Cisco ASA EEM Script to enable/disable interface

SHABEEB KUNHIPOCKER · ‎09-18-2023

Hello,

Please find the below diagram

We have a requirement to shutdown the outside interface of our VPN when the server (192.168.255.1) is not reachable. Basically we are trying to terminate the VPN tunnels when the CORE switch goes down or the server goes down. Obviously the interface should be enabled when the server becomes reachable. I tried to use the below EEM scripts but it does not seem to work properly. Please advise.

track 1 rtr 1 reachability

!

sla monitor 1
type echo protocol ipIcmpEcho 192.168.255.1 interface inside
num-packets 8
sla monitor schedule 1 life forever start-time now

!

route inside 192.168.255.1 255.255.255.255 172.24.255.18 1 track 1

event manager applet CORE-DOWN
description Core Link Down
event syslog id 622001
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "shutdown"
action 4 cli command "wr mem"
output none
event manager applet CORE-UP
description DC1 Core UP
event syslog id 622001 occurs 2
action 1 cli command "conf t"
action 2 cli command "interface g0/0"
action 3 cli command "no shutdown"
action 4 cli command "wr mem"
output none

Thanks

Shabeeb

balaji.bandi · ‎09-18-2023

If you are looking based ip sla and EEM script should trigger you should track the sla and do the action (rather event syslog id)

example :

event manager applet CORE-DOWN
description Core Link Down

event track 1 state down

----

---

check theLogs and statistics :

#show ip sla statistics

also look debug why its failing :

#debug event manager action cli

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SHABEEB KUNHIPOCKER · ‎09-18-2023

Hello,

Thanks a lot for your response. But Cisco ASA does not support event track command. It supports only event syslog id command.

balaji.bandi · ‎09-18-2023

apolgies - so what Logs you see - can you post the logs

event syslog id 622001 - what logs you see on ASA that time if the ping loss to servers

622001

Error Message %ASA-6-622001: string tracked route network mask address , distance number , table string , on interface interface-name

Explanation A tracked route has been added to or removed from a routing table, which means that the state of the tracked object has changed from up or down.

string —Adding or Removing
network —The network address
mask —The network mask
address —The gateway address
number —The route administrative distance
string —The routing table name
interface-name —The interface name as specified by the nameif command

depends the code check what ip sla results and also check event logs :

https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-eem.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SHABEEB KUNHIPOCKER · ‎09-20-2023

Hello,

Apologies for the late response. The logs shown in the firewall are as below.

%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface inside%ASA-6-622001: Removing tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, MV2-VPNASA# inside%ASA-6-622001: Adding tracked route 192.168.255.1 255.255.255.255 172.24.255.18, distance 1, table default, on interface

As you can see when the route is added and removed, the same syslog ID is generated. My expectation of using "event syslog ID occurs 2" in the second script is that it will run every second time the syslog ID is generated. For example when the tracker goes down I expect only "CORE-DOWN" script to run and when the tracker comes up again I expect both the scripts to run in order "CORE-DOWN" first and "CORE-UP" after that.

But what I can see is that when the tracker comes back, the last script ran is "CORE-DOWN" which basically shuts down the G0/0 interface, which is against the requirement. Please check and advise.

balaji.bandi · ‎09-20-2023

Sure thats defeat the purpose of the EEM Script.

on you log the removing adding happening so frequent is this testing time ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

SHABEEB KUNHIPOCKER · ‎09-20-2023

Sorry, I did not understand your question.

SHABEEB KUNHIPOCKER · ‎09-25-2023

Any other thoughts guys?