Cisco embedded event manager applet

Hi everyone,
Can someone please confirm me if we can use cisco eem applet in ASA firewall. I know its for sure used in IOS but whta bout firewall? if yes then please help me out.
Thanks in advance.

i want to log-off a vpn tunnel if the VPN tunnel gets stuck. Can it be done on ASA firewall?

Similar Messages

Cisco Embedded Event Manager Issue

Hello Experts,
I have taken the following sample EEM from
https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet
The intention is to send a notification to an email address about a network problem. I have modified it bit for illustrative purposes. You will see that there are various show commands.
Can someone please show me how to email the show commands instead just appending them to the directory called "server_unreachable"?
TechWiseTV4506(config)#eve
nt manager environment _email_server 172.16.1.44 (<-my Post Cast server)
TechWiseTV4506(config)#event manager environment _email_to [email protected]
TechWiseTV4506(config)#event manager environment _email_from [email protected]
event manager applet email_server_unreachable
event track 10 state down
action 1.0 syslog msg "Houston we have a problem. Ping failed, server unreachable!"
action 1.1 cli command "enable"
action 1.2 cli command "del /force flash:server_unreachable"
action 1.3 cli command "show clock | append server_unreachable"
action 1.4 cli command "show ip arp 172.16.1.55 | append server_unreachable"
action 1.5 cli command "show ip route 172.16.1.55 | append server_unreachable"
action 1.6 cli command "show interface FastEthernet0/1/1 | append server_unreachable"
action 1.7 cli command "more flash:server_unreachable"
action 1.8 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "Server Unreachable: ICMP-Echos Failed" body "$_cli_result
action 1.9 syslog msg "Server unreachable alert has been sent to email server!"
Cheers
Carlton

This applet will actually email the results. However, in order to get all of the output together, it uses the server_unreachable file as an accumulator buffer. That file could be deleted as action 2.0:
action 2.0 cli command "delete /force flash:server_unreachable"
But that is already there in action 1.2, so it's not really needed.
What will happen is the applet will more the file to collect all of the output. That aggregated output will be stored in the $_cli_result variable. The result is that the body of your email will contain the consolidated command output.

Cisco Embedded Event Manager Book

Hello All,
Can someone let me know if they're any books currently available which I focused purely on Cisco EEM?
I would very much like to learn/practice EEM. I appreciate there is a lot of samples here, however I would like a more structured approach to learning EEM.
Cheers
Carlton

There is no book dedicated to EEM. The "Tcl Scripting for IOS" book from Cisco Press does cover EEM in some detail, though.

Embeded Event Manager on cisco 3560 switch

Can someone help me please? I have EEM configured on cisco 3560 switch. The configuration is below. I want that switch inform me through email when device with particilular IP address become unavailable. For some reason this configuration is not good and I can't tell why. I already try to debug this with debug event manager action mail but didn't see any output .
ip sla 11
icmp-echo ip address
frequency 20
ip sla schedule 11 life forever start-time now
event manager applet device-TEST
event snmp oid 1.3.6.1.4.1.9.9.42.1.2.9.1.6.11 get-type exact entry-op lt entry-val "2" poll-interval 20
trigger occurs 5 period 120
action 02.0 mail server "ip address" to "[email protected]" from "[email protected]" subject "device is down"

The mail part looks good, I'm not sure you are hitting the trigger right.
Why not do a track on the ip sla instead of the snmp stuff?
Here's a good example of that.
https://learningnetwork.cisco.com/blogs/network-sheriff/2009/06/19/writing-your-first-eem-applet

Embedded Event Manager - SNMP - run TCL script

I would like to run a tcl script on a router using snmp. I understand Embedded Event Manager can do this but haven't found what I need to run that. Can someone point me in the right direction?

Yeah, you could do this, but it depends on your version of IOS. You will need EEM 3.1 or higher (15.0) to be able to intercept SNMP GET requests. Then, you could do something like:
event manager applet snmp-trigger event snmp-object oid 1.9.9.9.9 type gauge sync yes istable no action 1.0 policy my_tcl_policy.tcl action 2.0 snmp-object-value event-id _event_id gauge 0 next-oid 1.9.9.9.9.0 action 3.0 exit 1!snmp-server manager
Then, when you query 1.9.9.9.9.0 on the device, the Tcl policy "my_tcl_policy.tcl" should execute, and the snmp-trigger applet policy will return a value of 0.
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com

