02-27-2012 11:01 PM
Hello !
There is an Access Server and other devices connected to it via reverse telnet (console cables from access server).
I want to execute TCL command on the Access Server that would run TCL script on the router.
I think the way to achieve this is a TCL script with a send command from the Access Server. The problem is to put that "send" command in the TCL script, because we need to press Ctrl+z at the end (when we want to execute that send command).
Is this possible?
03-13-2012 12:12 AM
Hello Joseph.
1. Really my device name (hostname) is "AccessServer". We have a Cisco 2811 router and we are using it just for reverse telnet connections to the other devices.
Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3).
2. Yes, there is a banner too with a login prompt, but just on the 2811 router, not on the other devices.
banner login ^C
*********************************************************
banner text
*********************************************************
^C
3. Very short info from the "debug event manager tcl cli" command:
AccessServer#debug event manager tcl cli
Debug EEM Tcl CLI library debugging is on
AccessServer#event manager run EEM.tcl
*Mar 13 07:16:34.172: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.error reading the first prompt: Process Forced Exit
while executing
"my_cli_open"
invoked from within
"$slave eval $Contents"
(procedure "eval_script" line 7)
invoked from within
"eval_script slave $scriptname"
invoked from within
"if {$security_level == 1} { #untrusted script
interp create -safe slave
interp share {} stdin slave
interp share {} stdout slave
..."
(file "tmpsys:/lib/tcl/base.tcl" line 50)
Tcl policy execute failed: error reading the first prompt: Process Forced Exit
Tcl policy execute failed: error reading the first prompt: Process Forced Exit
03-13-2012 12:35 AM
What is the actual banner text?
03-13-2012 12:44 AM
AccessServer#sh run | b banner
banner login ^C
*********************************************************
* Unauthorized access to this system is forbidden. *
* By accessing this system, you agree that your actions *
* may be monitored if unauthorized usage is suspected. *
* *
*********************************************************
^C
That's it
03-13-2012 01:01 AM
I cannot reproduce. The policy works for me with your hostname and banner. Can you post the entire running config from this 2800?
03-13-2012 01:09 AM
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AccessServer
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$OMLP$Gm8p6NqUV/L1r3ja/0KQs1
!
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login nologin none
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
!
aaa session-id common
clock timezone GMT+2 2
clock summer-time GMT+2 recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip host R1 2066 192.168.83.51
ip host R2 2067 192.168.83.51
ip host R3 2068 192.168.83.51
ip host R4 2069 192.168.83.51
ip host R5 2081 192.168.83.51
ip host R_ISP1 2077 192.168.83.51
ip host R_FR 2079 192.168.83.51
ip host ASW1 2080 192.168.83.51
ip host ASW2 2076 192.168.83.51
ip host CSW1 2070 192.168.83.51
ip host CSW2 2071 192.168.83.51
ip host SW3 2072 192.168.83.51
ip host SW4 2073 192.168.83.51
ip host ASA 2074 192.168.83.51
ip host R6 2078 192.168.83.51
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
archive
log config
logging enable
logging size 300
notify syslog contenttype plaintext
hidekeys
!
!
!
!
!
!
interface Loopback0
ip address 192.168.83.51 255.255.255.224
!
interface FastEthernet0/0
ip address X.X.X.X 255.255.255.128
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Async1/0
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
no ip http server
no ip http secure-server
!
!
menu switch title ^C
**********************************************************
Switch Lab Terminal Server
To exit from a device, use CTRL+SHIFT+6 then press x
**********************************************************
^C
menu switch text R1 Connect to R1 - 1841
menu switch command R1 telnet R5
menu switch text R2 Connect to R2 - 1841
menu switch command R2 telnet R6
menu switch text ASW1 Connect to ASW1 - 2950
menu switch command ASW1 telnet ASW1
menu switch text ASW2 Connect to ASW2 - 2960
menu switch command ASW2 telnet ASW2
menu switch text DSW1 Connect to DSW1 - 3750
menu switch command DSW1 telnet SW3
menu switch text DSW2 Connect to DSW2 - 3750
menu switch command DSW2 telnet SW4
menu switch text CSW1 Connect to CSW1 - 3750
menu switch command CSW1 telnet CSW1
menu switch text CSW2 Connect to CSW2 - 3750
menu switch command CSW2 telnet CSW2
menu switch text c
menu switch text q Quit terminal server session
menu switch command q exit
menu switch command e menu-exit
menu switch command cR1 cR5
menu switch command cR2 cR6
menu switch command cASW1 cASW1
menu switch command cASW2 cASW2
menu switch command cDSW1 cSW3
menu switch command cDSW2 cSW4
menu switch command cCSW1 cCSW1
menu switch command cCSW2 cCSW2
menu switch clear-screen
menu switch line-mode
!
!
tacacs-server host xxxxxx.xxxx.xxxx.xxxx
tacacs-server key 7 xxxxxx
!
control-plane
!
!
!
!
!
!
!
!
banner login ^C
*********************************************************
* Unauthorized access to this system is forbidden. *
* By accessing this system, you agree that your actions *
* may be monitored if unauthorized usage is suspected. *
* *
*********************************************************
^C
alias exec cSW3 clear line 72
alias exec cSW4 clear line 73
alias exec cR1 clear line 66
alias exec cR2 clear line 67
alias exec cR3 clear line 68
alias exec cR4 clear line 69
alias exec cR5 clear line 81
alias exec q logout
alias exec c conf t
alias exec cASA clear line 79
alias exec 1 menu switch
alias exec cASW1 clear line 80
alias exec cASW2 clear line 76
alias exec cR6 clear line 78
alias exec cCSW2 clear line 71
alias exec cCSW1 clear line 70
privilege exec level 0 connect
privilege exec level 0 telnet
privilege exec level 0 menu
privilege exec level 0 resume
privilege exec level 0 clear line
privilege exec level 0 clear
!
line con 0
line aux 0
line 1/0 1/31
session-timeout 2
exec-timeout 0 20
privilege level 15
logging synchronous
login authentication nologin
no exec
transport input telnet
transport output none
stopbits 1
flowcontrol hardware
line vty 0 4
exec-timeout 30 0
logging synchronous
autocommand menu switch
line vty 5 15
exec-timeout 30 0
logging synchronous
!
scheduler allocate 20000 1000
!
event manager directory user policy "flash:/"
event manager directory user library "flash:/"
event manager policy EEM.tcl
!
end
event manager directory user library "flash:/"
(I removed this command from the config now, but I get the same error anyway)
03-13-2012 11:52 AM
Ah, that's the problem! It's your menu. You need to remove the menu from at least the first VTY line. For example, try this:
line vty 0
transport input none
no autocommand menu switch
03-14-2012 01:17 AM
Thank you Joseph for your time!
But there is the same problem for me. I will try this EEM TCL script on a 2511 router today; maybe the results will be different...
Can you show me exactly which commands you put in there?
array set cli [my_cli_open]
my_cli_exec $cli(fd) "enable"
cli_write $cli(fd) "send tty 11\r"
cli_read_pattern $cli(fd) "Enter message"
cli_write $cli(fd) "This is a test\r "
cli_read_pattern $cli(fd) "Send message"
my_cli_exec $cli(fd) "\r"
cli_close $cli(fd) $cli(tty_id)
03-14-2012 08:16 AM
You have to make sure line vty 0 is free. Once you make the config changes, clear the line to make sure it is free so EEM can occupy it.
If you are going to move the script, move the whole script. Don't extract individual pieces of code. Copy the whole no_send_msg.tcl script to your new router. Note: this script requires EEM 2.1 or higher so you're looking at 12.3(14)T or higher. I do not think you can run that on a 2511.
03-14-2012 10:02 AM
Hello. I think there is something wrong with a script that I try to execute:
AccessServer#sh line vty 0
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
514 514 VTY - - - - - 0 0 0/0 -
Line 514, Location: "", Type: ""
Length: 24 lines, Width: 80 columns
Baud rate (TX/RX) is 9600/9600
Status: No Exit Banner
Capabilities: none
Modem state: Idle
Special Chars: Escape Hold Stop Start Disconnect Activation
^^x none - - none
Timeouts: Idle EXEC Idle Session Modem Answer Session Dispatch
00:30:00 never none not set
Idle Session Disconnect Warning
never
Login-sequence User Response
00:00:30
Autoselect Initial Wait
not set
Modem type is unknown.
Session limit is not set.
Time since activation: never
Editing is enabled.
History is enabled, history size is 20.
DNS resolution in show commands is enabled
Full user help is disabled
Allowed input transports are none.
Allowed output transports are pad telnet rlogin lapb-ta mop v120 ssh.
Preferred transport is telnet.
No output characters are padded
No special data dispatching characters
AccessServer#sh line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
514 514 VTY - - - - - 0 0 0/0 -
* 515 515 VTY - - - - - 2 0 0/0 -
516 516 VTY - - - - - 0 0 0/0 -
517 517 VTY - - - - - 0 0 0/0 -
518 518 VTY - - - - - 0 0 0/0 -
AccessServer#sh users
Line User Host(s) Idle Location
*515 vty 1 cisco idle 00:00:00 X>X>X>X
Interface User Mode Idle Peer Address
AccessServer#sh run | b even
event manager directory user policy "flash:/"
event manager policy EEM.tcl
!
end
AccessServer(config)#no event manager policy EEM.tcl
AccessServer#delete flash:EEM.tcl
Delete filename [EEM.tcl]?
Delete flash:EEM.tcl? [confirm]
AccessServer#copy tftp://X>X>X>X/EEM.tcl flash:
Destination filename [EEM.tcl]?
Accessing tftp://X>X>X>X/EEM.tcl...
Loading EEM.tcl from X>X>X>X (via FastEthernet0/0): !
[OK - 4603 bytes]
AccessServer(config)#event manager policy EEM.tcl
AccessServer#event manager run EEM.tcl
Process Forced Exit
while executing
"continue"
(procedure "cli_read_pattern" line 12)
invoked from within
"cli_read_pattern $cli(fd) "Enter message""
invoked from within
"$slave eval $Contents"
(procedure "eval_script" line 7)
invoked from within
"eval_script slave $scriptname"
invoked from within
"if {$security_level == 1} { #untrusted script
interp create -safe slave
interp share {} stdin slave
interp share {} stdout slave
..."
(file "tmpsys:/lib/tcl/base.tcl" line 50)
Tcl policy execute failed: Process Forced Exit
Tcl policy execute failed: Process Forced Exit
The end of your EEM TCL script (edited by me) looks like this:
array set cli [my_cli_open]
my_cli_exec $cli(fd) "enable"
cli_write $cli(fd) "send tty 70\r"
cli_read_pattern $cli(fd) "Enter message" ( is this row ok? )
cli_write $cli(fd) "show cdp nei\r " ( is this row ok? )
cli_read_pattern $cli(fd) "Send message" ( is this row ok? )
my_cli_exec $cli(fd) "\r"
cli_close $cli(fd) $cli(tty_id)
(because I tried to change these rows, but the changes were unsuccessful)
03-14-2012 10:27 AM
Post the output of "debug event manager tcl cli". After entering "send tty 70" the required prompt cannot be matched. This could mean there is an error with the command.
03-14-2012 10:38 AM
AccessServer#event manager run EEM.tcl
*Mar 14 17:42:22.775: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : CTL : cli_open called.
*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>
*Mar 14 17:42:22.927: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN : AccessServer>enable
*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : The command 'enable
*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT :
*Mar 14 17:42:23.243: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : OUT : AccessServer>
Process Forced Exit3: %HA_EM-6-LOG: EEM.tcl : DEBUG(cli_lib) : IN : AccessServer>send tty 70
while executing
"continue"
(procedure "cli_read_pattern" line 12)
invoked from within
"cli_read_pattern $cli(fd) "Enter message""
invoked from within
"$slave eval $Contents"
(procedure "eval_script" line 7)
invoked from within
"eval_script slave $scriptname"
invoked from within
"if {$security_level == 1} { #untrusted script
interp create -safe slave
interp share {} stdin slave
interp share {} stdout slave
..."
(file "tmpsys:/lib/tcl/base.tcl" line 50)
Tcl policy execute failed: Process Forced Exit
Tcl policy execute failed: Process Forced Exit
Do I need to log in first?
I'm using a TACACS+ server; do I need to log in properly to the AccessServer first? I'm using "cisco/cisco" for TACACS+ authentication, and "cisco" as enable secret.
03-14-2012 11:39 AM
EEM doesn't do authentication. It only does authorization. Try configuring:
event manager session cli username cisco
Then see if the policy runs.
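A pre-flight check for the two causes found in this thread (an autocommand on the first VTY, and AAA command authorization with no EEM session username), added here as an example and not part of the original posts. The function name and the two sample configs are constructed for illustration, abridged from the configuration posted above.

```python
import re

def eem_cli_preflight(running_config):
    """Flag the two conditions this thread found blocking an EEM CLI session."""
    findings = []
    vty = None            # (first, last) of the 'line vty' block being read
    authz_levels = []     # privilege levels under 'aaa authorization commands'
    eem_user = None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            vty = (first, int(m.group(2) or first))
        elif line in ("!", "end") or line.startswith("line "):
            vty = None    # a separator or another line block closes the VTY block
        elif vty and vty[0] == 0 and line.startswith("autocommand "):
            findings.append("vty 0 runs '%s': first VTY is not a plain exec prompt" % line)
        m = re.match(r"aaa authorization commands (\d+) ", line)
        if m:
            authz_levels.append(m.group(1))
        m = re.match(r"event manager session cli username (\S+)", line)
        if m:
            eem_user = m.group(1)
    if authz_levels and eem_user is None:
        findings.append("command authorization on levels %s but no "
                        "'event manager session cli username'" % ",".join(authz_levels))
    return findings

# Constructed samples, abridged from the configuration posted in the thread.
BEFORE = """\
aaa new-model
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
!
line vty 0 4
 exec-timeout 30 0
 autocommand menu switch
line vty 5 15
 exec-timeout 30 0
!
end
"""
# The same config with both fixes from the thread applied.
AFTER = BEFORE.replace(
    "line vty 0 4\n", "line vty 0\n transport input none\nline vty 1 4\n"
).replace("!\nend", "event manager session cli username cisco\n!\nend")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, eem_cli_preflight(cfg))
```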
03-14-2012 11:45 AM
OMG! OMG! OMG! It works now! I can't thank you enough dear Joseph!
You helped me so much!!!
03-17-2012 10:51 AM
Hello Joseph and all the community!
I don't know whether it is better to create a new discussion or ask here, because the question is related to this topic.
As you helped me to send commands via TTY lines, is it possible to send some commands via SSH?
Login to the specific device and enter some commands automatically?
03-17-2012 03:38 PM
This can only work on very new IOS due to bug CSCtc92280 (i.e., it will only work on 15.1(4)T and higher).