topic Re: Cisco ASA EEM Script to enable/disable interface in Network Security

Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER — Mon, 18 Sep 2023 07:18:27 GMT

Hello,

Please find the below diagram

We have a requirement to shutdown the outside interface of our VPN when the server (192.168.255.1) is not reachable. Basically we are trying to terminate the VPN tunnels when the CORE switch goes down or the server goes down. Obviously the interface should be enabled when the server becomes reachable. I tried to use the below EEM scripts but it does not seem to work properly. Please advise.

track 1 rtr 1 reachability

sla monitor 1
type echo protocol ipIcmpEcho 192.168.255.1 interface inside
num-packets 8
sla monitor schedule 1 life forever start-time now

route inside 192.168.255.1 255.255.255.255 172.24.255.18 1 track 1

event manager applet CORE-DOWN
description Core Link Down
event syslog id 622001
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "shutdown"
action 4 cli command "wr mem"
output none
event manager applet CORE-UP
description DC1 Core UP
event syslog id 622001 occurs 2
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "no shutdown"
action 4 cli command "wr mem"
output none

Thanks

Shabeeb

Re: Cisco ASA EEM Script to enable/disable interface

balaji.bandi — Mon, 18 Sep 2023 12:12:28 GMT

If you are looking based ip sla and EEM script should trigger you should track the sla and do the action (rather event syslog id)

example :

event manager applet CORE-DOWN
description Core Link Down

event track 1 state down

----

---

check theLogs and statistics :

#show ip sla statistics

also look debug why its failing :

#debug event manager action cli

Re: Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER — Mon, 18 Sep 2023 12:57:16 GMT

Hello,

Thanks a lot for your response. But Cisco ASA does not support event track command. It supports only event syslog id command.

Re: Cisco ASA EEM Script to enable/disable interface

balaji.bandi — Mon, 18 Sep 2023 14:32:43 GMT

apolgies - so what Logs you see - can you post the logs

event syslog id 622001 - what logs you see on ASA that time if the ping loss to servers

622001

Error Message %ASA-6-622001: string tracked route network mask address , distance number , table string , on interface interface-name

Explanation A tracked route has been added to or removed from a routing table, which means that the state of the tracked object has changed from up or down.

string —Adding or Removing
network —The network address
mask —The network mask
address —The gateway address
number —The route administrative distance
string —The routing table name
interface-name —The interface name as specified by the nameif command

depends the code check what ip sla results and also check event logs :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-eem.html

Re: Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER — Wed, 20 Sep 2023 14:54:24 GMT

Hello,

Apologies for the late response. The logs shown in the firewall are as below.

%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, MV2-VPNASA# inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface

As you can see when the route is added and removed, the same syslog ID is generated. My expectation of using "event syslog ID occurs 2" in the second script is that it will run every second time the syslog ID is generated. For example when the tracker goes down I expect only "CORE-DOWN" script to run and when the tracker comes up again I expect both the scripts to run in order "CORE-DOWN" first and "CORE-UP" after that.

But what I can see is that when the tracker comes back, the last script ran is "CORE-DOWN" which basically shuts down the G0/0 interface, which is against the requirement. Please check and advise.

Re: Cisco ASA EEM Script to enable/disable interface

balaji.bandi — Wed, 20 Sep 2023 15:38:20 GMT

Sure thats defeat the purpose of the EEM Script.

on you log the removing adding happening so frequent is this testing time ?

Re: Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER — Wed, 20 Sep 2023 19:56:15 GMT

Sorry, I did not understand your question.

Re: Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER — Mon, 25 Sep 2023 21:58:33 GMT

Any other thoughts guys?