
do basic remote troubleshooting of C891F router using CEEM

j.loduca
Level 1

Hello

I am trying to get an edge remote router to do basic troubleshooting that gets triggered off Cisco Embedded Event Manager. I composed a script to do some show commands, traceroutes etc. and stuff all results into flash. Whenever the WAN is restored, I can pull the flash and maybe begin to see what broke. I can run the Tcl script and it works fine. Just trying to get Cisco Embedded Event Manager to run it. CEEM gets successfully triggered but I believe I have an AAA issue with authorizing my Tcl script but am not clear on what to do about it. I ran some debugs below. What am I doing wrong?

flash:c800-universalk9-mz.SPA.154-3.M3.bin"
!
no event manager applet test
event manager applet WANDIAG
 event syslog pattern "changed state to down"
 action 1.1 cli command "enable"
 action 1.2 cli command "tclsh WANTEST"
!


flash file called WANTEST:

set DIAGDATA [open DIAGDATA w]
        set mybuffer [exec "show clock"]
        puts $DIAGDATA $mybuffer
        ios_config "interface FastEthernet0" "no ip access-group Allowed-Nets in"
        set mybuffer [exec "show ip interface brief"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "ping 188.240.254.140"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "show interface FastEthernet0"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "show ip route"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "trace ip 188.240.254.140 timeout 2"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "show crypto session detail"]
        puts $DIAGDATA $mybuffer
        set mybuffer [exec "show crypto ipsec sa"]
        puts $DIAGDATA $mybuffer
        ios_config "interface FastEthernet0" "ip access-group Allowed-Nets in"
close $DIAGDATA

Jan 26 14:25:21.875: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to down
Jan 26 14:25:21.875: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : CTL : cli_open called.
Jan 26 14:25:21.879: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : OUT : DNRSPORTAUST1762WATERS-V>
Jan 26 14:25:21.879: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : IN  : DNRSPORTAUST1762WATERS-V>enable
Jan 26 14:25:21.891: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : OUT : DNRSPORTAUST1762WATERS-V#
Jan 26 14:25:21.891: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : IN  : DNRSPORTAUST1762WATERS-V#tclsh WANTEST
Jan 26 14:25:22.203: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : OUT : Authorization request DENIED. You are NOT authorized to execute this command
Jan 26 14:25:22.203: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : OUT :
Jan 26 14:25:22.203: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : OUT : DNRSPORTAUST1762WATERS-V#
Jan 26 14:25:22.203: %HA_EM-6-LOG: WANDIAG : DEBUG(cli_lib) : : CTL : cli_close called.
Jan 26 14:25:22.207:
Jan 26 14:25:22.207: tty is now going through its death sequence


aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

1 Reply

Joe Clarke
Cisco Employee

You need to configure "event manager session cli user USERNAME" where USERNAME is an AAA user authorized to run all of the CLI commands.

Note: I never recommend combining EEM and Tcl like this.  You should rewrite your tclsh script as an EEM Tcl policy.
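
An added example, not part of the reply above or of Cisco's own code: one way the WANTEST diagnostics could look as an EEM Tcl policy, so that every command runs through the EEM CLI library as the user named in "event manager session cli user". The file name wandiag.tcl, the flash:DIAGDATA output path and the maxrun value are assumptions, and the ACL removal and restore from the original script are left out so the policy only runs read-only commands.

```tcl
::cisco::eem::event_register_syslog pattern "changed state to down" maxrun 120

# Registration on the router (wandiag.tcl is a hypothetical file name):
#   event manager session cli user USERNAME
#   event manager directory user policy "flash:/"
#   event manager policy wandiag.tcl
# USERNAME must be authorized by AAA for every command listed below,
# because "aaa authorization commands 15" is applied to each one.

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Diagnostics taken from the original WANTEST script.
set commands {
    "show clock"
    "show ip interface brief"
    "ping 188.240.254.140"
    "show interface FastEthernet0"
    "show ip route"
    "trace ip 188.240.254.140 timeout 2"
    "show crypto session detail"
    "show crypto ipsec sa"
}

# Open the EEM CLI session; fail the policy if no VTY is available.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result

if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}

# Output path is an assumption; the original wrote to a file named DIAGDATA.
set out [open "flash:DIAGDATA" w]
foreach cmd $commands {
    puts $out "### $cmd"
    # Record a failure (for example an AAA denial) and keep going,
    # so one rejected command does not lose the rest of the capture.
    if {[catch {cli_exec $cli(fd) $cmd} result]} {
        puts $out "ERROR: $result"
    } else {
        puts $out $result
    }
}
close $out

# Always release the VTY line used by the policy.
catch {cli_close $cli(fd) $cli(tty_id)}
```

An "Authorization request DENIED" message like the one in the debug output would appear in DIAGDATA under the command that triggered it, which shows which command the AAA user still lacks.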