New Member

TCL Scripting to change the command 'clear crypto session'

Hi everyone,

I've been asked to create a TCL script to block the command 'clear crypto session' if the user didn't add the 'remote xx.xx.xx.xx', to prevent someone from clearing all the sessions by mistake.

And to be quite frank, I do not really know where to begin. I tried to find TCL scripts similar to that, but I did not find any. And I've never used TCL before...

Thanks

Cisco Employee

Re: TCL Scripting to change the command 'clear crypto session'

You don't necessarily need Tcl for this.  An applet like this would work:

event manager applet no-clear-crypto
 event cli pattern "^clear crypto session\s*$" sync yes
 action 1.0 puts "The 'clear crypto session' cannot be run without an argument."
 action 2.0 exit 0

This applet requires EEM 3.0, but a similar one could be made for earlier versions.
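
The applet's pattern checked against constructed command lines, as an added example that is not part of the original post. `strict_blocks` is a hypothetical rule modelling the original request (require `remote <address>`), Python's `re` stands in for the IOS regex engine, and the sample commands use documentation addresses.

```python
import re

# Pattern copied from the applet in the post above.
APPLET_PATTERN = re.compile(r"^clear crypto session\s*$")

# Hypothetical stricter rule (an assumption, not from the thread): any
# 'clear crypto session' that lacks 'remote <IPv4 address>' is refused.
CLEAR_CMD = re.compile(r"^clear crypto session\b")
REMOTE_ARG = re.compile(r"\bremote\s+\d{1,3}(?:\.\d{1,3}){3}(?=\s|$)")

def applet_blocks(cmd):
    """True if the applet's 'event cli pattern' would intercept cmd."""
    return bool(APPLET_PATTERN.search(cmd))

def strict_blocks(cmd):
    """True if cmd is a session clear without a 'remote <address>' argument."""
    return bool(CLEAR_CMD.search(cmd)) and not REMOTE_ARG.search(cmd)

def coverage_gaps(samples):
    """Commands the stricter rule would refuse but the applet lets through."""
    return [c for c in samples if strict_blocks(c) and not applet_blocks(c)]

# Constructed sample command lines (RFC 5737 documentation addresses).
SAMPLES = [
    "clear crypto session",
    "clear crypto session   ",
    "clear crypto session remote 192.0.2.10",
    "clear crypto session local 198.51.100.1",
    "clear crypto session local 198.51.100.1 remote 192.0.2.10",
    "clear crypto sa",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:62} applet={applet_blocks(cmd)!s:5} strict={strict_blocks(cmd)}")
    print("gaps:", coverage_gaps(SAMPLES))
```

The applet stops only the bare command; a form that carries some other argument but no `remote` peer is not intercepted by its pattern.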

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Thanks for the quick answer,

I will test this today, if I can, and let you know if it worked!

Thanks again!

New Member

Re: TCL Scripting to change the command 'clear crypto session'

It's not working... I upgraded the IOS to have 12.4 and not 12.3, but it doesn't take the commands 'action xxx puts' and 'action xxx exit'. Right now I have IOS Version 12.4(15)T13.

Blue

Re: TCL Scripting to change the command 'clear crypto session'

You'll need to upgrade to 12.4(22)T or higher:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1070259

"EEM 3.0 is supported in Cisco IOS Release 12.4(22)T, 12.2(33)SRE, and later releases."

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Yeah... That's what I found.

Thanks, I will try 124-25c.

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Still not working... And I have the latest IOS: System image file is "flash:c2600-adventerprisek9-mz.124-25c.bin", but it seems this is not supported on the 2651XM...

(config-applet)#action 100 ?
  cli               Execute a CLI command
  cns-event         Send a CNS event
  counter           Modify a counter value
  force-switchover  Force a software switchover
  info              Obtain system specific information
  mail              Send an e-mail
  policy            Run a pre-registered policy
  publish-event     Publish an application specific event
  reload            Reload system
  snmp-trap         Send an SNMP trap
  syslog            Log a syslog message

Cisco Employee

Re: TCL Scripting to change the command 'clear crypto session'

In order to get EEM 3.0 support, you need 12.4(22)T (the 'T' is important).  You still have mainline, so you only have EEM 2.1.  If you need to run mainline, that's not a problem, I can cook you up a Tcl script to do what you need.  If you're okay with another upgrade, move to 12.4(22)T or 15.0, and the applet will work for you.

New Member

Re: TCL Scripting to change the command 'clear crypto session'

That's where I have a problem... I don't find IOS 12.4(22)T for the 2651XM...

Cisco Employee

Re: TCL Scripting to change the command 'clear crypto session'

Ah, a 2651.  That platform can only run up to 12.4(15)T which only gives you EEM 2.3.  There are improvements there, but not enough functionality for the applet policy.  I'll convert the policy to Tcl, and upload the file.

Cisco Employee

Re: TCL Scripting to change the command 'clear crypto session'

Here you go.  Copy this file to a directory on the device's local flash (e.g. flash:/policies), then do:

Router(config)#event manager directory user policy flash:/policies

Router(config)#event manager policy cl_no_clear_crypto.tcl

Then test away.

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Hi Joe!

I did it, and it seems to work! I will do one final test, maybe this afternoon, and be back to give feedback!

Thanks again for your help!!

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Perfect!!

Thank you very much!!

Do you have some web page to give me so I can learn to do this kind of script?

Thanks again!!

Cisco Employee

Re: TCL Scripting to change the command 'clear crypto session'

There is the main documentation page at http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps10592_TSD_Products_Configuration_Guide_Chapter.html .  Then there is the CiscoBeyond site which offers a nice repository of Cisco and user-contributed scripts at http://www.cisco.com/go/ciscobeyond .  There is also a partner, Progrizon, which offers a free policy building tool to help get you started with applet and Tcl scripting.

New Member

Re: TCL Scripting to change the command 'clear crypto session'

Thanks a lot!
