09-18-2023 12:18 AM
Hello,
Please find the diagram below.
We have a requirement to shut down the outside interface of our VPN when the server (192.168.255.1) is not reachable. Basically we are trying to terminate the VPN tunnels when the CORE switch goes down or the server goes down. Obviously the interface should be enabled again when the server becomes reachable. I tried to use the EEM scripts below, but they do not seem to work properly. Please advise.
track 1 rtr 1 reachability
!
sla monitor 1
type echo protocol ipIcmpEcho 192.168.255.1 interface inside
num-packets 8
sla monitor schedule 1 life forever start-time now
!
route inside 192.168.255.1 255.255.255.255 172.24.255.18 1 track 1
event manager applet CORE-DOWN
description Core Link Down
event syslog id 622001
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "shutdown"
action 4 cli command "wr mem"
output none
event manager applet CORE-UP
description DC1 Core UP
event syslog id 622001 occurs 2
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "no shutdown"
action 4 cli command "wr mem"
output none
Thanks
Shabeeb
09-18-2023 05:12 AM
If you are looking to trigger the EEM script based on IP SLA, you should track the SLA and act on the track state (rather than event syslog id).
example:
event manager applet CORE-DOWN
description Core Link Down
event track 1 state down
----
---
Check the logs and statistics:
#show ip sla statistics
Also look at the debug to see why it is failing:
#debug event manager action cli
09-18-2023 05:57 AM
Hello,
Thanks a lot for your response. But Cisco ASA does not support the event track command. It supports only the event syslog id command.
09-18-2023 07:32 AM
Apologies. So what logs do you see? Can you post the logs?
event syslog id 622001: what logs do you see on the ASA at that time, when the pings to the server are lost?
Error Message %ASA-6-622001:
string tracked route network mask address , distance number , table string , on interface interface-name
Explanation A tracked route has been added to or removed from a routing table, which means that the state of the tracked object has changed from up or down.
Depending on the code, check what the IP SLA results are and also check the event logs:
09-20-2023 07:53 AM - edited 09-20-2023 07:54 AM
Hello,
Apologies for the late response. The logs shown in the firewall are as below.
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, MV2-VPNASA# inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface
As you can see, when the route is added and when it is removed, the same syslog ID is generated. My expectation of using "event syslog id ... occurs 2" in the second script is that it will run every second time the syslog ID is generated. For example, when the tracker goes down I expect only the "CORE-DOWN" script to run, and when the tracker comes up again I expect both scripts to run in order: "CORE-DOWN" first and "CORE-UP" after that.
But what I can see is that when the tracker comes back, the last script that ran is "CORE-DOWN", which shuts down the G0/0 interface, which is against the requirement. Please check and advise.
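The problem described in this post is that the ASA reuses message ID 622001 for both directions, so an applet keyed on the ID alone cannot tell "Adding" from "Removing"; only the verb in the message body distinguishes them. The following Python is an added example, not code from the thread or from any Cisco tool: it parses 622001 messages (including a dump where the messages are run together without newlines, as in the paste above), derives the tracker's last known state and how many times it flipped, and maps each event to the interface action the requirement calls for. The sample log lines and the network/next-hop values are constructed to match the format posted; fragments that do not form a complete message (a truncated tail, a prompt spliced into the text) are skipped rather than misread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: %ASA-6-622001 messages in the format shown in the
# thread, one event per line. The ASA emits the same message ID in both
# directions; only the leading verb ("Adding"/"Removing") differs.
SAMPLE_LOG = """\
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside
"""

# The same events run together without newlines, the way they looked when
# pasted from the terminal session (constructed, not the thread's exact dump).
CONCATENATED_LOG = SAMPLE_LOG.replace("\n", "")

# Field layout follows the documented message format quoted in the thread:
# "<verb> tracked route <network> <mask> <address>, distance <n>, table <s>,
#  on interface <name>". The interface class excludes '%' so that a message
# glued directly onto the next one still terminates correctly.
MESSAGE_RE = re.compile(
    r"%ASA-6-622001:\s*(?P<action>Adding|Removing) tracked route "
    r"(?P<network>[\d.]+) (?P<mask>[\d.]+) (?P<nexthop>[\d.]+), "
    r"distance (?P<distance>\d+), table (?P<table>[^\s,%]+), "
    r"on interface (?P<interface>[^\s%]+)"
)


@dataclass(frozen=True)
class TrackedRouteEvent:
    action: str       # "Adding" or "Removing"
    network: str
    mask: str
    nexthop: str
    distance: int
    table: str
    interface: str

    @property
    def tracker_up(self) -> bool:
        # The tracked route is installed only while the SLA target answers,
        # so "Adding" means the tracker went up and "Removing" that it went down.
        return self.action == "Adding"


def parse_log(text: str) -> List[TrackedRouteEvent]:
    """Extract every complete 622001 event from a dump, whether the messages
    sit on separate lines or are run together. Incomplete fragments are skipped."""
    return [
        TrackedRouteEvent(
            action=m.group("action"),
            network=m.group("network"),
            mask=m.group("mask"),
            nexthop=m.group("nexthop"),
            distance=int(m.group("distance")),
            table=m.group("table"),
            interface=m.group("interface"),
        )
        for m in MESSAGE_RE.finditer(text)
    ]


def current_state(events: List[TrackedRouteEvent], network: str) -> Optional[bool]:
    """True if the last event for `network` installed the route (tracker up),
    False if it removed it, None if no event for that network was seen."""
    state = None
    for ev in events:
        if ev.network == network:
            state = ev.tracker_up
    return state


def count_transitions(events: List[TrackedRouteEvent], network: str) -> int:
    """Number of up/down flips seen for `network`. A high count over a short
    window means the tracker is flapping, which any shutdown/no-shutdown
    automation has to tolerate."""
    prev, flips = None, 0
    for ev in events:
        if ev.network != network:
            continue
        if prev is not None and ev.tracker_up != prev:
            flips += 1
        prev = ev.tracker_up
    return flips


def vpn_interface_actions(events: List[TrackedRouteEvent], network: str) -> List[str]:
    """Map each event to the CLI the requirement wants on the outside interface:
    tracker down -> 'shutdown', tracker up -> 'no shutdown'. Order is preserved,
    so the last element is the state the interface should end up in."""
    return ["no shutdown" if ev.tracker_up else "shutdown"
            for ev in events if ev.network == network]


if __name__ == "__main__":
    evs = parse_log(CONCATENATED_LOG)
    print(f"{len(evs)} events, tracker up={current_state(evs, '192.168.255.1')}, "
          f"transitions={count_transitions(evs, '192.168.255.1')}")
    print(vpn_interface_actions(evs, "192.168.255.1"))
```

Run against the concatenated dump it still recovers all four events and ends with "no shutdown", which is the outcome the post expects and the count-based `occurs 2` applet did not deliver.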
09-20-2023 08:38 AM
Sure, that defeats the purpose of the EEM script.
In your log the removing and adding is happening so frequently; is this during testing time?
09-20-2023 12:56 PM
Sorry, I did not understand your question.
09-25-2023 02:58 PM
Any other thoughts guys?