Router?

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Use this script instead.

New Member

Re: Run TCL script on the router by executing TCL script on acce

With the script above I got exactly same error as without using it.

I just edited EEM.tcl file and uploaded that script to the AccessServer. Did I miss something?

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

You need to reregister the script to incorporate the changes:

no event manager policy no_send_msg.tcl

event manager policy no_send_msg.tcl

New Member

Re: Run TCL script on the router by executing TCL script on acce

Thank you Joseph, but I got the same error again (I reregistered the policy and directory). IOS thinks that this is an untrusted script?

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

The error must have changed if you have properly registered the new script.  The function "cli_open" is no longer used.  However, there was a typo related to the Control+Z.  This new script fixes that.

New Member

Re: Run TCL script on the router by executing TCL script on acce

There is an error:

AccessServer#event manager run EEM.tcl

error reading the first prompt: Process Forced Exit

    while executing

"my_cli_open"

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

As you mentioned before, not with "cli_open" but now with "my_cli_open" :/

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Hmmm, I take it your prompt is not "AccessServer".  What is your actual device prompt?  What is the full hostname of the router (i.e., what is the argument to the "hostname" command)?

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Also, do you have a banner configured?  Can you provide the output seen when you enable "debug event manager tcl cli" then trigger your policy?

New Member

Run TCL script on the router by executing TCL script on access s

Hello Joseph.

1. Really, my device name (hostname) is "AccessServer". We have a Cisco 2811 router and we are using it just for reverse telnet connections to the other devices.

Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3).

2. Yes, there is a banner too, with a login prompt, but just on the 2811 router, not on the other devices.

banner login ^C

*********************************************************

banner text

*********************************************************

^C

3. Very short info from "debug event manager tcl cli" command :

AccessServer#debug event manager tcl cli

Debug EEM Tcl CLI library debugging is on

AccessServer#event manager run EEM.tcl

*Mar 13 07:16:34.172: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.error reading the first prompt: Process Forced Exit

    while executing

"my_cli_open"

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Tcl policy execute failed: error reading the first prompt: Process Forced Exit

Cisco Employee

Run TCL script on the router by executing TCL script on access s

What is the actual banner text?

New Member

Run TCL script on the router by executing TCL script on access s

AccessServer#sh run | b banner

banner login ^C

*********************************************************

* Unauthorized access to this system is forbidden.      *

* By accessing this system, you agree that your actions *

* may be monitored if unauthorized usage is suspected.  *

*                                                       *

*********************************************************

^C

That's it

Cisco Employee

Run TCL script on the router by executing TCL script on access s

I cannot reproduce.  The policy works for me with your hostname and banner.  Can you post the entire running config from this 2800?

New Member

Re: Run TCL script on the router by executing TCL script on acce

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname AccessServer

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$OMLP$Gm8p6NqUV/L1r3ja/0KQs1

!

aaa new-model

!

!

aaa authentication login default group tacacs+

aaa authentication login nologin none

aaa authorization commands 0 default group tacacs+

aaa authorization commands 1 default group tacacs+

aaa authorization commands 15 default group tacacs+

!

!

aaa session-id common

clock timezone GMT+2 2

clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 3:00

dot11 syslog

!

!

ip cef

!

!

no ip domain lookup

ip host R1 2066 192.168.83.51

ip host R2 2067 192.168.83.51

ip host R3 2068 192.168.83.51

ip host R4 2069 192.168.83.51

ip host R5 2081 192.168.83.51

ip host R_ISP1 2077 192.168.83.51

ip host R_FR 2079 192.168.83.51

ip host ASW1 2080 192.168.83.51

ip host ASW2 2076 192.168.83.51

ip host CSW1 2070 192.168.83.51

ip host CSW2 2071 192.168.83.51

ip host SW3 2072 192.168.83.51

ip host SW4 2073 192.168.83.51

ip host ASA 2074 192.168.83.51

ip host R6 2078 192.168.83.51

multilink bundle-name authenticated

!

!

voice-card 0

no dspfarm

!

!

!

archive

log config

  logging enable

  logging size 300

  notify syslog contenttype plaintext

  hidekeys

!

!

!

!

!

!

interface Loopback0

ip address 192.168.83.51 255.255.255.224

!

interface FastEthernet0/0

ip address X.X.X.X 255.255.255.128

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

duplex auto

speed auto

!

interface Async1/0

no ip address

encapsulation slip

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 X.X.X.X

!

!

no ip http server

no ip http secure-server

!

!

menu switch title ^C

**********************************************************

               Switch Lab Terminal Server

To exit from a device, use CTRL+SHIFT+6 then press x

**********************************************************

^C

menu switch text R1 Connect to R1 - 1841

menu switch command R1 telnet R5

menu switch text R2 Connect to R2 - 1841

menu switch command R2 telnet R6

menu switch text ASW1 Connect to ASW1 - 2950

menu switch command ASW1 telnet ASW1

menu switch text ASW2 Connect to ASW2 - 2960

menu switch command ASW2 telnet ASW2

menu switch text DSW1 Connect to DSW1 - 3750

menu switch command DSW1 telnet SW3

menu switch text DSW2 Connect to DSW2 - 3750

menu switch command DSW2 telnet SW4

menu switch text CSW1 Connect to CSW1 - 3750

menu switch command CSW1 telnet CSW1

menu switch text CSW2 Connect to CSW2 - 3750

menu switch command CSW2 telnet CSW2

menu switch text c clear the session by number ie: cDSW1

menu switch text q Quit terminal server session

menu switch command q exit

menu switch command e menu-exit

menu switch command cR1 cR5

menu switch command cR2 cR6

menu switch command cASW1 cASW1

menu switch command cASW2 cASW2

menu switch command cDSW1 cSW3

menu switch command cDSW2 cSW4

menu switch command cCSW1 cCSW1

menu switch command cCSW2 cCSW2

menu switch clear-screen

menu switch line-mode

!

!

tacacs-server host xxxxxx.xxxx.xxxx.xxxx

tacacs-server key 7 xxxxxx

!

control-plane

!

!

!

!

!

!

!

!

banner login ^C

*********************************************************

* Unauthorized access to this system is forbidden.      *

* By accessing this system, you agree that your actions *

* may be monitored if unauthorized usage is suspected.  *

*                                                       *

*********************************************************

^C

alias exec cSW3 clear line 72

alias exec cSW4 clear line 73

alias exec cR1 clear line 66

alias exec cR2 clear line 67

alias exec cR3 clear line 68

alias exec cR4 clear line 69

alias exec cR5 clear line 81

alias exec q logout

alias exec c conf t

alias exec cASA clear line 79

alias exec 1 menu switch

alias exec cASW1 clear line 80

alias exec cASW2 clear line 76

alias exec cR6 clear line 78

alias exec cCSW2 clear line 71

alias exec cCSW1 clear line 70

privilege exec level 0 connect

privilege exec level 0 telnet

privilege exec level 0 menu

privilege exec level 0 resume

privilege exec level 0 clear line

privilege exec level 0 clear

!

line con 0

line aux 0

line 1/0 1/31

session-timeout 2

exec-timeout 0 20

privilege level 15

logging synchronous

login authentication nologin

no exec

transport input telnet

transport output none

stopbits 1

flowcontrol hardware

line vty 0 4

exec-timeout 30 0

logging synchronous

autocommand  menu switch

line vty 5 15

exec-timeout 30 0

logging synchronous

!

scheduler allocate 20000 1000

!

event manager directory user policy "flash:/"

event  manager directory user library "flash:/"

event manager policy EEM.tcl

!

end

event manager directory user library "flash:/"
(I removed this command from the config now, but I get the same error anyway)

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Ah, that's the problem!  It's your menu.  You need to remove the menu from at least the first VTY line.  For example, try this:

line vty 0

transport input none

no autocommand menu switch

New Member

Re: Run TCL script on the router by executing TCL script on acce

Thank you Joseph for your time!

But the problem is still the same for me. I will try this EEM TCL script on a 2511 router today, maybe the results will be different...

Can you show me exactly which commands you put in there?

array set cli [my_cli_open]

my_cli_exec $cli(fd) "enable"

cli_write $cli(fd) "send tty 11\r"

cli_read_pattern $cli(fd) "Enter message"

cli_write $cli(fd) "This is a test\r "

cli_read_pattern $cli(fd) "Send message"

my_cli_exec $cli(fd) "\r"

cli_close $cli(fd) $cli(tty_id)


Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

You have to make sure line vty 0 is free.  Once you make the config changes, clear the line to make sure it is free so EEM can occupy it.

If you are going to move the script, move the whole script.  Don't extract individual pieces of code.  Copy the whole no_send_msg.tcl script to your new router.  Note: this script requires EEM 2.1 or higher so you're looking at 12.3(14)T or higher.  I do not think you can run that on a 2511.

New Member

Re: Run TCL script on the router by executing TCL script on acce

Hello. I think there is something wrong with a script that I try to execute:

AccessServer#sh line vty 0

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int

    514  514 VTY              -    -      -    -    -     0      0    0/0      -

Line 514, Location: "", Type: ""

Length: 24 lines, Width: 80 columns

Baud rate (TX/RX) is 9600/9600

Status: No Exit Banner

Capabilities: none

Modem state: Idle

Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation

                ^^x    none   -     -       none        

Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch

               00:30:00        never                        none     not set

                            Idle Session Disconnect Warning

                              never

                            Login-sequence User Response

                             00:00:30

                            Autoselect Initial Wait

                              not set

Modem type is unknown.

Session limit is not set.

Time since activation: never

Editing is enabled.

History is enabled, history size is 20.

DNS resolution in show commands is enabled

Full user help is disabled

Allowed input transports are none.

Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.

Preferred transport is telnet.

No output characters are padded

No special data dispatching characters

AccessServer#sh line

   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int

    514  514 VTY              -    -      -    -    -     0      0    0/0      -

*   515  515 VTY              -    -      -    -    -     2      0    0/0      -

    516  516 VTY              -    -      -    -    -     0      0    0/0      -

    517  517 VTY              -    -      -    -    -     0      0    0/0      -

    518  518 VTY              -    -      -    -    -     0      0    0/0      -

AccessServer#sh users

    Line       User       Host(s)              Idle       Location

*515 vty 1     cisco      idle                 00:00:00 X>X>X>X

  Interface    User               Mode         Idle     Peer Address

AccessServer#sh run | b even

event manager directory user policy "flash:/"

event manager policy EEM.tcl

!

end

AccessServer(config)#no event manager policy EEM.tcl

AccessServer#delete flash:EEM.tcl

Delete filename [EEM.tcl]?

Delete flash:EEM.tcl? [confirm]

AccessServer#copy tftp://X>X>X>X/EEM.tcl flash:

Destination filename [EEM.tcl]?

Accessing tftp://X>X>X>X/EEM.tcl...

Loading EEM.tcl from X>X>X>X (via FastEthernet0/0): !

[OK - 4603 bytes]

AccessServer(config)#event manager policy EEM.tcl

AccessServer#event manager run EEM.tcl             

Process Forced Exit

   while executing

"continue"

    (procedure "cli_read_pattern" line 12)

    invoked from within

"cli_read_pattern $cli(fd) "Enter message""

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: Process Forced Exit

Tcl policy execute failed: Process Forced Exit

The end of your EEM TCL script (edited by me) looks like this:

array set cli [my_cli_open]

my_cli_exec $cli(fd) "enable"

cli_write $cli(fd) "send tty 70\r"

cli_read_pattern $cli(fd) "Enter message"  ( is this row ok? )

cli_write $cli(fd) "show cdp nei\r "           ( is this row ok? )

cli_read_pattern $cli(fd) "Send message"  ( is this row ok? )

my_cli_exec $cli(fd) "\r"

cli_close $cli(fd) $cli(tty_id)

(because I tried to change these rows, but the changes were unsuccessful)

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

Post the output of "debug event manager tcl cli".  After entering "send tty 70" the required prompt cannot be matched.  This could mean there is an error with the command.

New Member

Re: Run TCL script on the router by executing TCL script on acce

AccessServer#event manager run EEM.tcl

*Mar 14 17:42:22.775: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.

*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>

*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN  : AccessServer>enable

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : The command 'enable ' is not authorized for user  and client X.X.X.X

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT :

*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>

Process Forced Exit3: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN  : AccessServer>send tty 70

    while executing

"continue"

    (procedure "cli_read_pattern" line 12)

    invoked from within

"cli_read_pattern $cli(fd) "Enter message""

    invoked from within

"$slave eval $Contents"

    (procedure "eval_script" line 7)

    invoked from within

"eval_script slave $scriptname"

    invoked from within

"if {$security_level == 1} {       #untrusted script

     interp create -safe slave

     interp share {} stdin slave

     interp share {} stdout slave

..."

    (file "tmpsys:/lib/tcl/base.tcl" line 50)

Tcl policy execute failed: Process Forced Exit

Tcl policy execute failed: Process Forced Exit

_

_

Do I need to log in first?

I'm using a TACACS+ server; do I need to log in properly to the AccessServer first? I'm using "cisco/cisco" for TACACS+ authentication, and "cisco" as the enable secret.

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

EEM doesn't do authentication.  It only does authorization.  Try configuring:

event manager session cli username cisco

Then see if the policy runs.
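The two configuration problems found in this thread (an autocommand menu on the first VTY line, and AAA command authorization with no EEM session username) can be checked offline before registering a policy. This is an added example, not part of the original posts and not Cisco code; the function names and finding codes are hypothetical, the sample configs are constructed from lines quoted in the thread, and it assumes the normal `show running-config` layout where sub-commands are indented.

```python
import re

# Constructed, trimmed configs in "show running-config" layout (sub-commands
# indented by one space). BROKEN mirrors the relevant lines posted in the thread.
BROKEN = """\
aaa new-model
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+
line vty 0 4
 exec-timeout 30 0
 autocommand  menu switch
line vty 5 15
 exec-timeout 30 0
event manager policy EEM.tcl
"""

# FIXED applies the two changes suggested in the replies.
FIXED = """\
aaa new-model
aaa authorization commands 0 default group tacacs+
aaa authorization commands 15 default group tacacs+
line vty 0
 transport input none
line vty 1 4
 autocommand  menu switch
event manager session cli username cisco
event manager policy EEM.tcl
"""

# Hypothetical finding codes mapped to the symptom seen in the thread.
MESSAGES = {
    "VTY0_AUTOCOMMAND": "line vty 0 has an autocommand; cli_open fails with "
                        "'error reading the first prompt'",
    "NO_EEM_SESSION_USER": "AAA command authorization is on but no 'event manager "
                           "session cli username'; commands are 'not authorized'",
}

def vty_blocks(config):
    """Return [(first, last, [subcommands])] for each 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = (first, last, [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[2].append(" ".join(raw.split()))  # normalise spacing
        else:
            current = None  # any other top-level line closes the block
    return blocks

def audit_eem_cli(config):
    """Return finding codes for settings that stop an EEM CLI session working."""
    findings = []
    for first, last, cmds in vty_blocks(config):
        covers_vty0 = first <= 0 <= last
        if covers_vty0 and any(c.startswith("autocommand ") for c in cmds):
            findings.append("VTY0_AUTOCOMMAND")
    top = [" ".join(l.split()) for l in config.splitlines()
           if l and not l.startswith(" ")]
    cmd_authz = any(l.startswith("aaa authorization commands ") for l in top)
    eem_user = any(l.startswith("event manager session cli username ") for l in top)
    if cmd_authz and not eem_user:
        findings.append("NO_EEM_SESSION_USER")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        codes = audit_eem_cli(cfg)
        print(name, "->", codes or "no findings")
        for code in codes:
            print("   ", MESSAGES[code])
```

The username given to `event manager session cli username` is the identity the AAA server authorizes commands against, so it should be an account permitted only the commands the policy needs.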

New Member

Re: Run TCL script on the router by executing TCL script on acce

OMG! OMG! OMG! It works now! I can't thank you enough dear Joseph!

You helped me so much!!!

New Member

Re: Run TCL script on the router by executing TCL script on acce

Hello Joseph and all the community!

I don't know whether it is better to create a new discussion or ask here, because the question is related to this topic.

As you helped me to send commands via TTY lines, is it possible to send some commands via SSH?

To log in to the specific device and enter some commands automatically?

Cisco Employee

Re: Run TCL script on the router by executing TCL script on acce

This can only work on very new IOS due to bug CSCtc92280 (i.e., it will only work on 15.1(4)T and higher).