Monitoring PRI using Embedded Event Manager

Hi,
I am trying to use Embedded Event Manager to flag when calls on a pri get above
28 but its not working. I found an OID which shows number of calls currently on
the B Channels of a pri. I dropped the threshold to two just to check it was
functioning correctly. Config below:
event manager applet bchan-mon
event snmp oid 1.3.6.1.4.1.9.10.19.1.1.11 get-type exact entry-op gt entry-val
2 poll-interval 60
action exceeded syslog priority critical msg "All Chanels in Use"
I have done a debug and it says the OID is not found even though if i do a show
snmp mib i see the OID. Output below:
Feb 9 08:35:58.097: fh_process_async: re=445EF694, timer_type=POLL
Feb 9 08:35:58.097: snmp_entry_value_check: OID unavailable, value check
skipped
Feb 9 08:35:58.097: snmp_entry_value_check:Returning FALSE
Feb 9 08:35:58.097: fh_process_async: update_t=0cron_tick: num_matches 0
Has anyone successfullly used EEM to do this?
Any help appreciated.
Thanks
Kev

Hi Joe,
I get this from an snmp walk:
rh019654@c_nnm_u > snmpwalk lr2196 1.3.6.1.4.1.9.10.19.1.1.11
cisco.ciscoExperiment.19.1.1.11.0 : Unsigned32: 0
The device is a cisco 2851 and the IOS is C2800NM-SPSERVICESK9-M 12.4(18e).
If i run a debug now after adding the 0 i dont get a OID error not found anymore but its still not flagging the message in the log when the amount of calls go above 2. See below:
Feb 10 09:43:17.774: fh_process_async: re=463448F0, timer_type=POLL
Feb 10 09:43:17.774: snmp_value_uint_compare:op1=0 op2=2 ret=FALSE
Feb 10 09:43:17.774: snmp_entry_value_check:Returning FALSE
Feb 10 09:43:17.774: fh_process_async: update_t=0
Thanks
Kev

Problem with Embedded Event Manager and Object Tracking

Hi,
I have a 2801 running c2801-advipservicesk9-mz.124-24.T2.bin. It has the following configuration:
track 300 list boolean or
object 10
object 11
object 12
object 13
event manager applet clear_ipsec_tunnel
event track 300 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear crypto session"
action 3.0 syslog msg "IPSec tunnel has been cleared by clear_ipsec_tunnel applet"
My problem is that after the tracked object number 300 transitions from an up state to a down state, nothing happens. It seems like the applet doesn't work with object tracking. Here's what I see in logs:
Dec 7 21:52:32.236 MCK: %TRACKING-5-STATE: 12 ip sla 12 reachability Up->Down
Dec 7 21:52:37.236 MCK: %TRACKING-5-STATE: 13 ip sla 13 reachability Up->Down
Dec 7 21:52:57.236 MCK: %TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
Dec 7 21:53:07.236 MCK: %TRACKING-5-STATE: 11 ip sla 11 reachability Up->Down
Dec 7 21:53:07.996 MCK: %TRACKING-5-STATE: 300 list boolean or Up->Down
That's it. For some reason, the applet won't execute the CLI commands when the EEM applet is triggered. Am I doing something wrong or I have encountered some bug? Thanks.

