EEM - SSH to ASA and issue commands?

Justin Kurynny
Level 4

Hi all.

I'm using EEM running on a 3750 running 12.2(55)SEE9 to monitor up/down status of a server. If the server goes down (icmp-echo ipsla fails), I'd like to SSH into an ASA running 9.1(5) and issue a change to the NAT configuration so that the outside global NAT points to a different (still up) server.

The issue is that when the EEM applet executes, it hangs after logging in.

If this post provides any clues, it seems to have something to do with how the ASA handles non-interactive SSH input: http://blog.ipspace.net/2008/01/telnetssh-session-cannot-be-started.html

Specifically, it seems that EEM isn't able to successfully pass a newline/carriage return with the action cli command, e.g.:

action 1.0 cli command "enable" pattern "#"

action 2.0 cli command "ssh -l admin <ASA-IP>" pattern "word:"

action 3.0 cli command "Cisco123" pattern "#"

action 4.0 cli command "enable" pattern "#"

action 5.0 cli command "no nat ... " etc.

 

In this example, I get through the password and then EEM hangs on "enable".

I've tried passing the newline character along with the command (I've tried both \012 and \x0a) and in neither case does the ASA seem to take it.

Running an EEM applet to SSH into any other IOS switch or router doesn't give me issues. It's only when I try to log into the ASA.

 

Does anyone know of a way to get SSH to work with an ASA through EEM?

 

Thanks!

Justin

Accepted Solutions

rsharmad
Level 1
ssh -l admin 192.168.59.12 "your command"

Here is my script for home cisco:

event manager applet remote

 event none

 action 1.0 cli command "ssh -l admin 192.168.59.12 "clear int dot11radio 0"" pattern "word:"

 action 1.2 cli command "superpassword" pattern "#"


rsharmad,

Thanks for posting. Your syntax made me look more closely at the reference post and I finally see how the example is passing the entire command string in as a parameter with the ssh command (after the username and host).

Unfortunately, the way you use quotes doesn't work in my version of EEM (3.2), as the CLI thinks that the second quote is a closure for the first instead of treating the two sets of quotes as inner and outer.

I was able to solve this issue by creating an environment variable for the quote mark and then using that on the ssh command, like this:

event manager environment quote "

event manager applet ASASSH

 event none

 action 1.0 cli command "ssh -l admin 192.168.1.1 $quote clear arp $quote" pattern "word:"

 action 2.0 cli command "superpassword" pattern "#"

 

This worked for me. Thanks for posting!

 

I would like to do as you did, but run more than one command on the remote device: conf t, interface xxx, shutdown.

Is it possible, or can I do just one command with your solution?

Hey Jeremy,

This is an older thread, so my recall may be inaccurate, but I believe you can pass '\n' (no quotes) into the command string to separate commands onto newlines.

Justin

Hi Justin,

Thanks for your quick reply. It's an old thread, but the problem is still true.

Do you mean like this, for example?

 action 1.0 cli command "ssh -l admin 192.168.1.1 $quote conf t \n int do0 \n shut $quote" pattern "word:"

 action 2.0 cli command "superpassword" pattern "#"

Just another question: why do you create an environment variable named quote and use $quote in the example?

I can only try this in one week. I'll report here if it works.

Thanks in advance,

Jeremy,

You'll have to play with it, but yes, along those lines.

I explained in an earlier post why I had to create a variable for quote. Look at that for an explanation.

Would like to hear how it goes. Please report back. Good luck!

Justin

So thank you very much - your workaround worked a treat!

I don't know how these cmds work when there is zero visibility into the ssh session from EEM, but they do indeed work.

Hi ya,

I'm trying to do something similar on a newer device, an ISR 4331 running EEM, SSH'ing into an ASA on an Fpr2110.

I can't seem to get the SSH command to be executed; it's like I can't get it to "hit enter".
Only \012 works, but it breaks on the ISR4331 config, so it's likely not to survive a reload.

 

Can you please post your multi cli command EEM script, for inspiration, and maybe even explain why I can't get it to hit enter on the SSH piped command at the ASA?

EEM version is 4.0, ISR4331 runs 16.9.4

I verify using "debug event manager action cli " on ISR

 

ASA runs Version 9.9(2)80, multi context

(One tip was to configure SSH key exchange in the admin context in order to even get SSH running!!)

 I tried both multi line Action EEM, and single line SSH "cli command" with same results ...

 

thanks for any input you may provide
