09-22-2016 03:36 PM
I'm new to EEM and have this configured on a 3925 router. The intention is to remove pbr if tracking is down and add pbr if tracking is up. When track 123 is UP, the pbr-on applet doesn't run. When track 123 is DOWN, the pbr-off applet does run, but I'm getting a command authorization failed error with the 'conf t' command. I know there are multiple errors to resolve; any assistance is greatly appreciated! Thank you...
username eemscript privilege 15 password 7 xxxxxxxx
event manager session cli username "eemscript" privilege 15
!
track 123 ip sla 1 reachability
ip sla auto discovery
ip sla 1
icmp-echo 12.87.191.173
ip sla schedule 1 life forever start-time now
!
access-list 101 permit tcp host any any eq 80
access-list 101 permit tcp host any any eq 443
access-list 101 permit tcp host any any eq 8800
!
route-map internet-offload permit 10
match ip address 101
set ip default next-hop 172.16.4.49
!
event manager applet pbr-on trap
event track 123 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface range GigabitEthernet0/0 - 1"
action 4.0 cli command "ip policy route-map internet-offload"
action 5.0 cli command "end"
!
event manager applet pbr-off trap
event track 123 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface range GigabitEthernet0/0 - 1"
action 4.0 cli command "no ip policy route-map internet-offload"
action 5.0 cli command "end"
Some displays which may assist:
usca-gwan1-rtr#sh track
Track 123
IP SLA 1 reachability
Reachability is Up
1 change, last change 02:33:42
Latest operation return code: OK
Latest RTT (millisecs) 10
Tracked by:
EEM applet pbr-on
EEM applet pbr-off
usca-gwan1-rtr#sh event manager stat policy
Average Maximum
No. Class Triggered Suppressed Run Time Run Time Name
-------------------------------------------------------------------------------
1 applet 0 0 0.000 0.000 pbr-on
event {} track
2 applet 0 0 0.000 0.000 pbr-off
event {} track
usca-gwan1-rtr#sh event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 applet user track On Wed Sep 21 19:45:25 2016 pbr-on
track 123 state up
maxrun 20.000
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface range GigabitEthernet0/0 - 1"
action 4.0 cli command "ip policy route-map internet-offload"
action 5.0 cli command "end"
2 applet user track On Wed Sep 21 19:45:38 2016 pbr-off
track 123 state down
maxrun 20.000
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "interface range GigabitEthernet0/0 - 1"
action 4.0 cli command "no ip policy route-map internet-offload"
action 5.0 cli command "end"
09-27-2016 11:49 AM
Chances are your AAA config is not using the local database, so your local user doesn't matter. You'd need to either configure "eemscript" on your AAA server or add "auth bypass" to your applet configuration line.
I see no reason that would prevent the "up" applet from running, other than that without valid authz none of the actions will work. I would check that the track is actually transitioning to an up state after fixing authz.
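The reply's diagnosis can be checked against a saved running-config before changing anything. The following is an added example, not code from either poster: it reports, per applet, whether its CLI actions will be sent to the AAA server under the EEM session username or will skip command authorization. The `aaa authorization commands` line in the sample is assumed (the thread never shows the AAA config), `authorization bypass` is the full IOS keyword for what the reply abbreviates as "auth bypass", and the function name and verdict strings are hypothetical.

```python
import re
# Constructed sample (not from the thread): the poster's applet lines plus an
# ASSUMED AAA command-authorization line; the thread never shows the AAA config.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 15 default group tacacs+
username eemscript privilege 15 password 7 xxxxxxxx
event manager session cli username "eemscript" privilege 15
event manager applet pbr-on trap
 event track 123 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
event manager applet pbr-off authorization bypass
 event track 123 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
"""

def audit_eem_authorization(config):
    """Map each EEM applet to how AAA command authorization will treat its CLI actions."""
    lines = config.splitlines()
    methods = [l.split()[5:] for l in lines if l.startswith("aaa authorization commands ")]
    server_first = any(m[:1] == ["group"] for m in methods)  # server group is tried first
    user = re.search(r'^event manager session cli username "?([^"\s]+)', config, re.M)
    applets, current = {}, None
    for line in lines:
        head = re.match(r"event manager applet (\S+)(.*)", line)
        if head:
            current = head.group(1)
            applets[current] = {"bypass": "authorization bypass" in head.group(2), "cli": 0}
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the applet block
        elif current and re.match(r"\s+action \S+ cli command ", line):
            applets[current]["cli"] += 1
    report = {}
    for name, a in applets.items():
        if a["cli"] == 0:
            report[name] = "no-cli-actions"
        elif a["bypass"]:
            report[name] = "bypasses-aaa"
        elif server_first:
            report[name] = "needs-server-account:" + (user.group(1) if user else "unset")
        else:
            report[name] = "not-sent-to-server"
    return report

if __name__ == "__main__":
    for name, verdict in audit_eem_authorization(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

An applet reported as `bypasses-aaa` runs its commands with no per-command authorization, so restrict who can create or edit applets on the device.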