ACE - LDAP TCL Script
Hi,
we are using the TCL LDAP_Script as a probe scripted for LDAP server farm. The default script the Cisco provided is sending only an anonymous binding to the LDAP servers, we are trying to modify this script to sned a credential binding with username and password. Anyone done something like that before!
Your contribution is appreciated.
Hadi
Hi Habeel,
I've answered this question before. If you search the forum for "ldap healtcheck script" - and yes the typo is real then you'll see what I did.
The text is here:
The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.
The alternative is to handcode the BER coded ASN.1 data string - which while more fun is time consuming. The remainder of the script can stay the same.
I've done this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.
If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.
0x30 The start of a universal constructed sequence
0x0c The length of the sequence minus the tag and length bytes = 12 bytes
0x02 Next field is an integer
0x01 The length of the next field (1 byte)
0x01 Value (this is the message ID)
0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request
0x07 Length of data to follow.
0x02 Integer
0x01 Length 1
0x03 3 - this is the LDAP version.
0x04 String
0x00 Length 0
0x80 Simple Authentication
0x00 Length 0
Just keep the id the same in the unbind.
The string I use is:
302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff
where I've replaced the 9 character password with 9*x'ff'.
The username for binding is AceProxy. If you want to use the same script then create that username and set the password in the string above (in hex). If for example you set the password to Example12 then you need to set the 9*x'ff' to '4578616d706c653132' - which is the hex representation of the ASCII.
Note that if you use fewer or more than 9 characters then you'll need to change other values in the string because they refer to lengths.
HTH
Cathy
Similar Messages
-
Looking for ACE Probe TCL script specific for LDAPS
Hello Everyone,
I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.
Could someone kindly point me or provide me the modified TCL script if you happen to have it.
During my search I also found a config that someone had provided, which contained the following probe:
probe tcp LDAPS_Probe
port 636
probe tcp LDAP_Probe
port 389
I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.
This is how I applied the script for LDAP port 389.
script file 1 LDAP_PROBE
probe scripted LDAP_PROBE_389
interval 5
passdetect interval 30
receive 5
script LDAP_PROBE
serverfarm host SF-LDAP-389
description SF LDAP Port 389
predictor leastconns
probe LDAP_PROBE_389
rserver LDAP-RS1-389
inservice
I will be more than glad to provide you any additional information that you need.
As always thanks for your input.
Raman Azizian
SAIC/NISN Network servicesnormally you would engage a TCL developer or ciso advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl. default port is 389 when you implement you would specify 636.
