10-03-2017 04:20 AM - edited 03-12-2019 04:35 AM
Hi Team,
I am looking for an EEM script to enable one of my ASA Firewall interfaces when the S2S VPN is up.
My Cisco FW model is 5525 X.
10-04-2017 06:12 AM
10-05-2017 01:12 PM
Hello abdulnisam786@gmail.com,
This is an idea you can test; the main idea is to send ICMP traffic through the VPN tunnel. If you don't reach the host on the remote end, the interface remains down; if you are able to ping, you should have the interface up and running:
! Probe the remote host through the tunnel every 120 seconds
ip sla 123
 icmp-echo 192.168.0.1 source-ip 172.16.0.1
 frequency 120
ip sla schedule 123 life forever start-time now
!
! Track the probe result, with short delays before reporting a change
track 1 ip sla 123 reachability
 delay down 5 up 10
!
! Shut the interface when the remote host stops answering
event manager applet VPNDown
 event track 1 state down
 action 1.0 syslog msg "The VPN is down"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface GigabitEthernet 0/0"
 action 1.4 cli command "shutdown"
 action 1.5 cli command "end"
 action 1.6 cli command "write memory"
!
! Re-enable the interface when the remote host answers again
event manager applet VPNUp
 event track 1 state up
 action 1.0 syslog msg "The VPN is up"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface GigabitEthernet 0/0"
 action 1.4 cli command "no shutdown"
 action 1.5 cli command "end"
 action 1.6 cli command "write memory"
I didn't test this in my lab since I'm at work :) but you should give it a try.
HTH
Gio
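Added example, not part of the reply above: a simplified Python model of when the VPNDown and VPNUp applets would fire for a given tunnel outage, using the reply's `frequency 120` and `delay down 5 up 10` values. The probe alignment (t = 0, 120, 240, ...), the function names and the outage timelines are assumptions made for illustration.

```python
# Added example: simplified timing model of the ip sla -> track -> EEM chain.
FREQUENCY = 120   # "frequency 120": seconds between ICMP probes
DELAY_DOWN = 5    # "delay down 5": seconds before a failure is reported
DELAY_UP = 10     # "delay ... up 10": seconds before a recovery is reported


def tunnel_is_up(t, outages):
    """True if time t lies outside every (start, end) outage window."""
    return not any(start <= t < end for start, end in outages)


def applet_events(outages, duration, initially_up=True):
    """Return [(time_s, applet)] for each track state change within `duration`.

    Model assumptions: probes run at t = 0, 120, 240, ...; a probe succeeds
    exactly when the tunnel is up at that instant; a pending state change is
    cancelled if a later probe reverts before the delay timer expires.
    """
    events = []
    tracked = initially_up   # state the track object currently reports
    pending = None           # (fire_time, new_state) waiting on a delay timer

    def fire_due(now):
        nonlocal tracked, pending
        if pending and pending[0] <= now:
            tracked = pending[1]
            events.append((pending[0], "VPNUp" if tracked else "VPNDown"))
            pending = None

    for t in range(0, duration + 1, FREQUENCY):
        fire_due(t)
        probe_ok = tunnel_is_up(t, outages)
        if probe_ok == tracked:
            pending = None   # probe agrees with reported state: drop any timer
        elif pending is None:
            pending = (t + (DELAY_UP if probe_ok else DELAY_DOWN), probe_ok)
    fire_due(duration)
    return events


if __name__ == "__main__":
    # Constructed timelines (seconds): one long outage, one short outage.
    print(applet_events([(100, 400)], 600))  # long outage
    print(applet_events([(130, 200)], 600))  # outage between two probes
```

In this model an outage that starts and ends between two probes triggers neither applet, and the interface state can lag the tunnel state by up to one probe interval plus the track delay.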