12-19-2023 06:26 AM
Hi team, maybe someone can help me :)
I have an ASA 5525. I want to write an event manager applet so that if a ping is not successful (Success rate is 0 percent), it executes clear crypto ikev2 sa "x.x.x.x". The IP should be checked for availability once every 3-5 minutes. Maybe someone will share a script. Thank you.
12-19-2023 09:22 AM
Glad the issue is solved.
Happy ending.
But why two? You can use frequency to configure the time between each sla monitor probe and use one EEM applet to detect the ID of the track.
Anyway, it is solved in the end.
Have a nice day.
MHM
12-19-2023 06:35 AM
Are you facing an issue with the child SA?
If yes, then I will check how you can use EEM with a failed ICMP.
Until then, check this command; maybe it can help you:
crypto ikev2 notify invalid-selector
MHM
12-19-2023 06:44 AM
I faced the problem that in the EM script I cannot specify that if the result of the ping is "Success rate is 0 percent (0/5)", then such and such an action needs to be performed.
12-19-2023 06:53 AM
I know exactly what you are facing: the IKEv2 tunnel is up but traffic does not pass.
This happens because one side is the initiator and the other is respond-only, so we clear IKEv2 to make them work again.
We can use the above command to make one side notify the other about a missing or invalid SA.
MHM
12-19-2023 07:00 AM
I want to ping the other side of the tunnel and, if that fails, clear the crypto session, but I don't know exactly how to script it.
12-19-2023 06:47 AM
For EEM:
event manager applet IPSecICMP
 event syslog id 302021
 action .....
The log message %ASA-6-302021 is the teardown of an ICMP connection.
I am not sure if it will work, but try it.
MHM
12-19-2023 06:55 AM
event manager applet configuration commands:
action Configure an action to occur when this applet is triggered
default Set a command to its defaults
description Configure the applet description
event Configure an event for the event manager applet
help Help for event manager applet submode command
no Negate a command or set its defaults
output Configure output destinations for CLI commands
12-19-2023 07:07 AM
event manager applet <name>
Add the name, then you will enter event manager applet mode.
Select the syslog message ID and then the action.
MHM
12-19-2023 07:33 AM - edited 12-19-2023 07:33 AM
There is no ip sla on the ASA 5525, and I do not see in the logs that I am pinging.
12-19-2023 06:51 AM
I want to write something like this (IOS-style EEM, with the action taken only when the ping reports 0 percent success):
event manager applet tunnelHealth
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "ping 8.8.8.8"
 action 3.0 regexp "Success rate is ([0-9]+) percent" "$_cli_result" match percent
 action 4.0 if $percent eq 0
 action 5.0  cli command "clear crypto ikev2 sa 8.8.8.8"
 action 6.0 end
12-19-2023 06:58 AM
This is for IOS and IOS XE, but ASA EEM is very limited.
So check the log you receive from the failed ICMP and try to use it in EEM.
MHM
12-19-2023 07:10 AM
Maybe it's possible to create an IP SLA and bind the event manager to it somehow?
12-19-2023 07:13 AM
Some months ago I used a workaround: use sla monitor for a track, use the track to add/remove a route, then detect the syslog of the route add/remove to take action.
MHM
12-19-2023 07:51 AM
Finally, I found something you can use:
! ICMP probe to the remote host every 10 s
sla monitor 123
 type echo protocol ipIcmpEcho 209.165.200.225 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
! track the probe's reachability
track 1 rtr 123 reachability
! host route that is removed/added with the track, which generates syslog 622001
route outside 209.165.200.225 255.255.255.255 203.0.113.254 1 track 1
! clear the SA when the tracked route has changed twice
event manager applet PREEMPT
 event syslog id 622001 occurs 2
 action 1 cli command "clear crypto ipsec sa peer 209.165.101.1"
 output none
Modify it if you want, or try it after changing the IPs and then modify it.
Good luck, friend.
MHM
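The following is an added example, assembled from the sla monitor / track / syslog 622001 approach in the post above and the original request to clear the IKEv2 SA; it is not configuration from the original thread. The addresses are placeholders (203.0.113.1 as the IKEv2 peer, 192.0.2.10 as a host on the far side that is reachable only through the tunnel, 198.51.100.1 as the outside next hop), as are the sla/track numbers and the applet name. The probe interval is set to 3 minutes to match the 3-5 minute requirement:

```cisco
! Added example, not from the original thread. Placeholders:
!   203.0.113.1  = IKEv2 peer (tunnel endpoint)
!   192.0.2.10   = far-side host reachable only through the tunnel
!   198.51.100.1 = next hop on the outside interface
!
! 1. ICMP probe to the far-side host every 180 s (3 packets per probe).
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.10 interface outside
 num-packets 3
 frequency 180
sla monitor schedule 10 life forever start-time now
!
! 2. Track object that follows the probe's reachability.
track 10 rtr 10 reachability
!
! 3. Host route whose only purpose is to be withdrawn/reinstalled when the
!    track changes state; each change produces syslog %ASA-6-622001.
route outside 192.0.2.10 255.255.255.255 198.51.100.1 1 track 10
!
! 4. EEM applet keyed to that syslog ID. ASA EEM actions run unconditionally
!    and in privileged mode, so there is no "enable" and no if/regexp step
!    as there would be on IOS; the syslog event itself is the condition.
event manager applet TUNNEL-RESET
 description Clear IKEv2 SA to 203.0.113.1 when tracked route changes
 event syslog id 622001
 action 1 cli command "clear crypto ikev2 sa 203.0.113.1"
 output none
!
! Verification:
! show sla monitor configuration 10
! show sla monitor operational-state 10
! show track 10
! show running-config event manager
```

Two caveats when adapting this. First, syslog 622001 is logged both when the tracked route is removed and when it is added back, and ASA EEM matches only on the message ID, not the message text, so the applet also fires once when reachability returns; with a single-event applet that costs one extra SA clear, and `occurs 2` (as in the post above) only changes how many occurrences are needed per trigger, not which direction. Second, because ASA EEM actions cannot branch on a ping result, adding an `event timer watchdog` to the same applet would run the clear on every timer expiry regardless of reachability; keep the applet tied to the syslog event alone if the SA should only be cleared on a state change.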
12-19-2023 08:18 AM
It turned out like this for me. If I ping my IP unsuccessfully, I get this message in my syslog: Dec 19 2023 18:01:10: %ASA-2-106016: Deny IP spoof from
My script looks like this:
event manager applet tunnelHealth
 event syslog id 106016
 event timer watchdog time 60
 action 1 cli command "enable"
 action 2 cli command "ping x.x.x.x"
 action 3 cli command "clear crypto ikev2 sa x.x.x.x"
 output console