Tcl script help -- include interface description in status message

Similar Messages

• Including Interface Description in Cisco PRime Infrastructure Alarm Message

  Hi all,
  i succesfully configured a Cisco Prime Infrastructure 2.1 applliance to display an alarm and to send me an e-mail when switch uplink ports goes down.
  The text displayed in alarm message is :
  port 'interface_id' is down on device 'device_ip_address'
  I'd like to include in this text also the interface description so the text will display :
  port 'interface_id'  'interface_descriprion' is down on device 'device_ip_address' 
  Is this possible?
  Thankyou in advance

  Hi,
  i followed these steps :
  SWITCH SIDE
  - configured Prime Infrastructure as snmp-server host;
  - enabled snmp-traps for linkup and linkdown events globally;
  - disabled snmp-traps for linkup and linkdown on non relevant interfaces using the no snmp trap link-status command
  PRIME INFRASTRUCTURE SIDE
  - under "Deploy/Monitor Deployment" i deployed template "Interface Health"  for all the interested switches
  -  under "Administration/System Settings/Mail Server Configuration" configured my internal SMTP server to make Prime Infrastructure able to send e-mails
  - under "Operate/Alarms & Events" click on "Email Notifications" , then on "Switches and Hubs"
     - check the "critical" box ,  insert the destination e-mail address into the "To" field then click "Save"
   -  check the "switches and Hubs" box and then click Save
  As i know is possible to avoid to configure every single not-interesting port on the switches with "no snmp trap link-status" command (it's a bit annoying when you have tens of switches), using Port Grouping configuration on PI but i tried it without success.
  Hope this helps.
  Best Regards,

• EEM / Tcl Script Help Please

  Hello Community,
  I have been evaluating a Tcl Script posted here sometime ago, designed to help monitor track interfaces and routes, see attached.
  I believe I have applied the configurations correctly, however when I test the script by shutting down interfaces nothing happens.
  I'm sure its something very simple that I'm missing.
  I wonder if someone could take a look at the configs and let me know what I'm doing wrong. I have also attached a diagram.
  Cheers
  Carlton

  Joseph,
  I did read again and I got it to work :-)
  Cheers
  On a slightly different topic, is it possible to 'track' a static ip address?
  For example, I have the following tracking configured:
  track 1 ip route 0.0.0.0 0.0.0.0 reachability
  track 2 interface FastEthernet0/0 ip routing
  track 3 interface FastEthernet0/1 ip routing
  track 4 ip route 180.80.8.4 255.255.255.255 reachability
  track 5 ip route 170.70.7.4 255.255.255.255 reachability
  R3#show track brie
  Track   Object                         Parameter        Value
  1       ip route  0.0.0.0/0            reachability     Up (static)
  2       interface FastEthernet0/0      ip routing       Up
  3       interface FastEthernet0/1      ip routing       Up
  4       ip route  180.80.8.4/32        reachability     Down (no route)
  5       ip route  170.70.7.4/32        reachability     Down (no route)
  However, you will see that track 4 and 5 are down. This is because, although I can ping 180.80.8.4 and 170.70.7.4 the actual ip addresses don't appear in the routing table:
  Gateway of last resort is 0.0.0.0 to network 0.0.0.0
       170.70.0.0/24 is subnetted, 1 subnets
  C       170.70.7.0 is directly connected, FastEthernet0/0
       10.0.0.0/24 is subnetted, 1 subnets
  C       10.1.1.0 is directly connected, FastEthernet1/0
       180.80.0.0/24 is subnetted, 1 subnets
  C       180.80.8.0 is directly connected, FastEthernet0/1
       150.50.0.0/24 is subnetted, 1 subnets
  C       150.50.5.0 is directly connected, Ethernet2/0
  S*   0.0.0.0/0 is directly connected, FastEthernet1/0
  R3#
  Therefore, is there way of creating a track for /32 ip addresses?
  I hope that makes sense.
  Cheers

• TCL script help needed on Nexus7000 !