jclarke,
Today I added the router into the tacacs server database and the applet started working just fine by using my login name. So the working configuration looks like this:
event manager session cli username "my login name"
event manager applet clear_ipsec_tunnel
event track 300 state down maxrun 30
action 1.0 cli command "enable"
action 2.0 cli command "clear crypto session"
action 3.0 syslog msg "IPSec tunnel has been cleared by clear_ipsec_tunnel applet"
Then I tried to use a login name from the local database that has "privelege 15" access and of course the debug output showed me this:
Dec 8 18:12:58.203 MCK: %TRACKING-5-STATE: 300 list boolean or Up->Down
Dec 8 18:12:58.203 MCK: fh_track_object_changed: Track notification 300 state down
Dec 8 18:12:58.203 MCK: fh_fd_track_event_match: track ED pubinfo enqueue rc = 0
Dec 8 18:12:58.215 MCK: fh_send_track_fd_msg: msg_type=64
Dec 8 18:12:58.215 MCK: fh_send_track_fd_msg: sval=0
Dec 8 18:12:58.219 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : CTL : cli_open called.
Dec 8 18:12:58.227 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : Router>
Dec 8 18:12:58.227 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : IN : Router>enable
Dec 8 18:12:58.747 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : Command authorization failed.
Dec 8 18:12:58.747 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT :
Dec 8 18:12:58.747 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : Router>
Dec 8 18:12:58.747 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : IN : Router>clear crypto session
Dec 8 18:12:58.771 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : ^
Dec 8 18:12:58.771 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Dec 8 18:12:58.771 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT :
Dec 8 18:12:58.771 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : OUT : Router>
Dec 8 18:12:58.775 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel: IPSec tunnel has been cleared by clear_ipsec_tunnel applet
Dec 8 18:12:58.775 MCK: %HA_EM-6-LOG: clear_ipsec_tunnel : DEBUG(cli_lib) : : CTL : cli_close called.
So I guess this problem arises when you have command authorization enabled and the tacacs server is not reachable or something like that. I have tried to find a way to use the local database instead of using the aaa server but didn't succeed. Although I have found an interesting workaround. Here it is:
Link: http://blog.ioshints.info/2007/05/command-authorization-fails-with-eem.html
Workaround found after reading the "Executing IOS commands from Tcl shell" from the "Tclsh on Cisco IOS tutorial".
On the above article it is mentionned that the ios_config command is executed inside the context of another VTY line (also found with the AAA debug). The workaround is to define the FIRST VTY line with "transport input none" to prevent ssh or telnet to grab it and to configure the aaa authorization without any command authorization for this line.
Kind regards
Christian Chautems
Looks great, but I am not quite sure how to "configure the aaa authorization without any command authorization for this line".
Anyway, jclarke thank you so much for taking your time to look into my problem and for your help.

Embedded event manager

Hi team
I had open a post in lan switching for this particular problem and the expert from that forum has given the solution of embedded event manager so i need a help from this forum.
The probelm defination is==
Cisco 6509 (Core switch) connected to firewall on uplink side and on downlink its connected to 2 diffrent Cisco 6509 switches (Distribution) layer.All these links have been configured as Routed link and not as SVI.Now issue is when both the downlinks (coming from both distribution) switches go down i want to make the uplink from core to firewall to go down so that other core switch will take over and transfer teh traffic.
Attached diagram has details.tried configuring HSRP between 2 core switches but as teh links are routed link HSRP not working and both switches remain master but as on oppsite side Juniper firewall NSRP is implemented 2nd firewall not responding and core-2 ==fw2 link not transfer traffic.now when both the links of core go down link from core1-fw1 should go down so Fw2 will get active and will send traffic on link betwene core2-firewall2..please let me know what kind of configursation is required in EEM..

Do the following (assuming you have a disk0:):
mkdir disk0:/policies
copy tftp://x.x.x.x/sl_intf_watch.tcl disk0:/policies
config t
event manager directory user policy disk0:/policies
event manager environment intf_watch_interfaces TenGigabitEthernet9/1,TenGigabitEthernet9/3
event manager environment intf_watch_uplink GigabitEthernet1/2
event manager policy sl_intf_watch.tcl
Where x.x.x.x is the IP address of your TFTP server.
After that, the policy is registered, and waiting for the interfaces to go down.

EEM event manager applet problem

I'm trying to create an EEM applet to log the output of a command to file every 5 minutes. The idea is to get a traffic baseline for implementing control plane policing but I want statistics from at least a whole week (not just while I'm at work). I have a 6506-E running 12.2(18)SXF17a for WLSM (WS-SVC-WLAN-1-K9) support. Initially I was trying to save the file to tftp but it turns out one cannot "| append" to a file on a tftp server. I thought about trying to increment the file name with a counter but instead I opted for this:
event manager applet controlplanelog
event timer cron name controlplanelog cron-entry "0/5 * * * *"
action 1.0 cli command "enable"
action 1.1 cli command "show policy-map control-plane | append disk1:log.txt"
This didn't seem to work because the contents of the file "disk1:log.txt" didn't change over the course of my lunch time. I thought I had the timer messed up so I changed the entry "0/5 * * * *" to "0,5,10,15,20,25,30,35,40,45,50,55 * * * *". That didn't work either so I changed the event to none and ran it manually using "event manager run" and still, the file "disk1:log.txt" contents did not change.
Am I trying to execute an unsupported command or is this an error or am I just doing it wrong? Any help would be appreciated.