#!name = LDAP_PROBE
# Description:
# LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and
# determines whether the bind request succeeds. LDAP_PROBE then closes the
# connection with a TCP RST.
# If a port is specified in the "probe scripted" configuration, the script probes
# each suspect on that port. If no port is specified, the default LDAP port 389
# is used.
# Success:
# The script succeeds if the server returns a bind response indicating success
# (status code 0x0a0100) to the bind request.
# The script closes the TCP connection with a RST following a successful attempt.
# Failure:
# The script fails due to timeout if the response is not returned. This
# includes a failure to receive ARP resolution, a failure to create a TCP connection
# to the port, or a failure to return a response to the LDAP bind request.
# The script also fails if the server bind response does not indicate success.
# This specific error returns the 30002 error code.
# The script closes any attempted TCP connection, successful or not, with a RST.
# PLEASE NOTE: This script expects the server LDAP bind response to specify length
# in ASN.1 short definite form. Responses using other length forms (e.g., long
# definite length form) will require script modification to achieve success.
# SCRIPT version: 1.0 April 1, 2008
# Parameters:
# [DEBUG]
# username - user login name
# password - password
# DEBUG - optional key word 'DEBUG'. default is off
# Do not enable this flag while multiple probe suspects are configured for this
# script.
# Example config :
# probe scripted USE_LDAP_PROBE
# script LDAP_PROBE
# Values configured in the "probe scripted" configuration populate the
# scriptprobe_env array. These may be accessed or manipulated if desired.
# Documentation:
# A detailed discussion of the use of scripts on the ACE is included in
# "Using Toolkit Command Language (TCL) Scripts with the ACE"
# in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
# Copyright (c) 2005-2008 by Cisco Systems, Inc.
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc ace_debug { msg } {
global debug ip port EXIT_MSG
set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
# main
# parse cmd line args and initialize variables
## set debug value
set debug 0
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
set debug 1
ace_debug "initializing variable"
set EXIT_MSG "Error config: script LDAP_PROBE \[DEBUG\]"
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# if port is zero the use well known ldap port 389
if { $port == 0 } {
set port 389
# PROBE START
# open connection
ace_debug "opening socket"
set sock [ socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
fconfigure $sock -buffering line -translation binary
# send a standard anonymous bind request
ace_debug "sending ldap bind request"
puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
flush $sock
# read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 14]
binary scan $line H* res
binary scan $line @7H6 code
ace_debug "received $res with code $code"
# close connection
ace_debug "closing socket"
close $sock
# make probe fail by exit with 30002 if ldap reply code != success code 0x0a0100
if { $code != "0a0100" } {
ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
exit 30002
## make probe success by exit with 30001
ace_debug "probe success"
exit 30001 -
Cisco's Network Registrar and LDAP (tcl script)
Hi all,
I use CNR version 7.1. I use ldap for authentication user. I have a problem if ldap server not available. I want with tcl script to know what ldap not available and send to user default configuration (ip,dns)
How I can transfer in tcl a script that the server ldap isn't accessible? where i can found error code for this ?
Thanks
RomanHi Habeel,
I've answered this question before. If you search the forum for "ldap healtcheck script" - and yes the typo is real then you'll see what I did.
The text is here:
The easiest way is to capture a packet with the authentication credentials and then replace the hex bind string in the example.
The alternative is to handcode the BER coded ASN.1 data string - which while more fun is time consuming. The remainder of the script can stay the same.
I've done this on an ACE module. You have to be aware that 300c02010160 in the example script string is a sort of "header" that holds the request id (1). This will be different in your packet capture.
If you look at the decomposition of the example you'll be able to see how it is put together and what you need to change.
0x30 The start of a universal constructed sequence
0x0c The length of the sequence minus the tag and length bytes = 12 bytes
0x02 Next field is an integer
0x01 The length of the next field (1 byte)
0x01 Value (this is the message ID)
0x60 Application, number 0, use RFC2251 to decode. This is a Bind Request
0x07 Length of data to follow.
0x02 Integer
0x01 Length 1
0x03 3 - this is the LDAP version.
0x04 String
0x00 Length 0
0x80 Simple Authentication
0x00 Length 0
Just keep the id the same in the unbind.
The string I use is:
302d02010160280201030418636e3d41636550726f78792c6f3d556e69766572736974798009ffffffffffffffffff
where I've replaced the 9 character password with 9*x'ff'.
The username for binding is AceProxy. If you want to use the same script then create that username and set the password in the string above (in hex). If for example you set the password to Example12 then you need to set the 9*x'ff' to '4578616d706c653132' - which is the hex representation of the ASCII.
Note that if you use fewer or more than 9 characters then you'll need to change other values in the string because they refer to lengths.
HTH
Cathy -
Hello everyone, okay?
I was thinking of a possibility to use my ACE to monitor a database, in this case a MySQL database Today I use a TCP probe, monitoring the port, but I would go one step further and try to make a connection in the DATABASE.
I would like to see the possibility of a guideline in creating a TCL script to make a simple connection to a database.
The idea is to try to make a connection in a database, run a query / select on any table just to validate its functionality and not just checking if the port is responding.
I do not know how complex it is or what would be my pre -requisites required, but any help would be welcome.
I thought about using an HTTP probe to make this validation and use a web page making the connection to the database, but it ended up creating another layer and if there is any problem in web service, the database would be affected indirectly.
Thank you. All suggestions are welcome.Hi Plinio,
I cannot see any support for testing authentication, SQL queries or connections to a database that is supported directly in TCL at this time.
