EEM alert based on NAT Pool utilization

XIE YAO
Level 1

Hi Expert,

I was looking for a way to generate an alert/syslog message on an ISR when the NAT pool is above a certain threshold. This does not seem possible with the default IOS commands, so I am looking at EEM.

I noticed the output below.

PSS-3925#sh ip nat statistics
Total active translations: 38 (0 static, 38 dynamic; 37 extended)
Peak translations: 49, occurred 00:10:33 ago
Outside interfaces:
  Port-channel1
Inside interfaces:
  GigabitEthernet0/0.100
Hits: 5177  Misses: 0
CEF Translated packets: 222, CEF Punted packets: 6012
Expired translations: 197
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 139 pool A refcount 38
 pool A: netmask 255.255.255.0
        start 1.1.1.1 end 1.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 2114   <============
Addr-Refcount:38
longest chain in pool: A's addr-hash: 1, average len 0,chains 1/256
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

I guess this should be achievable via the powerful EEM, by grepping the percentage and then taking some subsequent action, but I have not been successful so far.

snmp-server enable traps event-manager
event manager applet AAA
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" result
 action 4.0 if $_regexp_result gt "80"
 action 5.0  syslog msg "detected over 80%"

 

There was nothing after I ran "event manager run AAA"; any advice is warmly welcome.

Regards

Jack


Dan Frey
Cisco Employee

$_regexp_result reports true or false (1 or 0) and does not contain the result for the match.

I think this one should work.

snmp-server enable traps event-manager
event manager applet AAA
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" match result
 action 4.0 if $result gt "80"
 action 5.0  syslog msg "detected over 80% ($result %)"
 action 6.0 end

Still not working.

"debug event manager all" shows the output below.


PSS-3925#sh run | se event
snmp-server enable traps event-manager
event manager session cli username "demo"
event manager applet test
 event none sync yes
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip nat statistics | i allocated"
 action 3.0 regexp "([0-9]+%)" "$_cli_result" match result
 action 4.0 if $result gt "80"
 action 5.0  syslog msg "detected over 80% ($result %)"
 action 6.0 end

That could be because the % sign is in our regexp and we only want the number.

Try changing 3.0 to:

 action 3.0 regexp "([0-9]+)%" "$_cli_result" match result

It works perfectly, thank you so much!
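An off-box version of the same check, as an added example that is not part of the original thread: it parses "show ip nat statistics" output with the % kept outside the capture group, as in the accepted fix, and generalizes to several pools while treating a failed match as an error rather than as a healthy pool. The pool B lines, the function names and the message format are constructed for this example.

```python
import re

# Constructed sample: the pool A lines are the thread's output; pool B is invented
# here to show a router with more than one pool.
SAMPLE = """\
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 139 pool A refcount 38
 pool A: netmask 255.255.255.0
        start 1.1.1.1 end 1.1.1.1
        type generic, total addresses 1, allocated 1 (100%), misses 2114
[Id: 4] access-list 140 pool B refcount 5
 pool B: netmask 255.255.255.0
        start 192.0.2.1 end 192.0.2.20
        type generic, total addresses 20, allocated 5 (25%), misses 0
"""

POOL_RE = re.compile(r"^\s*pool (\S+): netmask")
# The % is outside the capture group, so the group holds a bare integer.
ALLOC_RE = re.compile(
    r"total addresses (\d+), allocated (\d+) \((\d+)%\), misses (\d+)")


def pool_utilization(text):
    """Map each pool name to its total, allocated, percent and misses."""
    pools, current = {}, None
    for line in text.splitlines():
        header = POOL_RE.match(line)
        if header:
            current = header.group(1)
            continue
        stats = ALLOC_RE.search(line)
        if stats and current is not None:
            keys = ("total", "allocated", "percent", "misses")
            pools[current] = dict(zip(keys, map(int, stats.groups())))
            current = None
    return pools


def alerts(text, threshold=80):
    """Return one message per pool whose utilization exceeds threshold."""
    pools = pool_utilization(text)
    if not pools:
        # A failed match must not be mistaken for a healthy pool.
        raise ValueError("no NAT pool statistics found in input")
    return [f"NAT pool {name} at {p['percent']}% "
            f"({p['allocated']}/{p['total']} addresses, {p['misses']} misses)"
            for name, p in pools.items() if p["percent"] > threshold]


if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE)))
```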
