Solved: EEM to Shut and No Shut Interface

davidhuynh5 · ‎05-23-2011

I'm trying to go into fa0/0 and perform a shut/no shut, but it does not work. What am I missing. Thanks in adance.

ms-r1#sh run | b event
event manager applet sa27_bandaid
event track 1 state down
action 1.5 syslog msg "sa27-r1 locked up again"
action 2 cli command "conf t"
action 3 cli command "interface fa0/0"
action 4 cli command "shutdown"
action 5 syslog msg "shutdown sa27-r1 bandaid"
action 6 cli command "no shutdown"
action 7 syslog msg "no shutdown sa27-r1 bandaid"
action 8 cli command "end"

Joe Clarke · ‎05-24-2011

You don't need a password. Just configure:

event manager session cli username twdadmin

You should be fine.

View solution in original post

Joe Clarke · ‎05-24-2011

Sorry, I missed that you had the command configured.

The username twdadmin must not be properly authorized from the AAA system. Are you using external AAA that is not properly authorizing the twdadmin user to execute the "enable" command? What if you login as this user manually? Are you able to enter enable mode?

View solution in original post

Martin Ermel · ‎05-23-2011

I am not that familiar with EEM but at least the following command is missing:

action 1.9 cli command "enable"

also if you are using AAA command authorization you need the following line (where your-USER is a user which is allowed to run all the commands you use in the applet):
event manager session cli username your-USER

perhaps debugging eem gives you more hints (e.g. "debug event manager cli")

Joe Clarke · ‎05-23-2011

Spot-on. The applet is missing a CLI action to enable itself. Beyond that (and the point about AAA authorization), the debug output would be helpful, but the command is "debug event manager action cli".

davidhuynh5 · ‎05-23-2011

Running the "debug event manager action cli" did not yeild anything useful.

All I want to do is perform a shutdown, then a no shutdown on interface fa0/0 when an IP address is not reachable.

When I run the commands action 1.0 - 5.0 the interface fa0/0 shutdowns properly.

When I run the commands action 1.0 - 7.0, nothing happens. Thanks in advance.

event manager applet sa27_bandaid
event track 1 state down
action 1.0 cli command "enable"
action 1.5 syslog msg "sa27-r1 locked up again"
action 2.0 cli command "conf t"
action 3.0 cli command "interface fa0/0"
action 4.0 cli command "shutdown"
action 5.0 syslog msg "shutdown sa27-r1 bandaid"

action 6.0 cli command "no shutdown"
action 6.5 syslog msg "no shutdown sa27-r1 bandaid"
action 7.0 cli command "end"

Joe Clarke · ‎05-23-2011

It may be due to the fact that there is no delay between executions. What version of IOS is this?

davidhuynh5 · ‎05-23-2011

ms-r1#sh ver

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(11)T, RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Compiled Sun 19-Nov-06 01:10 by prod_rel_team

Joe Clarke · ‎05-23-2011

Try this:

event manager applet sa27_bandaid
event track 1 state down
action 1.0 cli command "enable"
action 1.5 syslog msg "sa27-r1 locked up again"
action 2.0 cli command "conf t"
action 3.0 cli command "interface fa0/0"
action 4.0 cli command "shutdown"
action 5.0 syslog msg "shutdown sa27-r1 bandaid"

action 5.1 cli command "end"

action 5.2 cli command "config t"

action 5.3 cli command "interface fa0/0"

action 6.0 cli command "no shutdown"
action 6.5 syslog msg "no shutdown sa27-r1 bandaid"
action 7.0 cli command "end"

davidhuynh5 · ‎05-23-2011

I found out why it won't run. Apparently EEM can't go into enable mode bc of TACACS. Degugging shows "authorization failure". Is there a way around this? or an action that can be performed in EEM? Thanks.

Joe Clarke · ‎05-23-2011

Martin mentioned this in his first reply. You need to configure:

event manager session cli username USER

Where USER is a username authorized to run all of the CLI commands in your EEM policies. The reason I didn't resuggest this earlier is that you said the applet worked when you just ran a few of the CLI commands (without the no shut).

davidhuynh5 · ‎05-24-2011

I’ve got an ipsla and eem applet to run some routines on a router. The script runs fine without tacacs enabled, but when tacacs is enable, the routine fails. When I run a “debug event manager action cli” here’s what I see in RED. It looks to be an authorization failure. Am i missing a line that has the password? Thanks.

hostname ms-3722d-man-r1

!

username twdadmin privilege 15 password 7 03104C0F070B2C4540

!

event manager session cli username "twdadmin"

event manager applet sa27_fix1

event track 1 state down

action 1.0 cli command "enable"

action 1.5 syslog msg "sa27-r1 t3 locked up again"

action 2.0 cli command "conf t"

action 3.0 cli command "interface s6/1/0"

action 4.0 cli command "shutdown"

action 5.0 syslog msg "shutdown sa27-r1 t3 interface"

action 5.1 cli command "end"

!

event manager applet sa27_fix2

event syslog pattern "Interface Serial6/1/0, changed state to administratively down"

action 1.0 cli command "enable"

action 1.5 cli command "config t"

action 2.0 cli command "interface s6/1/0"

action 2.5 cli command "no shutdown"

action 3.0 syslog msg "no shutdown sa27-r1 t3 interface"

action 3.5 cli command "end"

!

end

ms-3722d-man-r1#sh log

[snip]

Log Buffer (8192 bytes):

May 24 17:39:16: %TRACKING-5-STATE: 1 rtr 1 reachability Up->Down

May 24 17:39:16: %HA_EM-6-LOG: sa27_fix1 : DEBUG(cli_lib) : : CTL : cli_open called.

May 24 17:39:16: %HA_EM-6-LOG: sa27_fix1 : DEBUG(cli_lib) : : OUT : ****************************** WARNING NOTICE ***********************************