Here is the TCL guide that expalains the supported commands ( there is a HTTP example probe at the bottom )
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/script.html
Beyond a TCL TCP probe to the port to test the listener is running, I believe your suggestion of a HTTP TCL script is probably the most accurate way to check the integrity of the database. You could write code to set a certain response to all types of failure scenarios and on the ACE you could then use a HTTP TCL script to parse the response from the web server to identify exactly what has failed in your database and act accordingly.
cheers,
Chris -
ACE TCL Script Probe for Websphere MQ
Have anyone written a TCL script to probe MQ from the ACE? Our app guys are saying that a Layer 4 probe (TCP port check) is generating errors in the QManager logs because there is no data exchange, just TCP connection setup, then tear-down.
Thought I would check here to see if anyone has written a TCL Script for this before or has any other suggestions.
Thanks!Hi,
What do you need to check exactly on the server? will be an specific uri?
Cesar R
ANS Team -
Hi,
I have two questions about TCP scripts on ACE :
1. TCP source code
How can I browse the TCL source code of predefined probe scripts on the ACE (for instance HTTPCONTENT_PROBE) '
2. Script parameters
How do I retrieve in the TCL script the parameters passed to the script in the command < script script_name [script_arguments] > ?
Thank you,
YvesYves,
you can download all the scripts from the download software page.
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=A2%283.2%29&mdfid=280557289&sftType=Application+Control+Software+Scripts&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+ACE+Application+Control+Engine+Module&treeMdfId=268437639&treeName=Application+Networking+Services&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
# Copyright (c) 2005-2008 by Cisco Systems, Inc.
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc set_exit_msg { msg } {
global debug ip port EXIT_MSG
set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
# main
# Parse cmd line args and initialize variables
set_exit_msg "initializing variable"
if { $argc < 2 } {
set_exit_msg "[ info script ] parameters :
exit 30002
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# If port is zero then use well known HTTP port 80
if { $port == 0} {
set port 80
set requestHeader [ lindex $argv 0 ]
set expectFileType [ lindex $argv 1 ]
set debug [ lindex $argv 2 ]
if { $debug == "" } {
set debug 0
# Open connection
set_exit_msg "opening socket"
set sock [ socket $ip $port ]
# Send HTTP request to server
set_exit_msg "sending request : $requestHeader"
puts -nonewline $sock "$requestHeader\n\n"
flush $sock
# Read string back from server
set_exit_msg "receiving response"
set lines [ read $sock ]
# Close connection
set_exit_msg "closing socket"
close $sock
# Parse the HTTP response
# All the following conditions cause probe failure, returning exit code 30002
# Unable to recognize the HTTP response
if { ![ regexp -nocase "^HTTP/1\.\[0-9\] (\[0-9\]\[0-9\]\[0-9\])" $lines match s
tatuscode ] } {
set_exit_msg "probe fail : can't find status code"
exit 30002
# HTTP response is not 200 OK
if { $statuscode != "200" } {
set_exit_msg "probe fail : status code is $statuscode"
exit 30002
# Unable to find Content-type header
if { ![ regexp -nocase "Content-Type *:(.*)\n" $lines match foundContentType]
set_exit_msg "probe fail : can't find \'Content-Type\' header"
exit 30002
# Content-type value does not contain the requested string
if { ![ regexp "$expectFileType" $foundContentType] } {
set_exit_msg "probe fail : expect content-type \'$expectFileType\', but got
\'$foundContentType\'"
exit 30002
# Indicate probe success with exit code 30001
set_exit_msg "probe success"
exit 30001 -
Hi all,
I would like to write custom TCL script in ACE. I would like to write some info for debugging to the console with "puts $VAR ", but nothing is shown.
What could be the problem ? I have debug hm all on.
Regards,
szicsuLook into an existing script and reuse the same debug function
proc ace_debug { msg } {
global debug ip port EXIT_MSG
set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
Gilles. -
ACE TCL Script to retrieve Cookie
I am in need to to do a post instead of a Get with a probe. So I have configured a TCL script to perform this. The issue I have is that I also need to parse the Cookie instead of the http1. response. Any ideas? Or does anyone have a variable indetifiers for TCL scripting that Cisco uses?
