TCL script or applet to disable port based on reachability

I am looking for a script or applet that will dis/enable an ethernet interface on Cat 6500 based on reachability to an external destination. Reachability should be verified either directly by sending ICMP packets, or based on IPSLA status.
Thank you,
Jarek

"This will ping every 5 seconds for reachability."
ip sla 1
type icmp-echo 10.1.1.1
timeout 1000
threshold 1000
frequency 5
ip sla schedule 1 life forever start-time now
"Creates object tracking with IP SLA operation from above."
track 1 rtr 1 reachability
"EEM will shut down the interface if it's unreachable."
event manager applet interface-shut
event track 1 state down
action 0.0 cli command "enable"
action 0.1 cli command "conf t"
action 1.0 cli command "interface fa0"
action 2.0 cli command "shut"
action 3.0 syslog msg "interface-shut EEM shut down interface fa0"
"EEM will bring the interface up when it's reachable."
event manager applet interface-noshut
event track 1 state up
action 0.0 cli command "enable"
action 0.1 cli command "conf t"
action 1.0 cli command "interface fa0"
action 2.0 cli command "no shut"
action 3.0 syslog msg "interface EEM brought up interface fa0"

Similar Messages

  • L3 Switch script to shutdown a port based IP reachability

    Hello all,
    I would like to know if, using EEM, I can shut down a Gigabit interface based on IP reachability of the remote neighbor via ping?
    And no shutdown when the IP reachability is reestablished? I'm using IOS-XE.
    I ask this because I have an L2 connection which is not directly end-to-end, but has some network components (DWDM) in the middle for signal regeneration.
    The provider of the DWDM circuit confirms that the signal is NOT end-to-end, so if there is a failure in the circuit the interfaces of the L3 switches won't go down and traffic is still routed on this path, since the routes are still present in the routing table even if the remote neighbor is not reachable.
    Should I use track with the event manager applet IOS commands?
    Many Thanks
    Saluti

    I would recommend looking at feature based capabilities before implementing things with EEM... This way it would be easier to support etc...
    The functionality you are asking for should be available on your platform (I assume you are on ASR1K as you are mentioning IOS-XE). You should look at BFD...
    Here are a few references:
    http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-bi-fwd-det.html
    You mentioned static routes, so maybe this is also relevant:
    http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_bfd/configuration/xe-3s/irb-xe-3s-book_chapter_01000.html
    Arie

  • Problem : tcl script for filter IPSec cosmetic log

    Hi all, I would like some advice from anyone who has seen this case. I applied a Tcl script to filter an IPsec error log message that is cosmetic, because my site does not want to see this log in the router log. I already created a Tcl script to filter it out. The script works, but it does more than intended: it filters out other messages, not just the IPsec log. I checked that the Cisco device supports the script. How can I fix this problem?
    See my detail of script and ios version of router :
    script :
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-severity and mnemonic
    # Created on 05-Oct-2012.
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
        return ""
    return $::orig_msg
    ios router version :
    : c2800nm-adventerprisek9-mz.124-25f.bin
    : c2800nm-adventerprisek9-mz.124-7b.bin
    log information and configuration
    When I applied command:
    logging filter flash:VPN_Filter2.tcl
    logging buffered filtered 4096 debugging
    show log file:
    router#sh logg
    Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering enabled)
        Console logging: level debugging, 18145 messages logged, xml disabled,
                         filtering disabled
        Monitor logging: level debugging, 428 messages logged, xml disabled,
                         filtering disabled
            Logging to: vty322(2)
        Buffer logging: level debugging, 0 messages logged, xml disabled,
                        filtering enabled (0 messages logged)
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
    Filter modules:
        flash:VPN_Filter2.tcl  
        Trap logging: level informational, 47011 message lines logged
            Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
    --More--                          
    Log Buffer (4096 bytes):
    router#
    If you have some more information. Please tell me.
    Thank you for your advice

    It looks like your script has an error.  You have an extra '}'.  It should be:
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-severity and mnemonic
    # Created on 05-Oct-2012.
    #
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
            return ""
        }
    }
    return $::orig_msg

  • CSM TCL script or http checksum

    Hello,
    I need to do some HTTP keepalive based on the http page itself (no error code returned by the server).
    With the CSS we were able to do it because the css was doing a checksum of the http page. So when there was changes the service was considered to be down.
    I have not seen a similar option with the CSM so it is why I am looking for a tcl script that get the page and look for a regexp in it.
    I am having some trouble seeing the service up :( so I don't know if my script is good. I see that it is doing the http get on the server but it does not seem to succeed doing the regexp match...
    Here is my script :
    # !name = HTTP_TEST
    # get the IP address of the real server from a predefined global array csm_env
    set ip $csm_env(realIP)
    set port 80
    set url "GET /supervision/test.jsp"
    # Open a socket to the server. This creates a TCP connection to the real server
    set sock [socket $ip $port]
    fconfigure $sock -buffering none -eofchar {}
    # Send the get request as defined
    puts -nonewline $sock $url;
    # Wait for the response from the server and read that in variable line
    set line [ read $sock ]
    # Parse the response
    if { [ regexp "BD \+ SA OK.*\<BR\>Gateway OK.*\<BR\>Gateway2 OK" $line ] } {
        exit 5000
    } else {
        exit 5001
    }
    And the regexp should be looking for :
    BD + SA OK
    <BR>Gateway OK
    <BR>Gateway2 OK
    any help is welcome !
    Thanks

    This URL should help you:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a75a7.html
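
An added example, not part of the original posts, showing why the probe's pattern cannot match the expected page text as written: the pattern is in double quotes, so Tcl removes the backslashes before regexp sees it. The sample page text is constructed, and probe_code is a hypothetical helper that returns the 5000/5001 codes from the script above instead of calling exit.

```tcl
# Added example for illustration; runs in plain tclsh. On the CSM the page text
# would come from [read $sock] and the returned code would be passed to exit.

# Constructed sample of the page the poster expects the real server to return.
set page "<html><body>\nBD + SA OK\n<BR>Gateway OK\n<BR>Gateway2 OK\n</body></html>"

# Pattern exactly as written in the post. Inside double quotes Tcl performs
# backslash substitution first, so regexp receives "BD + SA OK.*<BR>...".
# The "+" is then a quantifier on the preceding space ("one or more spaces"),
# not a literal plus sign.
set quoted_pattern "BD \+ SA OK.*\<BR\>Gateway OK.*\<BR\>Gateway2 OK"

# Same pattern in braces: no substitution happens, so \+ reaches the regex
# engine intact and stands for a literal "+". "<" and ">" need no escaping.
# "." matches newlines by default in Tcl, so ".*" spans the line breaks.
set braced_pattern {BD \+ SA OK.*<BR>Gateway OK.*<BR>Gateway2 OK}

# Hypothetical helper: map a match result to the probe exit codes used in the
# post (5000 = probe passed, 5001 = probe failed).
proc probe_code {pattern page} {
    if {[regexp -- $pattern $page]} {
        return 5000
    }
    return 5001
}

# Show what regexp actually receives for each form, and the resulting code.
foreach {label pattern} [list quoted $quoted_pattern braced $braced_pattern] {
    puts [format "%-7s pattern seen by regexp: %s" $label $pattern]
    puts [format "%-7s probe exit code:        %d" $label [probe_code $pattern $page]]
}
```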

  • Setting the source-interface in a tcl script for email.

    So once again I am trying to figure this out and failing miserably. The only thing I can think of at the moment is that I need to tell it to source from a specific vrf interface. I've tried looking through possible environment variables. Hoping I could set it that way but have yet to find one. I have read various settings for source-interface and attempted them. But fail every time with:
    vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    EEM Version:
    sho event manager version
    Embedded Event Manager Version 4.00
    Component Versions:
    eem: (rel4)1.0.4
    eem-gold: (rel1)1.0.2
    eem-call-home: (rel2)1.0.0
    Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" ""]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }

    I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the sourceinterface. In debugging everything in the script works except for the mail portion.
    Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Debugging On:
    Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
    Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
    Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
    Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
    Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
    Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
    Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
    Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
    Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    cannot connect to all the candidate mail servers
    Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
    event manager environment _email_server 10.79.1.126
    event manager environment _email_from [email protected]
    event manager environment _email_to [email protected]
    interface Port-channel1.101
    description MGMT-1
    encapsulation dot1Q 101
    vrf forwarding MGMT-1
    ip address 10.79.1.252 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    redundancy rii 101
    redundancy group 2 ip 10.79.1.254 exclusive decrement 10
    end
    #----------------------- send mail ----------------------
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" "[email protected]"]
      set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }
      action_syslog msg "vpn_failure.tcl script completed"
    #------------------ end of send mail --------------------

  • CallManager Express TCL Script issue

    Hi, I'm having issues trying to get an AA script working on a CME 4.0 system. What I want to do is quite simple, I just want to play a message to callers and that's it.
    When I dial the pilot, the call just drops and I get the following error when debugging "voip application script"
    Jul 25 17:16:22.470: //381//TCL :/tcl_PutsObjCmd: TCL AA: +++ B-ACD-SERVICE not registered, Starting B-ACD-SERVICE +++
    Jul 25 17:16:22.470: //381//AFW_:/AFW_FSM_Drive: Tcl_Eval to drive FSM inside Tcl modulespace. code=1 code=ERROR
    Jul 25 17:16:22.470: TCL script failure
    Result:
    Handoff Failed
    Jul 25 17:16:22.470: TCL script failure errorInfo:
    Handoff Failed
    while executing
    "handoff appl leg_incoming $serviceName -s $hString"
    (procedure "act_Setup" line 30)
    invoked from within
    "act_Setup"
    (procedure "act_Handoff_Activity" line 7)
    invoked from within
    "act_Handoff_Activity"
    Below is my config
    application
    service aa flash:app-b-acd-aa-2.1.0.0.tcl
    paramspace english index 1
    param number-of-hunt-grps 1
    param handoff-string aa
    paramspace english language en
    param max-time-vm-retry 3
    param aa-pilot 1050
    paramspace english location flash:
    param second-greeting-time 60
    param welcome-prompt _bacd_welcome.au
    param queue-manager-debugs 1
    param call-retry-timer 15
    param max-time-call-retry 200
    param voice-mail 8000
    param service-name aa
    dial-peer voice 1050 voip
    service aa
    destination-pattern 1050
    session target ipv4:172.27.27.10
    incoming called-number .
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    telephony-service
    load 7914 S00104000100
    load ATA ATA030100SCCP040211A
    load 7920 cmterm_7920.4.0-02-00
    load 7971 TERM70.6-0-3SR1S
    load 7970 TERM70.6-0-3SR1S
    load 7912 CP7912080001SCCP051117A
    max-ephones 240
    max-dn 480
    ip source-address 172.27.27.10 port 2000
    timeouts interdigit 5
    system message Galaxia - VSAT Activated
    sdspfarm units 1
    sdspfarm transcode sessions 2
    sdspfarm tag 1 mtp0018185bf860
    cnf-file perphone
    network-locale IT
    time-zone 23
    time-format 24
    date-format dd-mm-yy
    max-conferences 8 gain -6
    call-park system redirect
    call-forward pattern .T
    moh music-on-hold.au
    multicast moh 239.x.1.30 port 2123
    web admin system name admin password btin3t
    dn-webedit
    time-webedit
    transfer-system full-consult
    secondary-dialtone 9
    create cnf-files version-stamp 7960 Jul 25 2006 14:09:58
    We do not have CUE.
    Any help would be appreciated.
    Thanks
    Glyn

    In reference to this part of your config:
    If you are using a hunt group, you need the following param:
    param aa-hunt1
    I would also try using a loopback address in your voip dial peer, rather than the H.323 physical IP address of your router.
    Here is the link with an example config:
    http://www.cisco.com/en/US/partner/products/sw/voicesw/ps4625/products_configuration_guide_chapter09186a00805f2305.html#wp1012136

  • TCL script help needed on Nexus7000 !

    Does anyone know how to create a TCL script on Nexus7000 switch for following scenario ? Need urgent help here.. :-
    Here is what I am trying to do :-
    1. Whenever following log on "show log log" prints out :-
    testnexus7000 %PIXM-2-PIXM_SYSLOG_MESSAGE_TYPE_CRIT:
    2. Print out the output of show system internal pixm errors
    And look for following line :-
    [102] pixm_send_msg_mcast(1208): MTS Send to LC X failed >> where X is 0 based
    and this error can occur multiple times for different LCs too.
    4. Reload line card (s) X and syslog " task done"
    Regards
    Vijaya

    Hi,
    Vijaya, I found the same post on the Cisco support forums, so people helped someone with the same question!
    Please read it:
    https://supportforums.cisco.com/thread/2128886
    Also, if you can help me with a Cisco ASA same-security problem, that would be good for me. I will contact you, and it would be a great help if you could help me.
    Hope that link helps you.
    Bye,

  • OMBPlus TCL-script in OWB Designer at startup?

    Is there a way to run a OMBPlus script in OWB Designer automatically at startup?
    What I would like is a small tcl script that just contains a procedure like:
    proc run_script {} {
        source "I://OMB//SCRIPTS//2009//DEPLOY//START_DEPLOY.tcl"
    }
    Then the users can just access the OMBplus part of the screen and type
    OMB> run_script
    (This instead of typing the entire source command...)
    Is this possible? To automatically run a small script at startup?

    Hi,
    Is this possible? To automatically run a small script at startup?
    OMBPlus is a Tcl/Java based (Jacl) TCL interpreter and it supports the auto_load mechanism (with the auto_path variable and a tclIndex file).
    And please note that this mechanism doesn't work if you start OWB from the Windows Start menu (use OWBHOME\owb\bin\win32\owbclient.bat instead).
    1) Place your small tcl script into a directory (for example into c:\tcl_autostart, with your script named small_script.tcl)
    2) Modify the setowbenv.bat file (in the OWBHOME\owb\bin\win32 directory) - add the line
    SET TCLLIBPATH="C:/tcl_autostart"
    3) Create in the c:\tcl_autostart directory a file tclIndex (without any file extension!) with these contents (the first line must be exactly as I specify, because the TCL interpreter checks it before processing tclIndex)
    # Tcl autoload index file, version 2.0
    set auto_index(run_script) [list source [file join $dir small_script.tcl]]
    Now start OMBPlus (with OMBPlus.bat) or OWB (with owbclient.bat) - and you have the new command run_script
    Tested on OWB 10.2.0.3
    Regards,
    Oleg
    Edited by: Oleg on 29/1/2010 15:33 correct contents of tclIndex

  • Cisco OnRamp.tcl script - maximum fax size(s)

    Hi all!
    For the last several years I've been deploying Cisco's CME solution, and occasionally I've included the OnRamp .tcl script for receiving faxes, converting to .tif files, and forwarding to an email address.
    Lately I've had a customer query regarding max size of faxes that can be supported.  To wit, they are trying to send a 48 page fax, and in their email inbox they only get the first page.  They've tested fax to fax and all works well.
    Does anyone know of any sizing limitations, or tweaks I can make to either dial-peers, or hardware, or perhaps the script itself to support any size fax?
    Thanks in advance for any help or information.
    Kevin

    I tried to configure T37 onramp/offramp fax in my network but after several attempts I failed to apply it completely and just portion of that worked well. despite describing the scenario in many forums (like here), I got nothing!
    anyway, I'm going to test it in a simple form. I mean, I want to connect my edge router to PSTN line via an FXO port and via ethernet to internal network. my internal network has many physical fax machines that have gotten their internal tel numbers (like 866, 867, ...) from PBX . so can I use this scenario to configure the router to support these fax machine, or I should connect fax machines directly to router through FXS ports? tnx. 

  • Problem with TCl script

    Hello, I need help: my Cisco router (2921) does not work correctly with a Tcl script.
    The Tcl script worked fine on this device for a long time, but at one point the script did not start and I got an error (without any script changes):
    005495: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: Unknown error 2620
    005496: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     while executing
    005497: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: "close $myfileid"
    005498: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     invoked from within
    005499: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: "$slave eval $Contents"
    005500: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     (procedure "eval_script" line 7)
    005501: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     invoked from within
    005502: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: "eval_script slave $scriptname"
    005503: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     invoked from within
    005504: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: "if {$security_level == 1} {       #untrusted script
    005505: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:      interp create -safe slave
    005506: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:      interp share {} stdin slave
    005507: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:      interp share {} stdout slave
    005508: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: ..."
    005509: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
    005510: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: Tcl policy execute failed:
    005511: Aug 26 08:46:27: %HA_EM-6-LOG: event.tcl: Unknown error 2620
    If I try these commands, it does not help:
    no event manager policy event.tcl
    event manager policy event.tcl
    I tried reloading the script on the router, and every time the script was started, some part of the script file was deleted (it is very interesting, because I think the script in flash is only read, not written).
    Only a reload helps; after the reload the script works fine.
    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M6, RELEASE SOFTWARE (fc2)

    Hello Joseph, this TCL script worked for a long time without any problem and without any changes.
    On this device I changed the configuration (added two EEM applets with event tag syslog pattern); after this modification I have the problem. Maybe I will try to do all my configuration in the TCL script.
    I added the EEM applets (they work without any problem):
    event manager applet RESET-3G-S
    event tag 1.0 syslog pattern "%TRACKING-5-STATE: 2 ip sla 2 reachability Up->Down"
    event manager applet 3G-EEM-STOP
    event tag 1.0 syslog pattern "%TRACKING-5-STATE: 2 ip sla 2 reachability Down->Up"
    My script has syslog patterns:
    ::cisco::eem::event_register_syslog tag 1 pattern ".*SEC_LOGIN-4-LOGIN_FAILED: Login failed.*" occurs 1 maxrun 50
    ::cisco::eem::event_register_syslog tag 2 pattern ".*%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success*" occurs 1
    ::cisco::eem::event_register_syslog tag 3 pattern ".*%SYS-5-RESTART.*" occurs 1
    ::cisco::eem::trigger {
        ::cisco::eem::correlate event 1 or event 2 or event 3
        ::cisco::eem::attribute tag 1 occurs 1
        ::cisco::eem::attribute tag 2 occurs 1
        ::cisco::eem::attribute tag 3 occurs 1
    }
    Thank you

  • Stopping EEM/TCL script

    How can I stop a pending EEM/TCL script?  I have a Catalyst 4506 version 12.2(40)SG.  The command 'event manager scheduler clear' isn't available.  The output of 'show event manager policy pending' shows:
    No.  Time of Event             Event Type          Name
    1    Wed Mar 3  09:39:31 2010  none                script: test_err.tcl
    2    Wed Mar 3  10:56:42 2010  timer watchdog      script: free_mem.tcl
    3    Wed Mar 3  11:43:19 2010  syslog              applet: Login-Fail
    So the policies coming after the stuck policy won't run.  I've tried to un-register/re-register the policy, but it didn't help.

    If your device does not support "event manager scheduler clear" the only way to terminate a stuck, or long-running EEM policy is to reboot.

  • Port based routing?

    Hi,
    My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
    And I want to FORCE all my http/https connections(that use destination port 80, 443, and perhaps some more) to use the VPN, while keep anything else go through the ADSL router directly.
    Is this possible?

    Did you find any solution?
    I'm trying to find a way to do this too.. on linux port based routing can be done with iptables. Mac OS X uses ipfw but:
    The fwd action does not change the contents of the packet at all.
    In particular, the destination address remains unmodified, so
    packets forwarded to another system will usually be rejected by
    that system unless there is a matching rule on that system to
    capture them.
    Then there is natd? I'm not sure if this can be used..
    And another one is /etc/pf.conf which has this openbsd guide but fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled".

  • ACE TCL Script Probe for Websphere MQ

    Has anyone written a TCL script to probe MQ from the ACE?  Our app guys are saying that a Layer 4 probe (TCP port check) is generating errors in the QManager logs because there is no data exchange, just TCP connection setup, then tear-down.
    Thought I would check here to see if anyone has written a TCL Script for this before or has any other suggestions.
    Thanks!

    Hi,
    What do you need to check exactly on the server?  will be an specific uri?
    Cesar R
    ANS Team

  • Looking for ACE Probe TCL script specific for LDAPS

    Hello Everyone,
    I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.
    Could someone kindly point me or provide me the modified TCL script if you happen to have it.
    During my search I also found a config that someone had provided, which contained the following probe:
    probe tcp LDAPS_Probe
      port 636
    probe tcp LDAP_Probe
      port 389
    I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.
    This is how I applied the script for LDAP port 389.
    script file 1 LDAP_PROBE
    probe scripted LDAP_PROBE_389
    interval 5
    passdetect interval 30
    receive 5
    script LDAP_PROBE
    serverfarm host SF-LDAP-389
    description SF LDAP Port 389
    predictor leastconns
    probe LDAP_PROBE_389
    rserver LDAP-RS1-389
    inservice
    I will be more than glad to provide you any additional information that you need.
    As always thanks for your input.
    Raman Azizian
    SAIC/NISN Network services

    Normally you would engage a TCL developer or Cisco advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl. The default port is 389; when you implement you would specify 636.
    #!name = LDAP_PROBE
    # Description:
    #    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and
    #    determines whether the bind request succeeds.  LDAP_PROBE then closes the
    #    connection with a TCP RST.
    #    If a port is specified in the "probe scripted" configuration, the script probes
    #     each suspect on that port. If no port is specified, the default LDAP port 389
    #     is used.
    # Success:
    #   The script succeeds if the server returns a bind response indicating success
    #    (status code 0x0a0100) to the bind request.
    #   The script closes the TCP connection with a RST following a successful attempt.
    # Failure:
    #   The script fails due to timeout if the response is not returned.  This
    #    includes a failure to receive ARP resolution, a failure to create a TCP connection
    #    to the port, or a failure to return a response to the LDAP bind request.
    #   The script also fails if the server bind response does not indicate success.
    #    This specific error returns the 30002 error code.
    #   The script closes any attempted TCP connection, successful or not, with a RST.
    #  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
    #   in ASN.1 short definite form.  Responses using other length forms (e.g., long
    #   definite length form) will require script modification to achieve success.
    # SCRIPT version: 1.0       April 1, 2008
    # Parameters:
    #   [DEBUG]
    #      username - user login name
    #      password - password
    #      DEBUG        - optional key word 'DEBUG'. default is off
    #         Do not enable this flag while multiple probe suspects are configured for this
    #         script.
    # Example config :
    #   probe scripted USE_LDAP_PROBE
    #         script LDAP_PROBE
    #   Values configured in the "probe scripted" configuration populate the
    #   scriptprobe_env array.  These may be accessed or manipulated if desired.
    # Documentation:
    #    A detailed discussion of the use of scripts on the ACE is included in
    #       "Using Toolkit Command Language (TCL) Scripts with the ACE"
    #    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
    # Copyright (c) 2005-2008 by Cisco Systems, Inc.
    # debug procedure
    # set the EXIT_MSG environment variable to help debug
    # also print the debug message when debug flag is on
    proc ace_debug { msg } {
        global debug ip port EXIT_MSG
        set EXIT_MSG $msg
        if { [ info exists ip ] && [ info exists port ] } {
            set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
        }
        if { [ info exists debug ] && $debug } {
            puts $EXIT_MSG
        }
    }
    # main
    # parse cmd line args and initialize variables
    ## set debug value
    set debug 0
    if { [ regsub -nocase "DEBUG" $argv "" argv] } {
        set debug 1
    }
    ace_debug "initializing variable"
    set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"
    set ip $scriptprobe_env(realIP)
    set port $scriptprobe_env(realPort)
    # if port is zero then use well known ldap port 389
    if { $port == 0 } {
        set port 389
    }
    # PROBE START
    # open connection
    ace_debug "opening socket"
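    # SSL socket; RC4 with MD5 is a weak cipher suite, so prefer the strongest
    # suite that both the ACE release and the LDAP server support
    set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]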
    fconfigure $sock -buffering line -translation binary
    # send a standard anonymous bind request
    ace_debug "sending ldap bind request"
    puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
    flush $sock
    #  read string back from server
    ace_debug "receiving ldap bind result"
    set line [read $sock 14]
    binary scan $line H* res
    binary scan $line @7H6 code
    ace_debug "received $res with code $code"
    #  close connection
    ace_debug "closing socket"
    close $sock
    #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
    if {  $code != "0a0100" } {
        ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
        exit 30002
    }
    ## make probe success by exit with 30001
    ace_debug "probe success"
    exit 30001
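
The script header above warns that it only accepts a bind response whose lengths use ASN.1 short definite form, because it reads the result code at a fixed offset. As an added example (not part of the original post or of Cisco's script), the following Tcl decodes the BindResponse resultCode for both short and long definite lengths; the proc names `ber_len`, `ber_expect` and `ldap_bind_result` are hypothetical and the sample byte strings are constructed.

```tcl
# Added example; proc names are hypothetical and the sample bytes are constructed.
# Decode the BER length at offset pos; returns a list: length, offset of content.
proc ber_len { data pos } {
    if { [binary scan $data @${pos}c b] != 1 } { error "truncated length" }
    set b [expr { $b & 0xff }]
    incr pos
    if { $b < 0x80 } { return [list $b $pos] }   ;# short definite form
    set n [expr { $b & 0x7f }]                    ;# long form: n length octets follow
    if { $n == 0 || $n > 4 } { error "unsupported length form" }
    set len 0
    for { set i 0 } { $i < $n } { incr i; incr pos } {
        if { [binary scan $data @${pos}c b] != 1 } { error "truncated length" }
        set len [expr { ($len << 8) | ($b & 0xff) }]
    }
    return [list $len $pos]
}

# Check the tag octet at pos, then decode the length that follows it.
proc ber_expect { data pos tag } {
    if { [binary scan $data @${pos}c t] != 1 || ($t & 0xff) != $tag } {
        error [format "expected tag 0x%02x at offset %d" $tag $pos]
    }
    return [ber_len $data [expr { $pos + 1 }]]
}

# Return the resultCode of an LDAP BindResponse (0 means success).
proc ldap_bind_result { data } {
    foreach { len pos } [ber_expect $data 0 0x30] break     ;# LDAPMessage SEQUENCE
    foreach { len pos } [ber_expect $data $pos 0x02] break  ;# messageID INTEGER
    incr pos $len                                           ;# skip messageID value
    foreach { len pos } [ber_expect $data $pos 0x61] break  ;# BindResponse
    foreach { len pos } [ber_expect $data $pos 0x0a] break  ;# resultCode ENUMERATED
    if { $len != 1 || [binary scan $data @${pos}c code] != 1 } {
        error "unexpected resultCode encoding"
    }
    return [expr { $code & 0xff }]
}

foreach { name hex } {
    short_form_success  300c02010161070a010004000400
    long_form_success   30810d0201016181070a010004000400
    invalid_credentials 300c02010161070a013104000400
} {
    puts "$name: resultCode [ldap_bind_result [binary format H* $hex]]"
}
```

In the probe itself the fixed `read $sock 14` would also have to change, since a long-form response is longer than 14 bytes.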

  • ACE probe TCL script database

    Hello everyone, okay?
    I was thinking of a possibility to use my ACE to monitor a database, in this case a MySQL database. Today I use a TCP probe, monitoring the port, but I would go one step further and try to make a connection in the DATABASE.
    I would like to see the possibility of a guideline in creating a TCL script to make a simple connection to a database.
    The idea is to try to make a connection in a database, run a query / select on any table just to validate its functionality and not just checking if the port is responding.
    I do not know how complex it is or what would be my prerequisites required, but any help would be welcome.
    I thought about using an HTTP probe to make this validation and use a web page making the connection to the database, but it ended up creating another layer and if there is any problem in web service, the database would be affected indirectly.
    Thank you. All suggestions are welcome.

    Hi Plinio,
    I cannot see any support for testing authentication, SQL queries or connections to a database that is supported directly in TCL at this time.
    Here is the TCL guide that explains the supported commands (there is an HTTP example probe at the bottom)
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/script.html
    Beyond a TCL TCP probe to the port to test the listener is running, I believe your suggestion of a HTTP TCL script is probably the most accurate way to check the integrity of the database. You could write code to set a certain response to all types of failure scenarios and on the ACE you could then use a HTTP TCL script to parse the response from the web server to identify exactly what has failed in your database and act accordingly.
    cheers,
    Chris