  Does anyone know how to create a TCL script on Nexus7000 switch for following scenario ? Need urgent help here.. :-
  Here is what I am trying to do :-
  1. Whenever following log on "show log log" prints out :-
  testnexus7000 %PIXM-2-PIXM_SYSLOG_MESSAGE_TYPE_CRIT:
  2. Print out the output of show system internal pixm errors
  And look for following line :-
  [102] pixm_send_msg_mcast(1208): MTS Send to LC X failed >> where X is 0 based
  and this error can occur multiple times for different LCs too.
  4. Reload line card (s) X and syslog " task done"
  Regards
  Vijaya

  Hi,
  Vijaya I found same post on support cisco forums So people helped someone in same question !!!!!!
  Please read it ....
  https://supportforums.cisco.com/thread/2128886
  Yes plus if u can help me in ......Cisco ASA same security problem than that will be good for me .....I will contact u and will be great help for me if u help
  Hope that link help u .....
  Bye,

• EEM TCL script configuration issue

  Hi Experts,
  I need help with an EEM TCL script for the CRS platform that generates a SYSLOG message after the CPU reaches a threshold value and then stays over the threshold value for 15 minutes, I've already tryied several thing and the last TCL script that I tested generated the SYSLOG message when the CPU reaches the threshold but I can't seem to find any way to make it wait the 15 min over the threshold and then generate the message.
  My current script looks like this:
  ::cisco::eem::event_register_wdsysmon timewin 900 sub1 cpu_tot op ge val 70
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  array set event_details [event_reqinfo]
  action_syslog msg "sub1 is $event_details(sub1)"
  action_syslog msg "High CPU threshold value over 70%"
  puts ok
  I've tryied using the 'period' option for the 'cpu_tot' variable but the TCL script was'nt recognized and couldn't be registered, and I'm using the 'timewin' option here but it seems to be wrong as it says it's the time it has for multiple sub-events to ocurr in order for the script to execute.
  timewin
  (Optional) Time window within which all of the subevents have to occur in order for an event to be generated and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295 inclusive. MMM format must be an integer representing milliseconds between 0 and 999).
  Also, the 'period' option I believe wouldn't have worked because I understand that it referrs to the time period that the script will take to monitor the CPU:
  •1. cpu_tot [op gt|ge|eq|ne|lt|le] [val ?] [period ?]
  op
  (Optional) Comparison operator that is used to compare the collected total system CPU usage sample percentage with the specified percentage value. If true, an event is raised.
  val
  (Optional) Percentage value in which the average CPU usage during the sample period is compared.
  period
  (Optional) Time period for averaging the collection of samples and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295, inclusive. MMM format must be an integer representing milliseconds between 0 and 999. If this argument is not specified, the most recent sample is used.
  As I said, I couldn't try this because the script send an error when I tried to register using the following line:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op ge val 70 period 900
  This is the error message that appeared:
  RP/0/RP0/CPU0:CRS(config)#event manager policy test.tcl username cisco
  RP/0/RP0/CPU0:CRS(config)#commit
  Thu Aug 29 12:35:43.569 CDT
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RP0/CPU0:CRS(config)#sh conf fail
  Thu Aug 29 12:35:52.427 CDT
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  event manager policy test.tcl username cisco persist-time 3600
  !!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy test.tcl
  end
  Anyway, to make this work I understand that I need nested TCL scripts that do the following:
  •1. Monitor the CPU and when it reaches the threshold install another TCL policy that counts down 15 min.
  •2. If the second TCL policy reaches zero then it should generate the SYSLOG message.
  •3. Monitor the CPU while this is running and if it falls below the threshold it should stop the second TCL policy.
  I don't know how I can acomplish this so if anyone can help me with this or show me another way to do this I would really appreciate it.
  Thanks in advance for all your help!