Thank you,
TimHI Thulin,
Health probe scripts have access to many configured items through a predefined TCL array. The most common use of this array is to find the current real server IP addresses of the suspect during any particular launch of the script.
Whenever the ACE executes a script probe, a special array called scriptprobe_env is passed to the script. This array holds important parameters that may be used by the script.
Member name Content
realIP
Suspect IP address
realPort
Suspect IP port
intervalTimeout
Configured probe interval in seconds
openTimeout
Configured socket open timeout for this probe (tbd)
recvTimeout
Configured socket receive timeout for this probe
failedTimeout
Configure failed timeout
retries
Configured retry count
healthStatus
Current suspect health status
contextID
The ID for the context running this script
failedRetries
Consecutive successful retries on a failed server before marking it as passed
isRouted
Boolean to determine if this IP address is a routed address
pid
Process identifier of the TCL process
runID
Pointer to the event structure (em_event_t)
Kindly refer to the following url to get more info regarding your tcl variables:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/script.html#wp1082112
http://www.cisco.com/univercd/cc/td/doc/solution/dc_ap11i.pdf
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/ace/ace_301/slbgd/script.pdf
Regards,
Sachin Garg -
st1\:*{behavior:url(#ieooui) }
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman";
mso-ansi-language:#0400;
mso-fareast-language:#0400;
mso-bidi-language:#0400;}
Network Scenario:
We have a Client-Server enterprise network, and nature of servers is to broadcast some stats/info to all the clients.
We are using two 6509-E at core with HSRP to provide the redundancy for servers. I have attached the network layout (not the real one) with some description with this thread. On both switches we have configured “ip helper-addresses” to forward the broadcast to multiple destinations(different VLANs). Every thing is working fine with respect to HSRP.
Problem:
Under normal circumstances, both ACTIVE and STANDBY hsrp switches generates broadcast which causing duplication of every broadcast packet and Client end receiving every packet twice. Cisco already claimed that standby switch will forward the broadcast. As an alternate TAC has advised to use the TCL script as a work around which we attempted to however no success at the end.
Please let me know if some one can help me in modifying TCL script.
::cisco::eem::event_register_syslog occurs 1 pattern .*STANDBY.*STATECHANGE.* maxrun 90
# EEM policy used to detect an HSRP state change. Once change is detected, analize the
# type of change and modify the configuration about helper address.
# The script looks for the DHCP server ip address in dhcp_server environment variable
# and adds or removes the command 'ip helper-address dhcp_server' to the interface on
# which HSRP status has changed.
# April 2006, Cisco Europe & Emerging TME Team
# Copyright (c) 2006 by cisco Systems, Inc.
# All rights reserved.
### The script uses the following environment variables:
# $dhcp_server - ip address of the DCHP server in four octect dotted notation
# 1. check if all the env variables we need exist and if not abort
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
if {![info exists dhcp_server]} {
set result "EEM Policy Error: variable dhcp_server has not been set"
error $result $errorInfo
# 2. Local procedure for CLI show commands
# Pass a list of cli commands and it returns a list of outputs
proc CLICmdProc {cmds} {
if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
if [catch {cli_exec $cli1(fd) "enable"} result] {
error $result $errorInfo
foreach a_cmd $cmds {
if [catch {cli_exec $cli1(fd) $a_cmd} result] {
error $result $errorInfo
} else {
lappend cmd_output $result
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
error $result $errorInfo
return $cmd_output
# 3. Local procedure for CLI configuration commands
# Pass a list of cli commands
proc CLICfgProc {cmds} {
if [catch {cli_open} result] {
error $result $errorInfo
} else {
array set cli1 $result
if [catch {cli_exec $cli1(fd) "enable"} result] {
