scott_frederick
Beginner

EEM CLI command not running

Hi guys,

I have an issue with an EEM applet that I have configured. Part of the applet is to run a kron occurrence. I know the applet is executing by viewing event manager history, but when I then run show kron schedule, the kron job is not set to run.

If I manually input the same CLI commands, the schedule starts without issue.

The config for the applet is below:

event manager applet RESTORED

!

event track 100 state up

!

action 1.0 cli command "enable"

!

action 1.1 cli command "conf t"

!

action 1.2 cli command "kron occurrence MONITOR in 0:10"

!

action 1.3 cli command "policy-list MONITOR"

!

action 1.4 syslog msg "ATTENTION:THE CCT HAS RESTORED"

!

exit

Any help with this would be greatly appreciated.

Thanks

Scott

1 ACCEPTED SOLUTION

Accepted Solutions
Joe Clarke
Hall of Fame Cisco Employee

Don't change your policy at all.  Instead, add "event manager session cli username USER" where USER is a username authorized to run all of the CLI commands in the policy.

scott_frederick
Beginner

I have debugged event manager action cli, and discovered that the reason the CLI commands are not taking is that aaa (tacacs) is applied to this router, so when the system attempts to enter commands, command authorisation is failing.

*Jul 15 15:14:26.245: %TRACKING-5-STATE: 100 interface Lo100 ip routing Up->Down

*Jul 15 15:14:26.261: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : CTL : cli_open called.

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : CC

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : This is a test router for SNMP traps

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR>

*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR>enable

*Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#

*Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#conf t

*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : Command authorization failed.

*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#

*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#no kron occurrence MONITOR in 0:03

*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :                      ^

*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.

*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :

*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#

Does anyone out there know if it's possible for EEM to authenticate against aaa?

I did try adding a "login" command after action 1.0 cli command "enable", but this failed authorisation also.

Thanks

Scott

Joseph,

thank you very much. That works a treat!
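
An added example, not part of the original thread or Cisco's code: a small Python parser for the "debug event manager action cli" output posted above that reports, for each command the applet sent, the CLI mode it was typed in and whether the router accepted it. The regular expressions, field names and status labels are assumptions fitted to the log format shown in the thread; the sample lines are copied from that output.

```python
import re

# cli_lib debug lines as shown in the thread: applet name, direction (IN/OUT/CTL), text.
LINE = re.compile(r"%HA_EM-6-LOG: (\S+)\s*: DEBUG\(cli_lib\) : : (IN|OUT|CTL)\s*: ?(.*)$")
PROMPT = re.compile(r"^(\S+?[>#])(.*)$")  # device prompt, then the command typed at it

# Sample input: lines copied from the debug output posted in the thread.
SAMPLE = """\
*Jul 15 15:14:26.269: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR>enable
*Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#
*Jul 15 15:14:26.281: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#conf t
*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : Command authorization failed.
*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : WAKE-ANT-TEST-RTR#
*Jul 15 15:14:26.497: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : IN  : WAKE-ANT-TEST-RTR#no kron occurrence MONITOR in 0:03
*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT :                      ^
*Jul 15 15:14:26.513: %HA_EM-6-LOG: DWNBT : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
"""


def mode_of(prompt):
    """Classify the CLI mode from the prompt the command was typed at."""
    if "(config" in prompt:
        return "config"
    return "privileged" if prompt.endswith("#") else "user"


def audit(log_text):
    """Return one record per command the applet sent, with mode and outcome."""
    records = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a cli_lib debug line (e.g. %TRACKING messages)
        applet, direction, text = m.groups()
        p = PROMPT.match(text) if direction == "IN" else None
        if p:
            records.append({"applet": applet, "command": p.group(2).strip(),
                            "mode": mode_of(p.group(1)), "status": "ok"})
        elif direction == "OUT" and records:
            # Router output belongs to the most recent command sent.
            if "Command authorization failed" in text:
                records[-1]["status"] = "authorization-failed"
            elif "% Invalid input" in text:
                records[-1]["status"] = "invalid-input"
    return records


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f'{r["applet"]}: [{r["mode"]}] {r["command"]!r} -> {r["status"]}')
```

On the sample, "conf t" is reported as authorization-failed and the kron command that follows is shown as typed in privileged mode rather than config mode, which is why it ends in invalid-input.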