thank you, Joe. and yes, that is correct... i have tested on another device and this one other device do not have the same issue.  this one other device (asa5506) was able to put interface to down and up based on the syslog ids. So i copied the eem applet and copied to the one i'm having problem with but still no fix.

do you think, maybe mechanism that monitors the logs is lagging and or too many syslogs activity or the log monitor is overworking? 

I wouldn't think overloaded syslog on an ASA would be an issue.  But you haven't shown any proof that the syslog message in generated.  Do you see this message within the time window?

see attached.

I'm not exactly sure what I should be seeing here.  It looks like you configure the applet to look for 603108, but it never gets generated in the syslog output.

yes it didn't because the PPPoE didn't drop or disconnected.  per cisco's system log message 603108 is to PPPoE.

am more concern when the vpn tunnel goes up and sysid 602303 got generated but it didnt trigered the action 4.  per the log i uploaded, 602303 was generated but before 602304 (vpn tunnel disconnected).

event syslog id 602304, hits 68, last 602304 @ 2017/02/06 08:20:40
event syslog id 602303, hits 64, last 602303 @ 2017/02/06 03:20:07

have you seen something like this happen? and what cause it?

anyway, i've added more syslog id to trigger the action to bring the interface up. that way, the system has other syslog ids to look out for to trigger action 4 on applet event manager applet Force-InterfaceUP. so far this addition syslog id been making it work.

There do appear to be a couple of cases where the syslog is generated, but the applet commands fail.  I'm not sure why based on the output, and I haven't done enough with ASA EEM to tell you the debug commands to use.  I know on IOS, EEM is limited by the number of VTYs.  It could be similar on ASA if a number of EEM applets try to access the CLI at once.

thank you Joe,

i think i here is the problem with the applets i'm playing with, the time of appearances of each syslog id does not appear in the order it supposed to be.  here is an example (the bolded time):

event manager applet Force-InterfaceDown, hits 57, last 2017/02/22 06:33:46
  last file none
  event syslog id 602304, hits 80, last 602304 @ 2017/02/22 06:32:44
  action 1 cli command "config t", hits 57, last 2017/02/22 06:33:44
  action 2 cli command "inter giga1/2", hits 57, last 2017/02/22 06:33:44
  action 3 cli command "shutdown", hits 57, last 2017/02/22 06:33:44
  action 4 cli command "wr mem", hits 57, last 2017/02/22 06:33:44
  action 5 cli command "end", hits 4, last 2017/02/22 06:33:46
  output none
event manager applet Force-InterfaceUp, hits 73, last 2017/02/22 06:33:18
  last file none
  event syslog id 602303, hits 80, last 602303 @ 2017/02/22 06:32:16
   action 1 cli command "config t", hits 73, last 2017/02/22 06:33:16
  action 2 cli command "inter giga1/2", hits 73, last 2017/02/22 06:33:16
  action 3 cli command "no shutdown", hits 73, last 2017/02/22 06:33:16
  action 4 cli command "wr mem", hits 73, last 2017/02/22 06:33:16
  action 5 cli command "end", hits 4, last 2017/02/22 06:33:18
  output none

-------------------------------------

have you ever come across such? kindly advise please...

appreciate any guidance from your side.

herman

thanks again, Joe.  it is working now.  i had to put a watchdog timer in between the applets to allow time for next applet to execute orderly fashion.  its been a week and applets are working how i want it to be.

thanks again.

herman