EEM alert based on NAT Pool utilization

XIE YAO
Level 1

Hi Expert,

I was looking for a way to generate an alert/syslog on an ISR when the NAT pool is above a certain threshold. This does not seem possible via default IOS commands, so I am looking at EEM.

I noticed the output below.

 

PSS-3925#sh ip nat statistics
Total active translations: 38 (0 static, 38 dynamic; 37 extended)
Peak translations: 49, occurred 00:10:33 ago
Outside interfaces:
  Port-channel1
Inside interfaces:
  GigabitEthernet0/0.100
Hits: 5177  Misses: 0
CEF Translated packets: 222, CEF Punted packets: 6012
Expired translations: 197
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 139 pool A refcount 38
 pool A: netmask 255.255.255.0
        start 1.1.1.1 end 1.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 2114   <============
Addr-Refcount:38
longest chain in pool: A's addr-hash: 1, average len 0,chains 1/256
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

 

I guess this should be achievable via the powerful EEM, to grep the percentage and then take some subsequent action, but I have not been successful so far.

 

snmp-server enable traps event-manager
event manager applet AAA
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" result
 action 4.0 if $_regexp_result gt "80"
 action 5.0  syslog msg "detected over 80%"

 

There was nothing after I ran "event manager run AAA". Any advice is warmly welcome.

 

Regards

Jack


Dan Frey
Cisco Employee

$_regexp_result reports true or false (1 or 0) and does not contain the result for the match.

  I think this one should work.

 

snmp-server enable traps event-manager
event manager applet AAA
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" match result
 action 4.0 if $result gt "80"
 action 5.0  syslog msg "detected over 80% ($result %)"
 action 6.0 end

Still not working.

debug event manager all is showing the output below.

.Apr 21 09:30:00.004 SGT: fh_fd_timer_process_async
.Apr 21 09:30:00.004 SGT: cron_tick: num_matches 0
.Apr 21 09:30:01.124 SGT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
.Apr 21 09:30:01.124 SGT: check_eem_cli_policy_handler: command_string=event manager run test
.Apr 21 09:30:01.124 SGT: check_eem_cli_policy_handler: num_matches = 0, response_code = 1
.Apr 21 09:30:01.124 SGT: fh_fd_none_event_match: parameters = , sync = 1, get_tty = 1, tty_buf = 646
.Apr 21 09:30:01.124 SGT: none_conn_tm_alloc: ptp=0x13C313CC
.Apr 21 09:30:01.124 SGT: fh_fd_none_event_match: publish_timer=0x1460A378, ptp=0x13C313CC, max_delay=30000
.Apr 21 09:30:01.124 SGT: none_conn_tm_add: re=0x13C2FECC, ptp=0x13C313CC
.Apr 21 09:30:01.124 SGT: fh_fd_none_event_match: re = 0x13C2FECC, num_matches = 1
.Apr 21 09:30:01.124 SGT: fh_send_server_sig_hndlr: received a pulse from none on node0/0 with fdid: 13
.Apr 21 09:30:01.124 SGT: fh_send_none_fd_msg: msg_type=64
.Apr 21 09:30:01.124 SGT: fh_send_none_fd_msg: sval=0
.Apr 21 09:30:01.124 SGT: fh_send_server_sig_hndlr: received FH_MSG_EVENT_PUBLISH_SYNC
.Apr 21 09:30:01.124 SGT: EEM: server processes multi events: timewin=1, sync_flag=1, ec_index=0, cmp_occ=1
.Apr 21 09:30:01.124 SGT: EEM: ctx=9:(11,1,1)
.Apr 21 09:30:01.124 SGT: EEM: server processes multi events: corr_res=1, cur_tcnt=1, cmp_tcnt=1
.Apr 21 09:30:01.124 SGT: fh_schedule_callback: fh_schedule_callback: cc=250A4B4 prev_epc=0; epc=1B05B030
.Apr 21 09:30:01.124 SGT: EEM server schedules callbacks: policy_type: 2
.Apr 21 09:30:01.124 SGT: EEM server schedules one event: policy_type=applet epc=1B05B030.
.Apr 21 09:30:01.124 SGT: fh_schedule_a_callback: EEM callback policy test has been scheduled to run. fdid: 13 sn: 12 jobid: 214
.Apr 21 09:30:01.124 SGT: fh_io_msg: received FH_MSG_API_INIT; jobid=227, processid=330, client=217, job name=EEM Callback Thread
.Apr 21 09:30:01.124 SGT: fh_server: fh_io_msg: received msg FH_MSG_EVENT_REQINFO_MULTI from client 217 pclient 2
.Apr 21 09:30:01.124 SGT: fh_server: fh_io_msg: received msg FH_MSG_EVENT_TTYINFO from client 217 pclient 2
.Apr 21 09:30:01.124 SGT: Registering tag: <fh_var> id: 1
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_publish_event_spec> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_publish_event_spec>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_publish_common> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_publish_common>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_event_type> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_event_type>
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(pdir) Value=(_event_type)
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(tcl) Value=(event_type)
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_var> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_var> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_event_type> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_event_type>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_event_spec_id> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_event_spec_id>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_event_spec_id> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_event_spec_id>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_event_name> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_event_name>
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(pdir) Value=(_event_type_string)
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(tcl) Value=(event_type_string)
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_var> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_var> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_event_name> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_event_name>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_event_severity> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_event_severity>
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(pdir) Value=(_event_severity)
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(tcl) Value=(event_severity)
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_var> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_var> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_event_severity> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_event_severity>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_event_sn> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_event_sn>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_event_sn> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_event_sn>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_publish_common> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_publish_common>
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_fd_publish_none_spec> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_fd_publish_none_spec>
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(pdir) Value=(_none_argc)
.Apr 21 09:30:01.124 SGT: Name-Value Pair: Name=(tcl) Value=(argc)
.Apr 21 09:30:01.124 SGT: Pushing tag <fh_var> on to stack
.Apr 21 09:30:01.124 SGT: open tag is <fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_var> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_var>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_fd_publish_none_spec> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_fd_publish_none_spec>
.Apr 21 09:30:01.124 SGT: Popping tag <fh_publish_event_spec> off stack
.Apr 21 09:30:01.124 SGT: close tag is </fh_publish_event_spec>
.Apr 21 09:30:01.124 SGT: EEM: policy_dir xml builtin: name:_event_type value:131
.Apr 21 09:30:01.124 SGT: EEM: policy_dir xml builtin: name:_event_type_string value:none
.Apr 21 09:30:01.124 SGT: EEM: policy_dir xml builtin: name:_event_severity value:severity-normal
.Apr 21 09:30:01.124 SGT: EEM: policy_dir xml builtin: name:_none_argc value:0
.Apr 21 09:30:01.128 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_open called.
.Apr 21 09:30:01.128 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : PSS-3925>
.Apr 21 09:30:01.128 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : PSS-3925>enable
.Apr 21 09:30:01.128 SGT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
.Apr 21 09:30:01.128 SGT: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
.Apr 21 09:30:01.140 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : PSS-3925#
.Apr 21 09:30:01.140 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : PSS-3925#show ip nat statistics | i allocated
.Apr 21 09:30:01.140 SGT: cli_history_entry_add: free_hist_list size=0, hist_list size=7
.Apr 21 09:30:01.140 SGT: eem_no_scan flag set, skipping scan of command_string=check_eem_cli_policy_handler
.Apr 21 09:30:01.152 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :         type generic, total addresses 1, allocated 1 (100%), misses 21348
.Apr 21 09:30:01.152 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : PSS-3925#
.Apr 21 09:30:01.152 SGT: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : CTL : cli_close called.
.Apr 21 09:30:01.152 SGT: fh_server: fh_io_msg: received msg FH_MSG_CALLBACK_DONE from client 217 pclient 2
.Apr 21 09:30:01.152 SGT: fh_io_msg: EEM callback policy test has ended with normal exit status of 0x0
.Apr 21 09:30:01.152 SGT: EEM fms_remote_chkpt_add_event_hist(), data_len = 2980, buf_size = 2992
.Apr 21 09:30:01.152 SGT: fh_send_none_fd_msg: msg_type=18
.Apr 21 09:30:01.152 SGT: fh_fd_none_publish_done: rc=0, re=13C2FECC
.Apr 21 09:30:01.152 SGT: fh_fd_none_publish_done: rc=0, publish_expired=0
.Apr 21 09:30:01.152 SGT:   sid=11, ptp=0x13C313CC, connp=0x1AC723A0
.Apr 21 09:30:01.152 SGT: none_conn_tm_remove: re=0x13C2FECC, ptp=0x13C313CC
.Apr 21 09:30:01.152 SGT: fh_fd_none_conn_tm_free: ptp=0x13C313CC
.Apr 21 09:30:01.152 SGT: fh_send_none_fd_msg: sval=0
.Apr 21 09:30:01.152 SGT: EEM: server decrements in use thread: jobid=214 rule id=3 in use thread=0.
.Apr 21 09:30:01.152 SGT: fh_schedule_callback: fh_schedule_callback: cc=250A4B4 prev_epc=1B05B030; epc=0
.Apr 21 09:30:01.152 SGT: EEM server schedules callbacks: policy_type: 2
.Apr 21 09:30:01.152 SGT: fh_schedule_policy: prev_epc=0x0; epc=0x0
.Apr 21 09:30:01.152 SGT: EEM server schedules scripts
.Apr 21 09:30:01.152 SGT: fh_server: fh_io_msg: received msg FH_MSG_API_CLOSE from client 217 pclient 2
.Apr 21 09:30:01.152 SGT: fh_io_msg: received FH_MSG_API_CLOSE client=217
.Apr 21 09:30:01.152 SGT: tty is now going through its death sequence
.Apr 21 09:30:01.152 SGT: fh_fd_match_event: re=0x13C2FECC, policyname=test, parameters=, get_tty=1

 

PSS-3925#sh run | se event
snmp-server enable traps event-manager
event manager session cli username "demo"
event manager applet test
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" match result
 action 4.0 if $result gt "80"
 action 5.0  syslog msg "detected over 80% ($result %)"
 action 6.0 end

 

 

 

That could be caused by the % sign being in our regexp; we only want the number.

Try changing 3.0 to:

 action 3.0 regexp "([0-9]+)%" "$_cli_result" match result

It works perfectly, thank you so much!
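
An added example (not from the thread or from Cisco): an off-box Python check that parses the same "show ip nat statistics" text per pool, and shows what each of the two capture groups discussed above hands back. The sample output is constructed from the post, with a second pool B and 192.0.2.x addresses added as assumptions; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the output in the thread; pool B is added
# for illustration and is not from the original post.
SAMPLE = """\
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 139 pool A refcount 38
 pool A: netmask 255.255.255.0
        start 1.1.1.1 end 1.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 2114
[Id: 4] access-list 140 pool B refcount 3
 pool B: netmask 255.255.255.0
        start 192.0.2.1 end 192.0.2.10
        type generic, total addresses 10, allocated 3 (30%), misses 0
"""

POOL_RE = re.compile(r"^\s*pool (\S+): netmask")
ALLOC_RE = re.compile(r"total addresses (\d+), allocated (\d+) \((\d+)%\)")


def pool_utilization(text):
    """Return {pool_name: (total, allocated, percent)} from the CLI text."""
    pools, current = {}, None
    for line in text.splitlines():
        m = POOL_RE.match(line)
        if m:
            current = m.group(1)      # remember which pool the next stats belong to
            continue
        m = ALLOC_RE.search(line)
        if m and current is not None:
            pools[current] = tuple(int(g) for g in m.groups())
            current = None
    return pools


def over_threshold(text, threshold=80):
    """Names of pools whose allocated percentage is above the threshold."""
    stats = pool_utilization(text)
    return sorted(name for name, (_, _, pct) in stats.items() if pct > threshold)


def capture(pattern, line):
    """First capture group of pattern on line, i.e. what lands in 'result'."""
    m = re.search(pattern, line)
    return m.group(1) if m else None
```

With the "%" inside the parentheses the captured text is "100%", which is not a plain number; with it outside, the capture is "100" and can be compared against 80.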
