ASA 5525 event manager

sergei-bilan
Level 1

Hi team, maybe someone can help me :)

I have an ASA 5525. I want to write an event manager applet so that if the ping is not successful (Success rate is 0 percent), it executes clear crypto ikev2 sa "x.x.x.x". It should check whether the IP is available once every 3-5 minutes. Maybe someone will share a script. Thank you.

Accepted Solution

Glad the issue is solved.

Happy ending.

But why two? You can use frequency to configure the time between each sla monitor probe, and use one EEM applet to detect the ID of the track.

Anyway, it is solved in the end.

Have a nice day

MHM


20 Replies

Are you facing an issue with the child SA?

If yes, then I will check how you can use EEM with failed ICMP.

Until then, check this command; maybe it can help you:

crypto ikev2 notify invalid-selector

MHM

I faced the problem that in the EM script I cannot specify that if the result of the ping is "Success rate is 0 percent (0/5)", then such and such an action must be performed.

I know exactly what you face: the IKEv2 tunnel is up but traffic does not pass.

This happens because one side is the initiator and the other is responder only, so we clear IKEv2 to make them work again.

We can use the above command to make one side notify the other about a missing or invalid SA.

MHM

I want to ping the other side of the tunnel and, if that fails, clear the crypto session, but I don't know exactly how to script it.

For EEM:

event manager applet IPSecICMP
event syslog id 302021
action .....

The log message 6-302021 is the teardown of an ICMP connection.

I am not sure if it works, but try it.

MHM


event manager applet configuration commands:
action Configure an action to occur when this applet is triggered
default Set a command to its defaults
description Configure the applet description
event Configure an event for the event manager applet
help Help for event manager applet submode command
no Negate a command or set its defaults
output Configure output destinations for CLI commands

event manager applet name

Add a name, then you will enter event mode.

Select the syslog message ID and then the action.

MHM

There is no IP SLA on the ASA 5525, and I do not see in the logs that I am pinging.

I want to write something like this:

event manager applet tunnelHealth
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 2.0 cli command "ping 8.8.8.8"
 action 3.0 regexp "Success rate is ([0-9]+) percent" "$_cli_result" match percent
 action 4.0 if $percent eq "0"
 action 5.0  cli command "clear crypto ikev2 sa 8.8.8.8"
 action 6.0 end

This is for IOS and IOS XE, but ASA EEM is so limited.

So check the log you receive from the failed ICMP and try to use it in EEM.

MHM

Maybe it's possible to create an IP SLA and bind the event manager to it somehow?

One time, months ago, I used a workaround: using sla monitor for a track, using the track to add/remove a route, then detecting the syslog of the route add/remove to take action.

MHM

Finally, I found something you can use:

sla monitor 123
type echo protocol ipIcmpEcho 209.165.200.225 interface outside
num-packets 3
frequency 10

sla monitor schedule 123 life forever start-time now

track 1 rtr 123 reachability

route outside 209.165.200.225 255.255.255.0 203.0.113.254 1 track 1

event manager applet PREEMPT
event syslog id 622001 occurs 2
action 1 cli command "clear crypto ipsec sa peer 209.165.101.1"
output none

Modify it if you want, or try it after changing the IP and then modify it.

Good luck, friend.

MHM
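An added example (not from the thread or from Cisco): a small Python script that replays constructed ASA syslog lines offline to show when an applet with event syslog id 622001 occurs 2 would fire. Message 622001 is logged both when a tracked route is added and when it is removed, and ASA EEM matches on the message ID only, so the text= filter here is a hypothetical extra check to make that visible; the sample lines, timestamps and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample ASA syslog (not from the thread); documentation addresses.
SAMPLE_SYSLOG = """\
Dec 19 2023 18:01:10: %ASA-6-622001: Removing tracked route 209.165.200.0 255.255.255.0 203.0.113.254, distance 1, table default, on interface outside
Dec 19 2023 18:01:12: %ASA-6-302021: Teardown ICMP connection for faddr 209.165.200.225/0 gaddr 198.51.100.1/1 laddr 198.51.100.1/1
Dec 19 2023 18:02:10: %ASA-6-622001: Adding tracked route 209.165.200.0 255.255.255.0 203.0.113.254, distance 1, table default, on interface outside
Dec 19 2023 18:03:10: %ASA-6-622001: Removing tracked route 209.165.200.0 255.255.255.0 203.0.113.254, distance 1, table default, on interface outside
"""

# "<timestamp>: %ASA-<severity>-<message id>: <text>"
SYSLOG_RE = re.compile(r"^(?P<ts>.+?): %ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$")


@dataclass
class Msg:
    ts: str
    sev: int
    id: str
    text: str


def parse_asa_syslog(raw):
    """Parse %ASA lines into Msg records; lines that do not match are skipped."""
    out = []
    for line in raw.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            out.append(Msg(m["ts"], int(m["sev"]), m["id"], m["msg"]))
    return out


def eem_fire_times(msgs, syslog_id, occurs=1, text=None):
    """Timestamps at which 'event syslog id <syslog_id> occurs <occurs>' fires.

    ASA EEM matches on the message ID only. text= is a hypothetical extra
    filter (a substring such as "Removing") used here to show which hits
    the real applet cannot tell apart.
    """
    fired, seen = [], 0
    for m in msgs:
        if m.id != syslog_id or (text is not None and text not in m.text):
            continue
        seen += 1
        if seen == occurs:  # the Nth matching message triggers the applet
            fired.append(m.ts)
            seen = 0
    return fired


if __name__ == "__main__":
    msgs = parse_asa_syslog(SAMPLE_SYSLOG)
    print("occurs 2, ID only:", eem_fire_times(msgs, "622001", occurs=2))
    print("Removing lines   :", eem_fire_times(msgs, "622001", text="Removing"))
```

In the sample, occurs 2 on the bare ID fires on the Adding line (the route coming back), while only the Removing lines mark the reachability loss the clear command is meant for, which is why it is worth confirming the exact message sequence on your own box before relying on an occurs count.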

It turned out like this for me. If I ping my IP unsuccessfully, I have a message in my syslog: Dec 19 2023 18:01:10: %ASA-2-106016: Deny IP spoof from

My script looks like this:

event manager applet tunnelHealth
event syslog id 106016
event timer watchdog time 60
action 1 cli command "enable"
action 2 cli command "ping x.x.x.x"
action 3 cli command "clear crypto ikev2 sa x.x.x.x"
output console