  Neither option is likely to do what you want.  The timewin is for correlating multiple events, and period is the polling interval.  What you want is to create a timer when the CPU is first detected as being high, countdown 15 minutes, then alert you.  You can do this with a nested EEM policy.  For example, you can add the following to your existing policy:
  proc get_pol_dir { fd } {
      set res {}
      set output [cli_exec $fd "show event manager directory user policy"]
      set output [string trim $output]
      regsub -all "\r\n" $output "\n" result
      set lines [split $result "\n"]
      foreach line $lines {
          if { $line == "" } {
              continue
          if { ! [regexp {\s} $line] && ! [regexp {#$} $line] } {
              set res $line
              break
      if { $res == {} } {
          return -code error "The user policy directory has not been configured"
      return $res
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  set output [cli_exec $cli(fd) "show event manager policy registered | inc tm_alert_high_cpu.tcl"]
  if { [regexp {tm_alert_high_cpu.tcl} $output] } {
      exit 0
  set poldir [get_pol_dir $cli(fd)]
  set polname "${poldir}/tm_alert_high_cpu.tcl"
  set fd [open $polname "w"]
  puts $fd "::cisco::eem::event_register_timer countdown time 900"
  puts $fd "namespace import ::cisco::eem::*"
  puts $fd "namespace import ::cisco::lib::*"
  puts $fd "action_syslog msg \"CPU has been over 70% for 15 minutes\""
  close $fd
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "event manager policy tm_lert_high_cpu.tcl username eem"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}
  Additionally, you'll want another permanently configured policy that checks for a low CPU threshold.  Something like:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op le val 10
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "no event manager policy tm_alert_high_cpu.tcl"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}

• EEM-TCL Script to switch config from interface X to interface Y

  Hello Guys,
  I’m trying to create a script which is controlled by an EEM-UPDOWN event of an interface. What I’m trying to do is, if interface X is down for some reason it should copy the interface configuration to interface Y.
  So my problem is I’m very new to eem-tcl scripting and I have some basic problem hopefully u can help me =) I’m working on a ASR9K !
  So what i have done so fare:
  ::cisco::eem::event_register_syslog occurs 1 pattern ".*CHANGED.*$_sat_1_link_1.*" maxrun 90   
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  array set arr_einfo [event_reqinfo]
  if {$_cerrno != 0} {
      set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
        $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
      error $result
  if [catch {cli_open} result] {
      error $result $errorInfo
  } else {
      array set cli1 $result
  action_syslog priority emergencies msg "start script testv1_1"
  #puts "\nEXECUTE CLI COMAND :\n"
  set out {cli_exec $cli1(fd) "show running-config formal interface $_sat_1_link_1"}
  set xout [split $out \n]
  #puts "DEBUG : $xout \n\n"
  set anz [llength $xout]
  #puts "DEBUG : count rows = $anz \n\n"
  for {set ii "0"}  {$ii < $anz } {incr ii} {
         set indexout [lindex $out $ii]
      regexp  {([\w]+)[ ]([\w\d/]+)\s(.*)} $indexout a b c d
      #puts "\nDEBUG START"
      #puts "\nindex Nr  $ii"
      #puts "Full Match: $a"
      #puts "Sub Match1: $b"
      #puts "Sub Match2: $c"
      #puts "Sub Match3: $d"
      #puts "DEBUG END\n"
      set intsrc {cli_exec $cli1(fd) "no $b $_sat_1_link_1 $d"}
      set intdest {cli_exec $cli1(fd) "$b $_sat_1_link_2 $d"}
  if [catch {cli_exec $cli1(fd) "commit"} result] {
      error $result $errorInfo
  if [catch {cli_exec $cli1(fd) "end"} result] {
      error $result $errorInfo
  action_syslog priority emergencies msg "End script testv1_1"
  ps. $_sat_1_link_1 and $_sat_1_link_2 are globaly set per cli in the event manager env.
  Thanks for your help and hopefully u can help me with this script

  Hey
  after show running-config formal interface TenGigE 0/0/2/1 the cli output example is :
  interface TenGigE0/0/2/1 description Test: 0-43
  interface TenGigE0/0/2/1
  interface TenGigE0/0/2/1 shutdown
  and now i want to split the config with my regex
  regexp  {([\w]+)[ ]([\w\d/]+)\s(.*)} $indexout a b c d
  As example line 1
  set x= "TenGigE0/0/2/2"                  --> =dest_interface
  a= interface TenGigE0/0/2/1 description Test: 0-43
  b= interface
  c= TenGigE0/0/2/1
  d= description Test: 0-43
  do this
  cli_exec $cli1(fd) "no $b $c $d"      --->no interface TenGig E0/0/2/1 description Test: 0-43
  cli_exec $cli1(fd) " $b $x $d"          ---> interface TenGigE0/0/2/2 description Test: 0-43
  and from this point it shoud do this until there are no config lines  =)
  as a final result is should copy the whole config from interface X to interface Y  if the trigger is active
  but as i see, the main problem is to get the CLI output in a format like this
  set xy = interface TenGigE0/0/2/1 description Test: 0-43\ninterface TenGigE0/0/2/1\ninterface TenGigE0/0/2/1 shutdown
  or in an index like this:
  Index | command
  1         interface TenGigE0/0/2/1 description Test: 0-43
  2         interface TenGigE0/0/2/1
  3         interface TenGigE0/0/2/1 shutdown
  Thx

• Setting the source-interface in a tcl script for email.

