Cisco ASA - EEM Applet - 'copy' command considered configuration change

thyan0001
Level 1

I was trying to configure an EEM applet on a Cisco ASA. The applet is meant to copy the running-config to TFTP each time there's a configuration change. I use 'event syslog id 111010' to trigger the applet. Interestingly enough, the CLI command 'copy' I use is considered a config change by the system and triggers that syslog event 111010. This creates a loop and the applet runs forever.

 

%ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://10.4.29.29/asa/vpn-qs-bkr_running.cfg'

 

Any thoughts on why the 'copy' command triggers this event? I didn't think a 'copy' would be considered a config change.

2 Replies

robertramsey
Level 1

Hello,

I'm having a similar problem. When I use the following syntax, I can't get the ASA to automatically back up the config:

 

event manager applet Config_Backup
 description Backup running-config when changes are made
 event syslog id 111010
 action 1 cli command "copy running-config tftp://192.168.1.10/firewall.cfg"
 output console

 

When I add /noconfirm to the copy command, the system performs the backup but it does go into a forever backup loop.

 

event manager applet Config_Backup
 description Backup running-config when changes are made
 event syslog id 111010
 action 1 cli command "copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg"
 output console

 

The log looks like this when the loop triggers:

 

Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:23 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:24 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:25 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:26 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111008: User 'eem' executed the 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg' command.
Apr 21 16:19:27 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' from IP 0.0.0.0, executed 'copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg'

 

What did you do to get the backup to work without the looping?

For anyone interested, the 111010 syslog id can be found here:
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslog-messages-101001-to-199021.html#con_8586950

Thanks in advance!

The EEM is used to detect any config added to the ASA.

The EEM itself runs a command, which indeed can enter a loop.

I was busy; I will check the issue and update you on the two posts you shared.

MHM
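
An added example, not part of any post in this thread: an off-box filter over 111010 lines in the format posted above. It separates events produced by the applet's own copy command (user 'eem') from other changes and counts repeated self-triggered commands to flag the loop. The 'admin' line, the function names and the threshold are assumptions made for illustration.

```python
import re
from collections import Counter

EEM_COPY = "copy /noconfirm running-config tftp://192.168.1.10/firewall.cfg"

# Constructed sample in the format of the log lines posted in the thread.
# The 'admin' line (user, source IP and command) is invented for illustration.
SAMPLE = "\n".join(
    ["Apr 21 16:19:21 192.168.1.1 : %ASA-5-111010: User 'admin', running 'CLI' "
     "from IP 192.168.1.50, executed 'object network TEST'"]
    + [f"Apr 21 16:19:22 192.168.1.1 : %ASA-5-111008: User 'eem' executed the '{EEM_COPY}' command.",
       f"Apr 21 16:19:22 192.168.1.1 : %ASA-5-111010: User 'eem', running 'CLI' "
       f"from IP 0.0.0.0, executed '{EEM_COPY}'"] * 3
)

MSG_111010 = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) : %ASA-\d-111010: "
    r"User '(?P<user>[^']*)', running '(?P<app>[^']*)' from IP (?P<ip>\S+), "
    r"executed '(?P<cmd>.*)'$"
)

def parse_111010(text):
    """Return one dict per 111010 line; other message IDs (e.g. 111008) are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := MSG_111010.match(line.strip()))]

def is_self_triggered(event, automation_user="eem"):
    """True when the event was produced by the applet's own copy command."""
    return event["user"] == automation_user and event["cmd"].startswith("copy ")

def backup_triggers(events):
    """Events that should start a backup: everything the applet did not cause itself."""
    return [e for e in events if not is_self_triggered(e)]

def loop_suspects(events, threshold=3):
    """(host, command) pairs the automation user repeated at least `threshold` times."""
    counts = Counter((e["host"], e["cmd"]) for e in events if is_self_triggered(e))
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    events = parse_111010(SAMPLE)
    print("backup triggers:", [(e["user"], e["cmd"]) for e in backup_triggers(events)])
    print("loop suspects:", loop_suspects(events))
```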