error $result $errorInfo
if [catch {cli_exec $cli1(fd) "config terminal"} result] {
error $result $errorInfo
foreach a_cmd $cmds {
if [catch {cli_exec $cli1(fd) $a_cmd} result] {
error $result $errorInfo
} else {
set cmd_output $result
if [catch {cli_exec $cli1(fd) "end"} result] {
error $result $errorInfo
if [catch {cli_exec $cli1(fd) "write mem"} result] {
error $result $errorInfo
if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
error $result $errorInfo
# 4. query the information of latest triggered eem event
array set arr_einfo [event_reqinfo]
if {$_cerrno != 0} {
set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
$_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
error $result
set msg $arr_einfo(msg)
# 5. we save the interface which triggered the event in interface
regexp {(Vlan[0-9]{1,4}).*-> ([A-Z,a-z]*$)} $msg result interface action
if {$action == "Active"} {
lappend clicmd "interface $interface"
lappend clicmd "ip helper-address $dhcp_server"
if {$action != "Active"} {
lappend clicmd "interface $interface"
lappend clicmd "no ip helper-address $dhcp_server"
set cliout [CLICfgProc $clicmd]
action_syslog msg "Updating the configuration of interface $interface"Try this version. You will need to first set an environment variable, dhcp_servers to be a comma separated list of IP addresses (i.e. the helper addresses) to configure/unconfigure. For example:
event manager environment dhcp_servers 192.168.10.255,192.168.12.255,192.168.14.255 -
Creating a job that runs a Tcl script
Hi,
We currently have a scheduled job running a Tcl script on a 8.1.7 DB. My question is, can I still use the same setup in 10g DB (i.e. creating a job that runs Tcl script)? If I can, how am I gonna do it?
Thanks,
howieIt depends on how you scheduled the job in 8.1.7 DB.
By Cronjob? Yes you can do the same to connect to 10g
By DBMS_JOB?. Yes you can do it in 10g and in addition, can improve it with DBMS_SCHEDULER
Via OEM? Yes in can use Enterprise Manager to create a Job that runs the Script. -
Setting the source-interface in a tcl script for email.
So once again I am trying to figure this out and failing miserably. The only thin I can think of at the moment is that I need to tell it to source from a specific vrf interface. I've tried looking through possible enviornment variables. Hoping I could set it that way but have yet to find one. I have read varios settings for source-interface and attempted them. But fail every time with:
vpn_failure.tcl: smtp_send_email: error connecting to mail server:
EEM Version:
sho event manager version
Embedded Event Manager Version 4.00
Component Versions:
eem: (rel4)1.0.4
eem-gold: (rel1)1.0.2
eem-call-home: (rel2)1.0.0
Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
# create mail form
action_syslog msg "Creating mail header for vpn_failure.tcl script..."
set body [format "Mailservername: %s" "$_email_server"]
set body [format "%s\nFrom: %s" "$body" "$_email_from"]
set body [format "%s\nTo: %s" "$body" "$_email_to"]
set _email_cc ""
set body [format "%s\nCc: %s" "$body" ""]
set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
set body [format "%s\n%s" "$body" "Report Summary:"]
set body [format "%s\n%s" "$body" " - syslog message"]
set body [format "%s\n%s" "$body" " - summary of interface(s) in an up/down state"]
set body [format "%s\n%s" "$body" " - show ip route $remote_peer"]
set body [format "%s\n%s" "$body" " - show crypto isakmp sa"]
set body [format "%s\n%s" "$body" " - show crypto session detail"]
set body [format "%s\n%s" "$body" " - show crypto engine connection active"]
set body [format "%s\n%s" "$body" " - show ip nhrp detail (DMVPN only)"]
set body [format "%s\n%s" "$body" " - show log"]
set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
set body [format "%s\n%s" "$body" "$syslog_msg"]
set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_route"]
set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
set body [format "%s\n\n%s" "$body" "$show_log"]
if [catch {smtp_send_email $body} result] {
action_syslog msg "smtp_send_email: $result"I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the sourceinterface. In debugging everyting in the script works except for the mail portion.
Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: while executing
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: (procedure "eval_script" line 7)
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: invoked from within
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} { #untrusted script
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp create -safe slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp share {} stdin slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: interp share {} stdout slave
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: (file "tmpsys:/lib/tcl/base.tcl" line 50)
Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
Debugging On:
Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
cannot connect to all the candidate mail servers
Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
event manager environment _email_server 10.79.1.126
event manager environment _email_from [email protected]
event manager environment _email_to [email protected]
interface Port-channel1.101
description MGMT-1
encapsulation dot1Q 101
vrf forwarding MGMT-1
ip address 10.79.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly
redundancy rii 101
redundancy group 2 ip 10.79.1.254 exclusive decrement 10
end
#----------------------- send mail ----------------------
# create mail form
action_syslog msg "Creating mail header for vpn_failure.tcl script..."
set body [format "Mailservername: %s" "$_email_server"]
set body [format "%s\nFrom: %s" "$body" "$_email_from"]
set body [format "%s\nTo: %s" "$body" "$_email_to"]
set _email_cc ""
set body [format "%s\nCc: %s" "$body" "[email protected]"]
set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
set body [format "%s\n%s" "$body" "Report Summary:"]
set body [format "%s\n%s" "$body" " - syslog message"]
set body [format "%s\n%s" "$body" " - summary of interface(s) in an up/down state"]
set body [format "%s\n%s" "$body" " - show ip route $remote_peer"]
set body [format "%s\n%s" "$body" " - show crypto isakmp sa"]
set body [format "%s\n%s" "$body" " - show crypto session detail"]
set body [format "%s\n%s" "$body" " - show crypto engine connection active"]
set body [format "%s\n%s" "$body" " - show ip nhrp detail (DMVPN only)"]
set body [format "%s\n%s" "$body" " - show log"]
set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
set body [format "%s\n%s" "$body" "$syslog_msg"]
set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_route"]
set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
set body [format "%s\n\n%s" "$body" "$show_log"]
if [catch {smtp_send_email $body} result] {
action_syslog msg "smtp_send_email: $result"
action_syslog msg "vpn_failure.tcl script completed"
#------------------ end of send mail -------------------- -
Reading the Facility Callername from a tcl script
I am looking for a way to read the Callingname in the facility message so that I can pass into
set callInfo(displayInfo)
Basically I'm trying to pass Callername to an ip phone through a TCL script on the gateway during callsetup. This normally gets dropped.
Is there a way to parse these fields in the Facility message?
Thanks ahead of time for any help.
Oct 14 21:59:58.274: ISDN Se0/0/0:23 Q931: RX <- FACILITY pd = 8 callref = 0x03BB
Facility i = 0x9F8B0100A117020101020100800F5452494F4E20574F524C44204E4554
Protocol Profile = Networking Extensions
0xA117020101020100800F5452494F4E20574F524C44204E4554
Component = Invoke component
Invoke Id = 1
Operation = CallingName
Name Presentation Allowed Extended
Name = MY CALLINGNAMEWell.. I'm having to alter an existing script that parsers the calls for fax service before they are being sent to callmanager.
So far I think im in the right direction but I don't know how to use the "object get gtd" properly, if that's even the right approach. Im trying to parse
GEN,y,y,0,JOE BLOW
from the gtd debug below...
Oct 15 16:32:26.543: CNG tone sent
Oct 15 2009 11:32:26 CDT: %ISDN-6-CONNECT: Interface Serial0/0/0:0 is now connected to XXXXXXXXXX N/A
Oct 15 16:32:27.231: ISDN Se0/0/0:23: Built a GTD of size 110 octets for ISDN message type 0x62
Oct 15 16:32:27.231: tsp_ccrawmsg_encap: calling cdapi_find_tsm
Oct 15 16:32:27.231: cdapi_find_tsm: Found Tunnelled Signaling Msg with GTD: PROT_PTYPE_GTD
Oct 15 16:32:27.231: cdapi_find_tsm: Found a gtd msg of length 110:
Oct 15 16:32:27.231: gtd msg = "FAC,
PRN,isdn*,,NI***,
GEN,y,y,0,JOE BLOW ï----------------Caller NAME
UFC,GEN,5,fachd,9f8b0100
UFC,GEN,5,inpdu,020101020100"
This is what I have so far...
set DestNum [infotag get evt_dcdigits]
set callInfo(destinationNum) $DestNum
infotag set evt_facility_report gtd
infotag get evt_gtd CallerID
set CallerName [object get gtd CallerID FAC,4,GEN]
set DestNum [infotag get evt_dcdigits]
put "$CallerName"
put "$DestNum"
set callInfo(displayInfo) $CallerName
set callInfo(destinationNum) $DestNum
leg setup $DestNum callInfo leg_incoming -
CallManager Express TCL Script issue
Hi, I'm having issues trying to get an AA script working on a CME 4.0 system. What I want to do is quite simple, i just want to play a message to callers and that's it.