  So once again I am trying to figure this out and failing miserably. The only thin I can think of at the moment is that I need to tell it to source from a specific vrf interface. I've tried looking through possible enviornment variables. Hoping I could set it that way but have yet to find one. I have read varios settings for source-interface and attempted them. But fail every time with:
  vpn_failure.tcl: smtp_send_email: error connecting to mail server:
  EEM Version:
  sho event manager version
  Embedded Event Manager Version 4.00
  Component Versions:
  eem: (rel4)1.0.4
  eem-gold: (rel1)1.0.2
  eem-call-home: (rel2)1.0.0
  Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
  # create mail form
    action_syslog msg "Creating mail header for vpn_failure.tcl script..."
    set body [format "Mailservername: %s" "$_email_server"]
    set body [format "%s\nFrom: %s" "$body" "$_email_from"]
    set body [format "%s\nTo: %s" "$body" "$_email_to"]
    set _email_cc ""
    set body [format "%s\nCc: %s" "$body" ""]
    set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
    set body [format "%s\n%s" "$body" "Report Summary:"]
    set body [format "%s\n%s" "$body" "   - syslog message"]
    set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
    set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
    set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
    set body [format "%s\n%s" "$body" "   - show crypto session detail"]
    set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
    set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
    set body [format "%s\n%s" "$body" "   - show log"]
    set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
    set body [format "%s\n%s" "$body" "$syslog_msg"]
    set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
    set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_route"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
    set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
    set body [format "%s\n\n%s" "$body" "$show_log"]
    if [catch {smtp_send_email $body} result] {
      action_syslog msg "smtp_send_email: $result"

  I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the sourceinterface. In debugging everyting in the script works except for the mail portion.
  Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
  Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
  Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
  Debugging On:
  Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
  Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
  Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
  Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
  Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
  Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
  Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
  Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
  Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
  cannot connect to all the candidate mail servers
  Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
  event manager environment _email_server 10.79.1.126
  event manager environment _email_from [email protected]
  event manager environment _email_to [email protected]
  interface Port-channel1.101
  description MGMT-1
  encapsulation dot1Q 101
  vrf forwarding MGMT-1
  ip address 10.79.1.252 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  redundancy rii 101
  redundancy group 2 ip 10.79.1.254 exclusive decrement 10
  end
  #----------------------- send mail ----------------------
  # create mail form
    action_syslog msg "Creating mail header for vpn_failure.tcl script..."
    set body [format "Mailservername: %s" "$_email_server"]
    set body [format "%s\nFrom: %s" "$body" "$_email_from"]
    set body [format "%s\nTo: %s" "$body" "$_email_to"]
    set _email_cc ""
    set body [format "%s\nCc: %s" "$body" "[email protected]"]
    set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
    set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
    set body [format "%s\n%s" "$body" "Report Summary:"]
    set body [format "%s\n%s" "$body" "   - syslog message"]
    set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
    set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
    set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
    set body [format "%s\n%s" "$body" "   - show crypto session detail"]
    set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
    set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
    set body [format "%s\n%s" "$body" "   - show log"]
    set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
    set body [format "%s\n%s" "$body" "$syslog_msg"]
    set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
    set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_route"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
    set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
    set body [format "%s\n\n%s" "$body" "$show_log"]
    if [catch {smtp_send_email $body} result] {
      action_syslog msg "smtp_send_email: $result"
    action_syslog msg "vpn_failure.tcl script completed"
  #------------------ end of send mail --------------------

• Tcl script to shut and no shut interface

  Hi, I have problem with DMVPN I tried some configurations but any works.
  The problem is that tunnel with ipsec protection does not support keepalives I have one hub and one spoke the spoke has two interfaces with dynamic ip and the hub has one interface with static ip the two devices have two tunnels gre. The spoke has track to the source and backup comand on tunnels one active and one for backup the problem is when the active tunnel is down (only protocol it is in this way coz the source is down down)the other tunnel comes up and its ok everything is working but when the tunnel active comes back the vpn does not come up until the tunnel is shutdown and not shutdown by manual way. I like to know if is possible to shut and no shut the tunnel when the source comes back with tcl script. (And if is possible that you help me to do the script).
  Thanks in advance.