That is wierd. I must have typed it in wrong somewhere....
I had already removed all eem commands since I used the numbers from the other 6500 log file. When I added them back in with the command changed to "show version" the text file was modified as expected. Even before checking the file, I noticed a difference because I had debugging on per your previous suggestion and these lines showed up in addition to the lines which previously showed up.
545685: Sep 10 15:41:24.674 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
545686: Sep 10 15:41:24.674 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : 6506#
545687: Sep 10 15:41:24.674 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : IN : 6506#exit
545688: Sep 10 15:41:24.674 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : CTL : cli_close called.
At this point I reverted to the original command and it now works as expected.
For the sake of progeny, here is the debugging when not appending to a file.
545990: Sep 10 15:50:27.016 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : CTL : cli_open called.
545991: Sep 10 15:50:27.120 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
545992: Sep 10 15:50:27.120 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : 6506>
545993: Sep 10 15:50:27.120 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : IN : 6506>enable
545994: Sep 10 15:50:27.132 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
545995: Sep 10 15:50:27.132 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : 6506#
545996: Sep 10 15:50:27.132 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : IN : 6506#show policy-map control-plane
545997: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
545998: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : Control Plane Interface
545999: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
546000: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : Service-policy input: copp-policy
546001: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT :
546002: Sep 10 15:50:27.144 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : OUT : Hardware Counters:(ouput omitted)546017: Sep 10 15:50:27.148 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : CTL : 20+ lines read from cli, debug output truncated
546018: Sep 10 15:50:27.148 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : IN : 6506#exit
546019: Sep 10 15:50:27.148 KST: %HA_EM-6-LOG: controlplanelog : DEBUG(cli_lib) : : CTL : cli_close called.
On a side note I have been pondering something unrelated to my original question but maybe you know the answer to that too. If I have NTP restricted by an access list using the "ntp access-group peer" and "ntp access-group serve" commands as well as through control plane policing, which list is processed first: Do the "ntp access-group" commands keep packets from entering the control plane that don't match the list or do they hit the control plane before being dropped by the access-list?

Embedded Event manager scripting help

Hello,
I'm looking into a way to do the following:
If pinging of BGP peer detects packet loss, or circuit flapping, lets say 5 flaps in 60 secs, then I'd like the bgp peering to go into admin down state.
Would be nice if it also recovered on its own when 1hour or X of stability was detected.
Thank you

I found a good doc and think i'll be going with this:
IP SLA 3
icmp-echo X.X.X.X source-interface GIGXXXX
IP SLA schedule 3 life forever start-time now
track 3 ip sla 3 reachability
delay up XX
event manager applet WAN_DOWN
event track 3 state down
action 1.0 syslog msg "Packet loss or Primary WAN cct loss detected"
action 2.0 cli command "enable"
action 3.0 cli command "config t"
action 4.0 cli command "router bgp XXXXX"
action 5.0 cli command "neighbor X.X.X.X shut"
action 6.0 cli command "end"
action 7.0 syslog msg "BGP neighbor placed in Admin Down because of packet loss to Peer"
event managet applet wan_up
event track 3 state up
action 1.0 syslog msg "WAN network restored"
action 2.0 cli command "enable"
action 3.0 cli command "config t"
action 4.0 cli command "router bgp XXXXX"
action 5.0 cli command "no neighbor x.x.x.x shut"
action 6.0 cli command "end"
action 7.0 syslog msg "BGP neighbor was brought up due to sustained comm with Peer"

Embedded Event Manager Versions on Routers

Hello Community,
Can someone please tell me if its possible to load a EEM version on a 3600 higher than 2.1 or on a 3700 higher than 2.2?
Cheers
Carlton

The EEM version is fixed to the IOS. See https://supportforums.cisco.com/docs/DOC-8799 on how to figure out what version is available on your device. EEM 2.2 requires 12.4(2)T or higher and 2.3 requires 12.4(11)T or higher.

Event Manager question. Monitoring DNS entry.

Hello everybody,
I want to use Cisco Embedded Event Manager in a router for monitoring a DNS entry that normally resolves 1.1.1.1 but if it changes to 2.2.2.2 the router has to change some access list automatically in order to permit different routes.
I know how to configure de "action" sentences for change the ACLs but I dont know how to configure a track or a SLA in order to check the DNS entry and react if it changes.
Someone knows how to do that?
event manager applet ChangeRoutesWhenDNSEntryChanges
event track 21 state ??????????????????????????????????????????????????<----------
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "ip access...
Thank you in advance!!
Marcos.