When I dial the pilot, the call just drops and I get the following error when debugging "voip application script"
Jul 25 17:16:22.470: //381//TCL :/tcl_PutsObjCmd: TCL AA: +++ B-ACD-SERVICE not registered, Starting B-ACD-SERVICE +++
Jul 25 17:16:22.470: //381//AFW_:/AFW_FSM_Drive: Tcl_Eval to drive FSM inside Tcl modulespace. code=1 code=ERROR
Jul 25 17:16:22.470: TCL script failure
Result:
Handoff Failed
Jul 25 17:16:22.470: TCL script failure errorInfo:
Handoff Failed
while executing
"handoff appl leg_incoming $serviceName -s $hString"
(procedure "act_Setup" line 30)
invoked from within
"act_Setup"
(procedure "act_Handoff_Activity" line 7)
invoked from within
"act_Handoff_Activity"
Below is my config
application
service aa flash:app-b-acd-aa-2.1.0.0.tcl
paramspace english index 1
param number-of-hunt-grps 1
param handoff-string aa
paramspace english language en
param max-time-vm-retry 3
param aa-pilot 1050
paramspace english location flash:
param second-greeting-time 60
param welcome-prompt _bacd_welcome.au
param queue-manager-debugs 1
param call-retry-timer 15
param max-time-call-retry 200
param voice-mail 8000
param service-name aa
dial-peer voice 1050 voip
service aa
destination-pattern 1050
session target ipv4:172.27.27.10
incoming called-number .
dtmf-relay h245-alphanumeric
codec g711ulaw
no vad
telephony-service
load 7914 S00104000100
load ATA ATA030100SCCP040211A
load 7920 cmterm_7920.4.0-02-00
load 7971 TERM70.6-0-3SR1S
load 7970 TERM70.6-0-3SR1S
load 7912 CP7912080001SCCP051117A
max-ephones 240
max-dn 480
ip source-address 172.27.27.10 port 2000
timeouts interdigit 5
system message Galaxia - VSAT Activated
sdspfarm units 1
sdspfarm transcode sessions 2
sdspfarm tag 1 mtp0018185bf860
cnf-file perphone
network-locale IT
time-zone 23
time-format 24
date-format dd-mm-yy
max-conferences 8 gain -6
call-park system redirect
call-forward pattern .T
moh music-on-hold.au
multicast moh 239.x.1.30 port 2123
web admin system name admin password btin3t
dn-webedit
time-webedit
transfer-system full-consult
secondary-dialtone 9
create cnf-files version-stamp 7960 Jul 25 2006 14:09:58
We do not have CUE.
Any help would be appreciated.
Thanks
GlynIn reference to this part of your config:
If you are using a hunt group, you need the following param:
param aa-hunt1
I would also try using a loopback addres in your voip dial peer, rather than the H.323 physical IP addres of your router.
here is the link with an example config:
http://www.cisco.com/en/US/partner/products/sw/voicesw/ps4625/products_configuration_guide_chapter09186a00805f2305.html#wp1012136 -
Tcl script to shut and no shut interface
Hi, I have problem with DMVPN I tried some configurations but any works.
The problem is that tunnel with ipsec protection does not support keepalives I have one hub and one spoke the spoke has two interfaces with dynamic ip and the hub has one interface with static ip the two devices have two tunnels gre. The spoke has track to the source and backup comand on tunnels one active and one for backup the problem is when the active tunnel is down (only protocol it is in this way coz the source is down down)the other tunnel comes up and its ok everything is working but when the tunnel active comes back the vpn does not come up until the tunnel is shutdown and not shutdown by manual way. I like to know if is possible to shut and no shut the tunnel when the source comes back with tcl script. (And if is possible that you help me to do the script).