  Ok thanks everybody jaja it`s done. Solution cryto maps on interfaces and do not put tunnel ipsec protected on the tunnel interface on the hub.
  DOC. DMVPN DUAL TIER ARCHITECTURE

• Tcl Ping Script Help

  Hello Community,
  I'm currently getting assistance from Joseph and Mike on another ping script.
  In the meantime, I have come across the attached Tcl Ping script that might help. However, each time I attempt to run the script from the command line as such
  event manager run pingall5.tcl
  I get the following error message
  MX-IPS1#eve man run pingall5.tcl
  invalid command name "ping"
      while executing
  "ping $address"
      ("foreach" body line 1)
      invoked from within
  "foreach address {
  10.36.36.225
  183.19.28.8
  150.19.2.2
  183.19.28.2
  183.19.123.2} { ping $address
      invoked from within
  "$slave eval $Contents"
      (procedure "eval_script" line 7)
      invoked from within
  "eval_script slave $scriptname"
      invoked from within
  "if {$security_level == 1} {       #untrusted script
       interp create -safe slave
       interp share {} stdin slave
       interp share {} stdout slave
      (file "tmpsys:/lib/tcl/base.tcl" line 50)
  Tcl policy execute failed: invalid command name "ping"
  So I tried another tcl script called pingall8, but it simply won't get applied to the router.
  I have attached both scripts.
  You're assistance will be greatly appreciated.
  Cheers
  Carlton

  You can execute the policy with event manager run" command and that is running eem manually rather than having it trigger from some event.   Attached is a EEM policy that will ping each IP addresses and print it to the screen.
  CISCO1941_WAASX#event manager run pinger.tcl
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.223.3, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
  CISCO1941_WAASX#
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.223.126, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
  CISCO1941_WAASX#
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.223.2, timeout is 2 seconds:
  Success rate is 0 percent (0/5)
  CISCO1941_WAASX#

• Help with tcl script with labview

  I am trying to run a program using tcl script via labview.
  Currently I am using wish80 tcl to run it. And it works fine.
  I tried using example I found on NI website called Run Tcl Script.vi
  I will attach the vi and the tcl file. Hope someone will have a idea what I am doing wrong.
  Thanks
  please change the testpairs2.txt to testpairs2.tcl as it is not letting me attach as tcl.
  Attachments:
  Run Tcl Script1.vi ‏27 KB
  testpairs2.txt ‏1 KB

  Hi randyram,
  try the referenced labview example with your parameters. I guess there are some changes on the OS. (actual OS with LV6.1 to XP) :-)
  LabView Online Help:
  "Refer to the Calling System Exec VI in the labview\examples\comm directory for an example of using the System Exec VI."
  Mike

