Hello Community,
I would like to understand if it's possible to perform more than just a route table change when the CSR detects BFD peer down events.
I am in the process of replacing an old VPN capability for a number of customers from Vyatta to CSRs on AWS. The older VPN topology involves a single elastic IP as the peer address, which is reallocated to the standby Vyatta in a different AZ when an AWS-side failure is detected via Nagios. The topology can't change due to the cost involved with 3rd-party changes (most are outsourced managed services).
With the CSR being able to make AWS route table changes directly from the non-impacted CSR instance, this gets me 50% of the way there. The remaining 50% is the EIP reallocation.
After reviewing the HA docs (https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/aws/b_csraws.pdf): EEM is used to trigger AWS API changes via HTTPS request(s), as long as the EC2 instance has the required role to do so. I would like to understand this a little more and explore the possibility of including EIP reallocation during the same failover event.
I started by looking at a custom Tcl script which triggers an HTTPS request with query parameters, but the tls.tcl library is not included in tmpsys:/lib/tcl and there does not appear to be a library that supports HTTPS included. Alternative suggestions welcome :)
So I'm a bit stumped as to how the CSR can make an HTTPS request against the AWS API. The documentation also states the following action is executed:
action 1.0 publish-event sub-system 55 type 55 arg1 $RTB arg2 $CIDR arg3 $ENI arg4 $REGION
What is "publish-event sub-system 55 type 55"? Can I create another sub-system which triggers an AWS API request using HTTPS?
Any assistance is greatly appreciated.
Scott
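
The two failover steps described in the post (EIP move plus route change), as an added example that is not part of the original post and is not Cisco's HA mechanism. It assumes the logic runs outside the CSR on a host whose instance role allows only the four EC2 actions listed; `fail_over`, `FakeEC2` and all IDs are hypothetical, and the fake client is a constructed stand-in so the block runs offline.

```python
# IAM actions the calling role needs for this failover, and nothing broader.
REQUIRED_ACTIONS = ["ec2:DescribeAddresses", "ec2:AssociateAddress",
                    "ec2:DescribeRouteTables", "ec2:ReplaceRoute"]

def fail_over(ec2, allocation_id, standby_eni, route_table_id, cidr):
    """Move the peer EIP and the VPC route to standby_eni; return the changes made.

    ec2 is a boto3 EC2 client, e.g. boto3.client("ec2", region_name=...),
    or any object exposing the same four methods.
    """
    changes = []
    # EIP: skip the write if the address already sits on the standby ENI, so a
    # repeated trigger (flapping BFD, duplicate alert) leaves no extra API writes.
    addr = ec2.describe_addresses(AllocationIds=[allocation_id])["Addresses"][0]
    if addr.get("NetworkInterfaceId") != standby_eni:
        # AllowReassociation explicitly permits taking an address that is
        # still associated with the failed router's interface.
        ec2.associate_address(AllocationId=allocation_id,
                              NetworkInterfaceId=standby_eni,
                              AllowReassociation=True)
        changes.append("eip")
    # Route: only replace an existing route; never create one that was not there.
    table = ec2.describe_route_tables(RouteTableIds=[route_table_id])["RouteTables"][0]
    route = next((r for r in table["Routes"]
                  if r.get("DestinationCidrBlock") == cidr), None)
    if route is None:
        raise LookupError(f"{cidr} not found in {route_table_id}")
    if route.get("NetworkInterfaceId") != standby_eni:
        ec2.replace_route(RouteTableId=route_table_id, DestinationCidrBlock=cidr,
                          NetworkInterfaceId=standby_eni)
        changes.append("route")
    return changes

class FakeEC2:
    """Constructed in-memory stand-in for the boto3 client (offline demo only)."""
    def __init__(self, eip_eni, route_eni, cidr):
        self.eip_eni, self.route_eni, self.cidr = eip_eni, route_eni, cidr
    def describe_addresses(self, AllocationIds):
        return {"Addresses": [{"AllocationId": AllocationIds[0],
                               "NetworkInterfaceId": self.eip_eni}]}
    def associate_address(self, AllocationId, NetworkInterfaceId, AllowReassociation):
        self.eip_eni = NetworkInterfaceId
    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"Routes": [{"DestinationCidrBlock": self.cidr,
                                             "NetworkInterfaceId": self.route_eni}]}]}
    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        self.route_eni = NetworkInterfaceId

if __name__ == "__main__":
    fake = FakeEC2("eni-active", "eni-active", "10.0.0.0/16")  # constructed values
    print(fail_over(fake, "eipalloc-EXAMPLE", "eni-standby", "rtb-EXAMPLE", "10.0.0.0/16"))
```

Scoping the role's policy to the specific route table and address resources, where the action supports resource-level permissions, limits what a compromised trigger host can redirect.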