Indeed, I just provided the above example to demonstrate how we can force a DNS lookup and parse the IP address...
I was actually thinking about using the IP SLA DNS probe, but I could not find a way to get the IP address from the results... It just shows the response time.
In order to make the script work, we would most likely need to use some timer to trigger it periodically.
This is an adaptation of my previous example to actually accomplish a periodic check:
event manager applet CHECK-DNS
event timer watchdog time 60
action 1.0 cli command "ena"
action 1.1 cli command "ping host1 repeat 1 timeout 0"
action 2.0 regexp "ICMP Echos to (.*), timeout is 0 seconds:" "$_cli_result" _match _ip
action 3.0 if $_ip ne 1.1.1.1
action 4.0 syslog msg "host1 is now $_ip"
action 5.0 end
If you want to do something as a reaction to detecting the change, that would have to go into the "4.0" block (you can use 4.1, 4.2 etc)
Another thing to consider is that this script would run every minute, so as long as the DNS query resolves to anything but 1.1.1.1 we would re-apply the config changes, which is not that good...
A way to solve this can be seen in the next example:
event manager applet HOST1-NOT-1.1.1.1
event timer watchdog time 60
action 1.0 cli command "ena"
action 1.1 cli command "ping host1 repeat 1 timeout 0"
action 2.0 regexp "ICMP Echos to (.*), timeout is 0 seconds:" "$_cli_result" _match _ip
action 2.1 track read 100
action 3.0 if $_ip eq 1.1.1.1
action 4.0 if $_track_state eq down
action 4.1   track set 100 state up
action 4.2   syslog msg "host1 is now 1.1.1.1 again"
action 4.9 end
action 5.0 else
action 6.1 if $_track_state eq up
action 6.2   track set 100 state down
action 6.3   syslog msg "host1 is not 1.1.1.1, new ip is $_ip"
action 6.9 end
action 7.0 end
Basically we are using a stub tracking object to maintain state. Track object 100 would be up if we know host1=1.1.1.1, but if we detect it is something else we change it to down. Only after we detect that host1=1.1.1.1 again we change the track object back to up, which would enabled detecting another change...
Any actions you want to take should go into section "6" and any clean up (when host1=1.1.1.1 again) has to go into section "4".
It is possible to make this detect any change and not just have a static 1.1.1.1 value by assigning the newly detected value to a variable and basically look for a change... Not sure what is your requirement.
The output below shows how this works...
Router#show run | inc ip host
ip host host1 1.1.1.1
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip hos
Router(config)#ip host host1 2.2.2.2
Router(config)#^Z
Router#
*Nov 9 18:23:18.009: %TRACKING-5-STATE: 100 stub   Up->Down
*Nov 9 18:23:18.021: %HA_EM-6-LOG: HOST1-NOT-1.1.1.1: host1 is not 1.1.1.1, new ip is 2.2.2.2
Router#
*Nov 9 18:23:18.065: %SYS-5-CONFIG_I: Configured from console by console
Router#
Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip host host1 1.1.1.1
Router(config)#^Z
Router#
*Nov 9 18:23:42.805: %SYS-5-CONFIG_I: Configured from console by console
Router#
*Nov 9 18:24:18.025: %TRACKING-5-STATE: 100 stub   Down->Up
Router#
*Nov 9 18:24:18.033: %HA_EM-6-LOG: HOST1-NOT-1.1.1.1: host1 is now 1.1.1.1 again

Event manager script not working as expected

On a Cisco 4900M running Version 12.2(53)SG1, trying to capture certain information requested by Cisco TAC to troubleshoot periodic high cpu usage on the device causing it to momentarily not respond to HSRP packets from the HSRP partner.
This is the script in place today:
event manager applet capture_cpu_spike
event snmp oid 1.3.6.1.4.1.9.2.1.56 get-type next entry-op ge entry-val "80" exit-time 10 poll-interval 1
action 1.0 syslog msg "CPU Utilization is high"
action 2.0 cli command "en"
action 3.0 cli command "show proc cpu sort | redirect bootflash:cpuinfo1.txt"
action 3.1 cli command "show int summ | redirect bootflash:cpuinfo2.txt"
action 3.2 cli command "show proc cpu sort | redirect bootflash:cpuinfo3.txt"
action 3.3 cli command "show int summ | redirect bootflash:cpuinfo4.txt"
action 3.4 cli command "show platform cpu packet statistics | redirect bootflash:cpuinfo5.txt"
action 3.5 cli command "show platform health | redirect bootflash:cpuinfo6.txt"
action 4.0 cli command "end"
Problem is, when the cpu does spike, only action 3.1 is executed.
How do I modify this script to run all the commands listed?
TIA
dom

