TCL script to clear crypto sessions at a certain time

ewood2624
Level 5

I'm trying to figure out a way to run an automated TCL script to clear the crypto sessions at a certain time of day.  We have a site that is sending strange UDP port numbers from the ISP and the VPN will not connect properly, and clear crypto session resets the VPN and it works fine after that.

Accepted Solutions

Joe Clarke
Cisco Employee

You don't need Tcl for this.  You can use an EEM applet:

event manager applet clear-crypto
 event timer cron cron-entry "0 12 * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session"

That would clear the session every day at 12:00 (noon).


Is it possible to get the Syslog entry or SNMP trap whenever EEM clears Crypto Session?

I'm waiting for it to kick off so I can get the syslog message.  Can you add wildcards for the syslog pattern?

event manager applet clear-crypto
 event syslog pattern ".*CRYPTO.*GigabitEthernet0/1.*"

Sure.  That regular expression there will work just fine.

You can add an action to generate a syslog or SNMP trap:

action 3.0 syslog msg "Crypto sessions were cleared"

or

action 3.0 snmp-trap strdata "Crypto sessions were cleared"
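
Added example, not part of the original thread: a syslog-side audit that checks the "Crypto sessions were cleared" messages produced by the syslog action above against the applet's "0 12 * * *" cron entry, reporting clears that happened off schedule and days with no clear. The collector line layout (ISO timestamp and hostname before %HA_EM-6-LOG), the hostname rtr1 and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

CRON_ENTRY = "0 12 * * *"                 # cron-entry from the applet in the thread
APPLET = "clear-crypto"                   # applet name from the thread
MESSAGE = "Crypto sessions were cleared"  # text of the added syslog action

# Assumed collector layout: "<ISO timestamp> <host> %HA_EM-6-LOG: <applet>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %HA_EM-6-LOG: (?P<applet>[^:]+): (?P<msg>.*)$")

# Constructed sample lines, not captured from a real device.
SAMPLE = """\
2024-05-01T12:00:01 rtr1 %HA_EM-6-LOG: clear-crypto: Crypto sessions were cleared
2024-05-02T03:17:44 rtr1 %HA_EM-6-LOG: clear-crypto: Crypto sessions were cleared
2024-05-03T12:00:01 rtr1 %HA_EM-6-LOG: clear-crypto: Crypto sessions were cleared
2024-05-03T12:00:05 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
""".splitlines()

def cron_matches(entry, ts):
    """True if ts falls on the entry. Simplified: each field is '*' or one
    integer, and all five fields are ANDed together."""
    fields = entry.split()
    if len(fields) != 5:
        raise ValueError("expected 5 cron fields")
    # cron day-of-week uses 0 for Sunday; isoweekday() uses 7 for Sunday
    actual = (ts.minute, ts.hour, ts.day, ts.month, ts.isoweekday() % 7)
    return all(f == "*" or int(f) == a for f, a in zip(fields, actual))

def audit(lines, first_day, last_day):
    """Return (off_schedule, missing_days). The missing-day check assumes the
    entry fires once every day, as the one in the thread does."""
    seen_days, off_schedule = set(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["applet"] != APPLET or m["msg"] != MESSAGE:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if cron_matches(CRON_ENTRY, ts):
            seen_days.add(ts.date())
        else:
            off_schedule.append(ts)   # cleared outside the scheduled minute
    span = (last_day - first_day).days + 1
    expected = [first_day + timedelta(days=d) for d in range(span)]
    return off_schedule, [d for d in expected if d not in seen_days]

if __name__ == "__main__":
    off, missing = audit(SAMPLE, date(2024, 5, 1), date(2024, 5, 3))
    print("off-schedule clears:", off)
    print("days with no scheduled clear:", missing)
```
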

When the EEM runs, does it start its script in exec or privileged mode?  I saw that the first line is enable; what would be the syntax for typing the enable password?

You don't need the password.  All that does is enter enable mode for authorization.  Authentication is assumed to have happened because you had to be authenticated to configure the applet.  That applet can work as-is.