Thanks in advance.Ok thanks everybody jaja it`s done. Solution cryto maps on interfaces and do not put tunnel ipsec protected on the tunnel interface on the hub.
DOC. DMVPN DUAL TIER ARCHITECTURE -
Hello,
I am trying to write a TCL script on a CSM (Code Ver 4.1) that retains the value of a variable between probe instances (so I can increment and check a variable in each probe attempt). Looking at the documentation there is supposed to be a 'gset' command that does this but cannot make this work.
The example says 'gset var 1 ; incr var'.
I have several problems with this:
1. I would think that this would set the value of var to 1 each time it runs and then increment it (maybe)
2. How can I read the value of the persistent variable without it causing an error if it doesn't exist?
3. It doesn't seem to work anyway as var doesn't appear in the Persistent Variables section of 'show mod csm x tech script'
Any ideas on this or on where I can get some examples where the gset command is used?
Many Thanks
LPit works for me:
I just added the gset and incr commands to the echo probe and it I do see the counter increasing.
gset counter 1
# parse cmd line args and initialize variables
puts "initializing variable 2"
set EXIT_MSG "Error config: script ECHO_PROBE "
incr counter
puts "Counter: $counter"
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
initializing variable 2
Counter: 7
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket
ECHO_PROBE_SCRIPT:192.168.30.24:7: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.24:7: receiving response
ECHO_PROBE_SCRIPT:192.168.30.24:7: closing socket
ECHO_PROBE_SCRIPT:192.168.30.24:7: probe success
initializing variable 2
Counter: 7
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.24:21: opening socket
ECHO_PROBE_SCRIPT:192.168.30.24:21: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.24:21: receiving response
ECHO_PROBE_SCRIPT:192.168.30.24:21: closing socket
ECHO_PROBE_SCRIPT:192.168.30.24:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
initializing variable 2
Counter: 8
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.48:7: opening socket
ECHO_PROBE_SCRIPT:192.168.30.48:7: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.48:7: receiving response
ECHO_PROBE_SCRIPT:192.168.30.48:7: closing socket
ECHO_PROBE_SCRIPT:192.168.30.48:7: probe success
initializing variable 2
Counter: 8
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
initializing variable 2
Counter: 8
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket
ECHO_PROBE_SCRIPT:192.168.30.24:7: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.24:7: receiving response
ECHO_PROBE_SCRIPT:192.168.30.24:7: closing socket
ECHO_PROBE_SCRIPT:192.168.30.24:7: probe success
initializing variable 2
Counter: 8
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.24:21: opening socket
ECHO_PROBE_SCRIPT:192.168.30.24:21: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.24:21: receiving response
ECHO_PROBE_SCRIPT:192.168.30.24:21: closing socket
ECHO_PROBE_SCRIPT:192.168.30.24:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
initializing variable 2
Counter: 9
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.48:7: opening socket
ECHO_PROBE_SCRIPT:192.168.30.48:7: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.48:7: receiving response
ECHO_PROBE_SCRIPT:192.168.30.48:7: closing socket
ECHO_PROBE_SCRIPT:192.168.30.48:7: probe success
initializing variable 2
Counter: 9
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
initializing variable 2
Counter: 9
Script start
this is a csm echo request
ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket
Maybe you are looking for
-
How can I get photo of callers to vshow full page since I just did the update it doesn't show but a thumbnail pic
-
How can I sharpen all photos in a gallery at one time?
I want to sharpen all of my photos in a gallery at one time. How do I do this? In Lightroom, you can sync....can I do this on Aperture?
-
Multi-Channel Audio to USB converter
We have an old windows pc with an awesome Altec Lansing ADA995 audio system, and I was wondering if it was possible to hook this system up to our new Macbook Pro with a converter to USB or the like. I don't know much about audio hardware, but the aud
-
Activate project management in controlling area
Hello, Activate project management in controlling area.. Is this activity must for PS/CO?? Thanks.
-
Link ArchiveLink Document (outb. invoice) with inb. invoice
Between the companies in our group we are having an ALE-handling for the invoicing process, incoming invoices are posted via IDoc. Actually it is possible to create in the SD-invoice the generated message as a pdf-Document on the external storage sys