Solved: Re: EEM doesn't work NXOS

shados · ‎08-28-2024

Hello everyone, I have the following config and it doesn't seem to work on NXOS, but it works perfectly fine on regular ios.

feature sla sender
feature sla responder
ip sla responder
ip sla 1000
ip sla schedule 1000 life forever start-time now
ip sla reaction-configuration 1000 react icpif threshold-value 6 5 threshold-type average 2 action-type trapOnly
ip sla logging traps

event manager applet monitor_icpif_1000_below
event syslog pattern "IP SLAs.1000.: Threshold exceeded for icpif"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "router bgp 65000"
action 4.0 cli command "neighbor 10.0.0.2"
action 5.0 cli command "shut"
event manager applet monitor_icpif_1000_exceeded
event syslog pattern "IP SLAs.1000.: Threshold below for icpif*"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "router bgp 65000"
action 4.0 cli command "neighbor 10.0.0.2"
action 5.0 cli command "no shut"

so the idea is to shutdown the bgp session when icpif exceeds or otherwise, I see syslog messages:

2024 Aug 28 13:06:02 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif
2024 Aug 28 13:20:07 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif
2024 Aug 28 13:30:01 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif
2024 Aug 28 13:32:57 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif
2024 Aug 28 13:36:01 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif
2024 Aug 28 13:39:07 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif
2024 Aug 28 13:42:31 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif

but I do not see any action from EEM. Again, this works totally fine on ASR1001x. What am I doing wrong? Thank you in advance.

bigevilbeard · ‎08-29-2024

Here is an example guide for how to do this on NXOS https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/101x/programmability/cisco-nexus-9000-series-nx-os-programmability-guide-release-101x/m-n9k-python-api-101x.html and another here https://community.cisco.com/t5/network-management/eem-script-to-call-python-script-for-cli-accounting-for-nx-os/td-p/3091240 and here https://github.com/heitmanr/nxos_dom-monitor which feature syslog.

I think you would need EEM to track to syslog, this would then execute your Python script via Cisco Python Package and take the actions. You would need to two here, one to bring the peer down and second to bring this up per your EEM. This is an example, way more complex than you are looking to do https://github.com/dokan/N9k-auto-bgp

Please test this, but this should be what you need as far as a to shut the peer, you

from cli import *

# Set the BGP peer IP
bgp_peer_ip = "10.0.0.2"

# Enter configuration mode
cli("configure terminal")

# Shut down the BGP peer
cli(f"router bgp 65000 ; neighbor {bgp_peer_ip} ; shut")

# Exit configuration mode
cli("end")

And i guess the eem like this?

event manager applet shut-bgp-peer
 event syslog pattern "%SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs\(1000\): Threshold exceeded for icpif"
 action 1.0 cli command "python /path/to/script.py"

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

View solution in original post

bigevilbeard · ‎08-28-2024

I think the the event syslog patterncommand requires a more specific syntax, including the severity level and the exact syslog message pattern on NXOS. Try and update the event syslog pattern commands to include the exact syslog message pattern, including the severity level (SLA_SENDER-3-IPSLATHRESHOLD) and the IP SLA instance number (1000).

Hope this helps.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

shados · ‎08-28-2024

event manager applet monitor_icpif_1000_below
event syslog pattern "SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "router bgp 65000"
action 4.0 cli command "neighbor 10.0.0.2"
action 5.0 cli command "shut"
event manager applet monitor_icpif_1000_exceeded
event syslog pattern "SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "router bgp 65000"
action 4.0 cli command "neighbor 10.0.0.2"
action 5.0 cli command "no shut"

still didn't work

bigevilbeard · ‎08-29-2024

Does adding action 0.0 debug "EEM applet triggered!" to the EEM message show anything, when you use this it will print a debug message to the console when the EEM applet is triggered and if you don't see this message, it may indicate that the EEM applet is not triggering at all.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

shados · ‎08-29-2024

this isn't valid for NXOS action 0.0 debug "EEM applet triggered!"

N9K-1(config-applet)# action 0.0 ?
cli Configure a VSH CLI action
collect Collect debugging info using a yaml file
counter Specify the name of the counter
eem Event Manager command
event-default Do default action for the event
forceshut Force the entire switch to shut down
overbudgetshut Shut down the specified LCs due to power over budget
policy-default Do default action(s) of the policy being overridden
reload Reload the system or a specific module
snmp-trap Send out an SNMP trap
syslog Generate a syslog message

bigevilbeard · ‎08-29-2024

@shados gahh.. thought this was on NX. Try syslog, `action 0.0 syslog msg "EEM applet triggered!"` then check the syslog messages to see if the applet is triggering correctly.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

shados · ‎08-29-2024

tried it, no syslog, meaning this EEM isn't even triggered. What can be wrong?

2024 Aug 29 10:32:47 N9K-1 %SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif

event manager applet monitor_icpif_1000_below
event syslog pattern "%SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold exceeded for icpif"
action 1.0 syslog msg EEM-TRIGGERED
action 2.0 cli command "enable"
action 3.0 cli command "configure terminal"
action 4.0 cli command "router bgp 65000"
action 5.0 cli command "neighbor 10.0.0.2"
action 6.0 cli command "shut"

event manager applet monitor_icpif_1000_exceeded
event syslog pattern "%SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs(1000): Threshold below for icpif"
action 1.0 syslog msg EEM-TRIGGERED
action 2.0 cli command "enable"
action 3.0 cli command "configure terminal"
action 4.0 cli command "router bgp 65000"
action 5.0 cli command "neighbor 10.0.0.2"
action 6.0 cli command "no shut"

bigevilbeard · ‎08-29-2024

I found this thread here is which is sort of the same https://community.cisco.com/t5/network-management/eem-in-n9k/td-p/4656531 - it would appear the work around here was to use a python script onbox, as right now it looks like this is setup correctly.

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

shados · ‎08-29-2024

make sense, however they do not post any examples. What would that look like? I still rely on EEM to call Python script after the syslog is generated?

bigevilbeard · ‎08-29-2024

Here is an example guide for how to do this on NXOS https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/101x/programmability/cisco-nexus-9000-series-nx-os-programmability-guide-release-101x/m-n9k-python-api-101x.html and another here https://community.cisco.com/t5/network-management/eem-script-to-call-python-script-for-cli-accounting-for-nx-os/td-p/3091240 and here https://github.com/heitmanr/nxos_dom-monitor which feature syslog.

I think you would need EEM to track to syslog, this would then execute your Python script via Cisco Python Package and take the actions. You would need to two here, one to bring the peer down and second to bring this up per your EEM. This is an example, way more complex than you are looking to do https://github.com/dokan/N9k-auto-bgp

Please test this, but this should be what you need as far as a to shut the peer, you

from cli import *

# Set the BGP peer IP
bgp_peer_ip = "10.0.0.2"

# Enter configuration mode
cli("configure terminal")

# Shut down the BGP peer
cli(f"router bgp 65000 ; neighbor {bgp_peer_ip} ; shut")

# Exit configuration mode
cli("end")

And i guess the eem like this?

event manager applet shut-bgp-peer
 event syslog pattern "%SLA_SENDER-3-IPSLATHRESHOLD: IP SLAs\(1000\): Threshold exceeded for icpif"
 action 1.0 cli command "python /path/to/script.py"

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

shados · ‎08-29-2024

Thanks! Before I read your answer I also tried configuring something similar and now it works. I appreciate your help.

bigevilbeard · ‎08-29-2024

Awesome @shados congrats!

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io