Let me first explain why your script is not working for you.
Basically, the problem you encounter is a result of a common misconception about copyin(). It is intended to be used to copy content of userspace memory into a scratch buffer so that it can be accessed directly from within kernel space (where the DTrace core executes). That said, it is often interpreted as somehow being equivalent to malloc() whereas in reality it actually works like alloca() instead. So, what you are seeing is basically the artefact of the scratch buffer being overwritten with other data. And unfortunately, that is perfectly legal.
The content of the scratch buffer pointed to by self->addr in your script is only valid for as long as the specific probe enabling is executing (it is clause-local). So, your clauses to print out the actual bytes in the buffer are looking at a buffer that is for all intends and purposes no longer reserved, and therefore you are looking at it after other data was written to the scratch space.
So... in order for this to work, you should do things a bit different. Rather than trying to get a copy of the buffer in one clause, and then read from it in following clauses, you can simply collect the buffer address in the entry read:entry clause, get the number of bytes read in the first read:return clause, and then for every clause in which you print 4 bytes do the following (example for bytes 4-7):
syscall::read:return
/execname == "foobar" && self->nbytes > 4/
this->addr = (char *)copyin((uintptr_t)self->bufferaddr + 4, 4);
printf(" 4- 7: %02x %02x %02x %02x\n", this->addr[0], this->addr[1], this->addr[2], this->addr[3]);
So basically, for every clause that print 4 bytes you copyin those bytes, and then print them out.

Changing port configuration with Event Manager

Hello,
I'm trying to change the configuration of a port when the port goes down with EEM.
So when an flex connect access-point is disconnected the port becomes an access-port.
I don't want to use the MAC address.
Does anyone has experience with this.
Below is the applet I'm using.
Thanks in advanced,
Michel
event manager applet CONFIG-ACCESS-PORT
event neighbor-discovery interface regexp "(FastEthernet[0-9]\/[0-9]+)" cdp delete
action 100 regexp "(AIR-LAP)" "$_nd_cdp_platform" value
action 110 if $_regexp_result eq "1"
action 200 cli command "enable"
action 210 cli command "config t"
action 220 cli command "interface $_nd_local_intf_name"
action 240 cli command "switchport mode access"
action 250 cli command "switchport access vlan 20"
action 260 cli command "no switchport trunk encapsulation dot1q"
action 270 cli command "no switchport trunk native vlan 88"
action 280 cli command "no switchport trunk allowed vlan 88,100"
action 290 cli command "spanning-tree portfast"
action 400 syslog msg "EXECUTED EEM APPLET FOR ACCESS-PORT interface $_nd_local_intf_name"
action 500 cli command "end"
action 510 cli command "copy run start"

Hi Evan,
For sure! There is a really good example on the configuration guide, and assciated caveats.
http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_0100011.html
Benefits for using LAG is increased bandwidth, and redundancy - especially if you have the two (or more in the case of a 5508 WLC) ports connected to different physical switches, eg a 3750 stack.
Best,
Evan

Event in Cisco Unified Operations Manager makes no sense

Hi
The ennvironement is as follows:
3 CCM 4.x Cluster and lot of h323 Gateways. All is controlled by a gatekeeper.
For monitoring purposes I'm running a Cisco Unified Operations Manager 2.0.2. From a h323 gateway I recieve an event, that there happend packet loss and that the MOS was below the critical MOS threshold. As destination I see another h323 gateway in the same cluster. What does this mean? For me there is never voice between these 2 gateways. For me this event makes no sense. On the gateways everything looks fine, there are no drops or errors neither on the interface nor on the service-policy.
Any idea why it's generating this event?
Regards
Peter

Hi Peter,
I think it would be best if you could get a packet capture (at the point of the 1040 sensor) during the times of one of these low MOS scores and then open a TAC case. The TAC engineer will need to contact the 1040 sensor developers to understand how exactly they are calculating packet loss and the packet capture will help greatly in finding the root cause. There are two components to packet loss for a 1040 sensor.
1) Actual network packet loss (i.e. based on missing sequence numbers).
2) Packets lost in the jitter buffer emulation (packet discards). This will
count as a packet loss for any packet that arrives 20ms past its expected
arrival time OR any "out of order" packet. Since the packets for a G711 are
sent at a 20ms rate, a packet which is delayed 20ms may arrive out of order and
be counted as lost.
Sri

Cisco embedded event manager applet

Similar Messages

Maybe you are looking for