• TCL scripting

  st1\:*{behavior:url(#ieooui) }
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Network Scenario:
  We have a Client-Server enterprise network, and nature of servers is to broadcast some stats/info to all the clients.
  We are using two 6509-E at core with HSRP to provide the redundancy for servers. I have attached the network layout (not the real one) with some description with this thread. On both switches we have configured “ip helper-addresses” to forward the broadcast to multiple destinations(different VLANs). Every thing is working fine with respect to HSRP.
  Problem:
  Under normal circumstances, both ACTIVE and STANDBY hsrp switches generates broadcast which causing duplication of every broadcast packet and Client end receiving every packet twice. Cisco already claimed that standby switch will forward the broadcast. As an alternate TAC has advised to use the TCL script as a work around which we attempted to however no success at the end.
  Please let me know if some one can help me in modifying TCL script.
  ::cisco::eem::event_register_syslog occurs 1 pattern .*STANDBY.*STATECHANGE.* maxrun 90
  # EEM policy used to detect an HSRP state change. Once change is detected, analize the
  # type of change and modify the configuration about helper address.
  # The script looks for the DHCP server ip address in dhcp_server environment variable
  # and adds or removes the command 'ip helper-address dhcp_server' to the interface on
  # which HSRP status has changed.
  # April 2006, Cisco Europe & Emerging TME Team
  # Copyright (c) 2006 by cisco Systems, Inc.
  # All rights reserved.
  ### The script uses the following environment variables:
  #   $dhcp_server - ip address of the DCHP server in four octect dotted notation
  # 1. check if all the env variables we need exist and if not abort
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if {![info exists dhcp_server]} {
      set result "EEM Policy Error: variable dhcp_server has not been set"
      error $result $errorInfo
  # 2. Local procedure for CLI show commands
  # Pass a list of cli commands and it returns a list of outputs
  proc CLICmdProc {cmds} {
      if [catch {cli_open} result] {
          error $result $errorInfo
      } else {
          array set cli1 $result
      if [catch {cli_exec $cli1(fd) "enable"} result] {
          error $result $errorInfo
      foreach a_cmd $cmds {
          if [catch {cli_exec $cli1(fd) $a_cmd} result] {
              error $result $errorInfo
          } else {
              lappend cmd_output $result
      if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
          error $result $errorInfo
      return $cmd_output
  # 3. Local procedure for CLI configuration commands
  # Pass a list of cli commands
  proc CLICfgProc {cmds} {
      if [catch {cli_open} result] {
          error $result $errorInfo
      } else {
          array set cli1 $result
      if [catch {cli_exec $cli1(fd) "enable"} result] {
          error $result $errorInfo
      if [catch {cli_exec $cli1(fd) "config terminal"} result] {
          error $result $errorInfo
      foreach a_cmd $cmds {
          if [catch {cli_exec $cli1(fd) $a_cmd} result] {
              error $result $errorInfo
          } else {
              set cmd_output $result
      if [catch {cli_exec $cli1(fd) "end"} result] {
          error $result $errorInfo
      if [catch {cli_exec $cli1(fd) "write mem"} result] {
          error $result $errorInfo
      if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
          error $result $errorInfo
  # 4. query the information of latest triggered eem event
  array set arr_einfo [event_reqinfo]
  if {$_cerrno != 0} {
      set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
          $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
      error $result
  set msg $arr_einfo(msg)
  # 5. we save the interface which triggered the event in interface
  regexp {(Vlan[0-9]{1,4}).*-> ([A-Z,a-z]*$)} $msg result interface action
  if {$action == "Active"} {
                lappend clicmd "interface $interface"
                lappend clicmd "ip helper-address $dhcp_server"
  if {$action != "Active"} {
                lappend clicmd "interface $interface"
                lappend clicmd "no ip helper-address $dhcp_server"
  set cliout [CLICfgProc $clicmd]
  action_syslog msg "Updating the configuration of interface $interface"

  Try this version.  You will need to first set an environment variable, dhcp_servers to be a comma separated list of IP addresses (i.e. the helper addresses) to configure/unconfigure.  For example:
  event manager environment dhcp_servers 192.168.10.255,192.168.12.255,192.168.14.255

• Looking for ACE Probe TCL script specific for LDAPS

  Hello Everyone,
  I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.
  Could someone kindly point me or provide me the modified TCL script if you happen to have it.
  During my search I also found a config that someone had provided, which contained the following probe:
  probe tcp LDAPS_Probe
    port 636
  probe tcp LDAP_Probe
    port 389
  I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.
  This is how I applied the script for LDAP port 389.
  script file 1 LDAP_PROBE
  probe scripted LDAP_PROBE_389
  interval 5
  passdetect interval 30
  receive 5
  script LDAP_PROBE
  serverfarm host SF-LDAP-389
  description SF LDAP Port 389
  predictor leastconns
  probe LDAP_PROBE_389
  rserver LDAP-RS1-389
  inservice
  I will be more than glad to provide you any additional information that you need.
  As always thanks for your input.
  Raman Azizian
  SAIC/NISN Network services

