
EEM script to apply command based on ping result

Richard Tapp
Level 1

I have a DMVPN router behind a 5G router (temp solution) and overnight it loses connection to our DC.

Currently I have to wait for someone to be onsite to gain console access to do the following commands:

int g0/0/1

no zone security Hostile

zone security Hostile

and this brings the DMVPN back up.

So I would like to use an EEM script to do these commands based on a ping failure to the DC.

This is where I am so far with it; it's this bit in the middle I need some help with.

How do I tell it when there is a ping failure to apply the commands?

event manager applet PING_DC
event timer watchdog time 120
action 1.0 cli command "enable"
action 2.0 cli command "ping 10.208.x.x source loop0 repeat 5"

Need to work out how if there is a ping failure above to apply the commands below

action 6.0 cli command "conf t"
action 7.0 cli command "interface g0/0/1"
action 8.0 cli command "no zone sec Hostile"
action 8.2 cli command "zone sec Hostile"
action 9.0 cli command "end"
action 9.1 end


Hello @Richard Tapp ,

you could use IP SLA to do this:

ip sla 1
icmp-echo 10.208.x.x source-interface loop0
ip sla schedule 1 life forever start-time now

event manager applet PING_DC
event syslog pattern "ip sla 1 reachability Up->Down"

action 1.0 cli command "enable"

action 2.0 cli command "conf t"
action 3.0 cli command "interface g0/0/1"
action 4.0 cli command "no zone sec Hostile"
action 4.2 cli command "zone sec Hostile"
action 9.0 cli command "end"
action 9.1 end

HTH

Regards, LG
*** Please Rate All Helpful Responses ***

Trying the SLA one now

vishalbhandari
Spotlight

@Richard Tapp You can modify your EEM script to check the success or failure of the ping and apply the necessary commands when the ping fails. Use the regexp action to check for "Success rate is 0 percent" in the ping output. Here's how you can do it:

event manager applet PING_DC
event timer watchdog time 120
action 1.0 cli command "enable"
action 2.0 cli command "ping 10.208.x.x source loop0 repeat 5" pattern "Success rate is"
action 3.0 regexp "Success rate is 0 percent" "$_cli_result" result match
action 4.0 if $match eq "1"
action 5.0 cli command "conf t"
action 6.0 cli command "interface g0/0/1"
action 7.0 cli command "no zone security Hostile"
action 8.0 cli command "zone security Hostile"
action 9.0 cli command "end"
action 10.0 syslog msg "DMVPN interface reset due to ping failure"
action 11.0 end

This script runs every 120 seconds, pings the DC, and checks if the success rate is 0%. If the ping fails, it resets the security zone on the interface. Let me know if you need further adjustments!
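An added example, not part of the reply above: IOS runs an applet's actions in ascending alphanumeric order of their labels, not in the order they were typed, so this check prints the order the applet as posted would run in and whether its if/end blocks still pair up. It assumes label sorting behaves like plain string comparison; the function names are made up for the example.

```python
import re
# The applet from the reply above, copied as posted, used as sample input.
APPLET = '''\
event manager applet PING_DC
event timer watchdog time 120
action 1.0 cli command "enable"
action 2.0 cli command "ping 10.208.x.x source loop0 repeat 5" pattern "Success rate is"
action 3.0 regexp "Success rate is 0 percent" "$_cli_result" result match
action 4.0 if $match eq "1"
action 5.0 cli command "conf t"
action 6.0 cli command "interface g0/0/1"
action 7.0 cli command "no zone security Hostile"
action 8.0 cli command "zone security Hostile"
action 9.0 cli command "end"
action 10.0 syslog msg "DMVPN interface reset due to ping failure"
action 11.0 end
'''
ACTION = re.compile(r"^\s*action\s+(\S+)\s+(\S.*)$")

def run_order(labels):
    """Order EEM runs the actions in: labels compared as strings (assumption)."""
    return sorted(labels)

def lint(text):
    """Report duplicate labels, reordered actions and unbalanced if/end blocks."""
    findings, final = [], {}
    for m in filter(None, map(ACTION.match, text.splitlines())):
        label, body = m.groups()
        if label in final:
            findings.append(f"duplicate label {label}: the later line replaces the earlier one")
        final[label] = body
    ordered = run_order(final)
    if ordered != list(final):
        findings.append("run order differs from entry order: " + " ".join(ordered))
    depth = 0  # open if/while/foreach blocks while walking in run order
    for label in ordered:
        word = final[label].split()[0]
        if word in ("if", "while", "foreach"):
            depth += 1
        elif word == "end":
            if depth == 0:
                findings.append(f"action {label} 'end' runs with no open block")
            else:
                depth -= 1
    if depth:
        findings.append(f"{depth} block(s) never closed")
    return findings
if __name__ == "__main__":
    print("\n".join(lint(APPLET)))
```

Labels of equal width, such as 010, 020 up to 110, keep the run order identical to the order typed.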

This one did not seem to work.

Try using IP SLA. I used it before and it works.

Regards, LG

Follow @liviu.gheorghe's suggestion; it is correct and works, but with a little change:

1- The event is track up/down.

2- You need two EEM applets, one for when the track of the IP SLA is up and the other for when it is down; for the actions, add according to your requirements. <<- After checking, you can use only one EEM.

MHM

Hello


@Richard Tapp wrote:

int g0/0/1

no zone security Hostile

zone security Hostile


Sounds like your ZBFW cfg isn't correct. If you need to do this as/when the spoke rtr loses its NBMA connectivity, it suggests the initial NHRP registration isn't being allowed through, but when the DMVPN spoke does eventually register it's then okay, and the only way of doing that at present is removing the spoke from its security interface.

Just to confirm - are you allowing all the necessary ISAKMP, GRE/ESP traffic?

As for the eem scripting, try the following:

ip sla 10
icmp-echo <hub nbma ip> source-ip <spoke nbma ip>
timeout 200
frequency 5
ip sla schedule 10 life forever start-time now

track 10 rtr 10 reachability

event manager applet GIG0/1-DOWN
event track 10 state down
action 5.0 cli command "enable"
action 5.1 cli command "clear ip nhrp"
action 5.2 cli command "conf t"
action 5.3 cli command "interface GigabitEthernet0/1"
action 5.4 cli command "no zone security Hostile"
action 5.5 cli command "zone security Hostile"
action 5.6 cli command "end"



Kind Regards
Paul

Richard Tapp
Level 1

So I tried most of the things above and could not get it to work.

The issue happens overnight, as DMVPN drops due to no traffic and it is an issue 1st thing in the morning.

I now seem to have it working with a CRON timer. It's only a temp solution until we get the fixed line into the new office, so don't mind it being a bit of a bodge.

I have set 6 scripts in total in pairs, the first of each pair removes the line 'zone security Hostile' and a minute later the next of the pair puts it back in, with a syslog message.

Basically it runs at 0700, 0800 & 0850, to make sure it is up when staff arrive at the office.