  normally you would engage a TCL developer or ciso advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl.  default port is 389 when you implement you would specify 636.
  #!name = LDAP_PROBE
  # Description:
  #    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and
  #    determines whether the bind request succeeds.  LDAP_PROBE then closes the
  #    connection with a TCP RST.
  #    If a port is specified in the "probe scripted" configuration, the script probes
  #     each suspect on that port. If no port is specified, the default LDAP port 389
  #     is used.
  # Success:
  #   The script succeeds if the server returns a bind response indicating success
  #    (status code 0x0a0100) to the bind request.
  #   The script closes the TCP connection with a RST following a successful attempt.
  # Failure:
  #   The script fails due to timeout if the response is not returned.  This
  #    includes a failure to receive ARP resolution, a failure to create a TCP connection
  #    to the port, or a failure to return a response to the LDAP bind request.
  #   The script also fails if the server bind response does not indicate success.
  #    This specific error returns the 30002 error code.
  #   The script closes any attempted TCP connection, successful or not, with a RST.
  #  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
  #   in ASN.1 short definite form.  Responses using other length forms (e.g., long
  #   definite length form) will require script modification to achieve success.
  # SCRIPT version: 1.0       April 1, 2008
  # Parameters:
  #   [DEBUG]
  #      username - user login name
  #      password - password
  #      DEBUG        - optional key word 'DEBUG'. default is off
  #         Do not enable this flag while multiple probe suspects are configured for this
  #         script.
  # Example config :
  #   probe scripted USE_LDAP_PROBE
  #         script LDAP_PROBE
  #   Values configured in the "probe scripted" configuration populate the
  #   scriptprobe_env array.  These may be accessed or manipulated if desired.
  # Documentation:
  #    A detailed discussion of the use of scripts on the ACE is included in
  #       "Using Toolkit Command Language (TCL) Scripts with the ACE"
  #    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
  # Copyright (c) 2005-2008 by Cisco Systems, Inc.
  # debug procedure
  # set the EXIT_MSG environment variable to help debug
  # also print the debug message when debug flag is on
  proc ace_debug { msg } {
      global debug ip port EXIT_MSG
      set EXIT_MSG $msg
      if { [ info exists ip ] && [ info exists port ] } {
       set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
      if { [ info exists debug ] && $debug } {
       puts $EXIT_MSG
  # main
  # parse cmd line args and initialize variables
  ## set debug value
  set debug 0
  if { [ regsub -nocase "DEBUG" $argv "" argv] } {
      set debug 1
  ace_debug "initializing variable"
  set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"
  set ip $scriptprobe_env(realIP)
  set port $scriptprobe_env(realPort)
  # if port is zero the use well known ldap port 389
  if { $port == 0 } {
      set port 389
  # PROBE START
  # open connection
  ace_debug "opening socket"
  set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
  fconfigure $sock -buffering line -translation binary
  # send a standard anonymous bind request
  ace_debug "sending ldap bind request"
  puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
  flush $sock
  #  read string back from server
  ace_debug "receiving ldap bind result"
  set line [read $sock 14]
  binary scan $line H* res
  binary scan $line @7H6 code
  ace_debug "received $res with code $code"
  #  close connection
  ace_debug "closing socket"
  close $sock
  #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
  if {  $code != "0a0100" } {
      ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
      exit 30002
  ## make probe success by exit with 30001
  ace_debug "probe success"
  exit 30001

• Using EEM and TCL scripts for voice

  HI all,
  I'd like to use eem to check Sip dial-peer status+interface BRI status, when sip dial-peer has no answer to invite and bri interface is down the LAN interface must be shutted down. Is it possible to avhieve it using eem? I didn't find anything for eem monitoring sip dial-peers...
  thanks
  Massimiliano

  EEM doesn't have any ability to control the data plane currently.  Therefore, there is no direct voice tie-in.  There is a way to do Tcl scripting of some voice operations (e.g. IVR scripts), but those do not relate to EEM.
  That said, if there are some show commands which provide you the data you need, you can create an EEM timer policy (i.e. one that runs periodically), parsers the show command output, and takes further action if the output contains certain patterns.  Depending on the version of IOS, this may require an EEM Tcl script, or you may be able to do it within an EEM applet.
  If you need further assistance, you will need to provide your IOS version, and the exact commands (and output) which would tell you if the SIP peer isn't getting an answer and the BRI interface is truly down (I'm imagining something like "show isdn status" for this one).
  Please support CSC Helps Haiti
  https://supportforums.cisco.com/docs/DOC-8895
  https://supportforums.cisco.com

• Running a TCL script through EEM every 60 seconds

  I have a script written in the TCLSH of IOS, I can test this script from the shell using the following commands
  LAB-RTR#tclsh
  LAB-RTR(tcl)#source flash:test.tcl
   NO CALLS
  Is there a way I can run this test.tcl script every 60 seconds on the router.
  SCRIPT test.tcl
  proc get_ints {} {
  set syslog [open "syslog:" w+]
  #puts "BEFORE\n"
  set check ""
  set int_out [ exec "show voice call status\n" ]
  #puts "INTOUT $int_out\n"
  set mylist [regexp -nocase -line -inline {(^([0-9]*|No) active calls? found)} $int_out]
  #puts "MYLIST $mylist\n"
  foreach int $mylist {
   #puts "INT $int\n"
   if {$int == "No"} {
    puts " NO CALLS\n";
    puts $syslog "NO CALLS"
   } elseif {[string is integer -strict $int]} {
    puts "$int CALLS\n";
    puts $syslog "$int CALLS"
   } else {
    #puts "GARBAGE\n";
  close $syslog
  #puts ""
  puts [eval get_ints]

  Hey Joseph, Thanks for all your help. I have one last question, so now that I am running my script every 60 seconds if there is an issue I send multiple traps to our monitoring system. Is there any way you can keep track if the trap was already sent I will not send another trap again.
  One way I can think of is using a loopback interface. But I would prefer not shutting down the loopback interface just to keep track of what my script is doing.
  IF issue {
     IF Loop1 is up {
              don't send trap
      } ELSE {
              bring Loop1 up
              Send Trap
   } ELSE (No issue) {
     shutdown Loop1

• Alert Parameters to Get Interface Description (i.e. Something Meaningful to Network Admins)

  Hi All,
  We have recently deployed OpsMgr 2012 R2 inparallel to our legacy 2007 environment.
  For network device monitoring in the 2007 environment we used the xSNMP Management Pack on top-of the native capabilities.
  On of the positive aspects of the 2007 set-up was that we were able to leverage the xSNMP Management Packs ability to expose the interface alias/description which our Network admins populate to identify the connection/purpose of an interface within the SMS
  Channel format.
  Basically, the Network Admins would give me a list of critical interfaces and using the combination of Path and Alias/Description I would be able to confidently enable interface monitoring and alerting for those interfaces.
  In 2012, however, all that has been changed.  Now, interfaces are identified by an Interface Name value that is not really meaningful or relevant to the way our Network Admins work.  Wjat I also find problematic is the way that interfaces seem
  to have been divorced from the the source device in such a way that the default email alert format doesn't even include the Path (source device) on which the interface generating the alert is associated with.  This is even the case when trying to create
  a custom monitored interfaces State view in that the Path column is populated by the MAC address rather than with the host device that the interface is on which is what really matters.  Who deals in MAC addresses?
  What we require is a way to expose the host device and Interface Description and Alias  values as part of an SMS/email alert as that is crucial information that an on-call engineer being woken-up at 2:00 AM needs to know rather than scratching
  their head with some guff about IF-20 without even the parent device of that interface given so that they can at least know what device to log-on to manually try and identify which interface connection/service  is down even though they should not have
  to do that.
  I have already tried to customize the SMS Channel format from its default format to the following:
  State: $Data[Default='Not Present']/Context/DataItem/ResolutionStateName$ $Data/Context/DataItem/ManagedEntityFullName$ $Data/Context/DataItem/AlertName$
  using the list of alert parameters from Kevin Holman's blog but even with the $Data/Context/DataItem/ManagedEntityFullName parameter the information is not satisfactory.
  For all the improvement in SNMP and network monitoring it seems that something that was actually good and useful in 2007 has now been lost because of the way interfaces/ports  have been divorced from the parent Managed Network Node device.
  Can anyone advise how I might be able to get sensible interface alerts in my email and SMS notifications that provide the host router/switch Display Name, and the Interface Description and Alias of the Interface?
  Points given to all considered replies.
  Kind Regards,
  Michael

  Yeah, that's kind of a mess...
  You can create a workaround to change the name similar like that:
  http://www.vroege.biz/?p=746
  But it needs some authoring knowledge and must run every time after a network discovery. Since this means a class property change it is a performance consuming workflow and should not run top often.
  HTH, Patrick
  Please remember to click “Mark as Answer” on the post that helped you.
  Patrick Seidl (System Center and Private Cloud)
  Website: http://www.syliance.com
  Blog: http://www.systemcenterrocks.com