TcL Scripting for Cisco IOS,

Similar Messages

• Problem : tcl script for filter IPSec cosmetic log

  Hi all, I would like some advice from anyone who ever see this case. I applied tcl script for filter ipsec error log that log is cosmetic. But my site want to don't see this log from router log. I already create tcl script for filter it out. Ok script can work fine but it more work. It filter other message not just ipsec log out. I check cisco device that support script. How can I fix this problem.
  See my detail of script and ios version of router :
  script :
  # VPN_Error.tcl  This script deletes all log messages about VPN error messages
  # The script will filter by combination between facility-serverity and mnemonic      
  # Created on 05-Oct-2012.
  set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
  set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
  foreach msg $msgs {
      if { $msg == $fac_sev_mnem } {
      return ""
  return $::orig_msg
  ios router version :
  : c2800nm-adventerprisek9-mz.124-25f.bin
  : c2800nm-adventerprisek9-mz.124-7b.bin
  log information and configuration
  When I applied command:
  logging filter flash:VPN_Filter2.tcl
  logging buffered filtered 4096 debugging
  show log file:
  router#sh logg
  Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                  0 flushes, 0 overruns, xml disabled, filtering enabled)
      Console logging: level debugging, 18145 messages logged, xml disabled,
                       filtering disabled
      Monitor logging: level debugging, 428 messages logged, xml disabled,
                       filtering disabled
          Logging to: vty322(2)
      Buffer logging: level debugging, 0 messages logged, xml disabled,
                      filtering enabled (0 messages logged)
      Logging Exception size (4096 bytes)
      Count and timestamp logging messages: disabled
  Filter modules:
      flash:VPN_Filter2.tcl  
      Trap logging: level informational, 47011 message lines logged
          Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
          Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
          Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                 filtering disabled
  --More--                          
  Log Buffer (4096 bytes):
  router#
  If you have some more information. Please tell me.
  Thank you for your advice

  It looks like your script has an error.  You have an extra '}'.  It should be:
  # VPN_Error.tcl  This script deletes all log messages about VPN error messages# The script will filter by combination between facility-serverity and mnemonic       # Created on 05-Oct-2012.#set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"foreach msg $msgs {    if { $msg == $fac_sev_mnem } {        return ""    } } return $::orig_msg

• Scripting for Cisco MDS

  Though I know writing Scripts for Cisco MDs switches (as I don't rely on FM/DM GUI), I am wondering how to include comments in a script for better readability. Would appreciate if anyone could point me to the direction where it is been documented or how to do it.
  Thanks
  Mohan

  With regards to your questions:
  1- No, you must create the script externally to the MDS as specified in the doc listed below.
  http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/1_3_1/sw_confg/cnfig.pdf
  You can however create a cron job on a host and login to the MDS via SSH providing Passwordless access to run a script. Let me know if this is something you would like to pursue.
  2- Yes, this is a feature in version 2.0(1b) which was released recently to Cisco.com, look under "Command Scheduler" in the following link.
  http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/2_0/ol624901.htm

• Using EEM and TCL scripts for voice

  HI all,
  I'd like to use eem to check Sip dial-peer status+interface BRI status, when sip dial-peer has no answer to invite and bri interface is down the LAN interface must be shutted down. Is it possible to avhieve it using eem? I didn't find anything for eem monitoring sip dial-peers...
  thanks
  Massimiliano

  EEM doesn't have any ability to control the data plane currently.  Therefore, there is no direct voice tie-in.  There is a way to do Tcl scripting of some voice operations (e.g. IVR scripts), but those do not relate to EEM.
  That said, if there are some show commands which provide you the data you need, you can create an EEM timer policy (i.e. one that runs periodically), parsers the show command output, and takes further action if the output contains certain patterns.  Depending on the version of IOS, this may require an EEM Tcl script, or you may be able to do it within an EEM applet.
  If you need further assistance, you will need to provide your IOS version, and the exact commands (and output) which would tell you if the SIP peer isn't getting an answer and the BRI interface is truly down (I'm imagining something like "show isdn status" for this one).
  Please support CSC Helps Haiti
  https://supportforums.cisco.com/docs/DOC-8895
  https://supportforums.cisco.com

• Setting the source-interface in a tcl script for email.

  So once again I am trying to figure this out and failing miserably. The only thin I can think of at the moment is that I need to tell it to source from a specific vrf interface. I've tried looking through possible enviornment variables. Hoping I could set it that way but have yet to find one. I have read varios settings for source-interface and attempted them. But fail every time with:
  vpn_failure.tcl: smtp_send_email: error connecting to mail server:
  EEM Version:
  sho event manager version
  Embedded Event Manager Version 4.00
  Component Versions:
  eem: (rel4)1.0.4
  eem-gold: (rel1)1.0.2
  eem-call-home: (rel2)1.0.0
  Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
  # create mail form
    action_syslog msg "Creating mail header for vpn_failure.tcl script..."
    set body [format "Mailservername: %s" "$_email_server"]
    set body [format "%s\nFrom: %s" "$body" "$_email_from"]
    set body [format "%s\nTo: %s" "$body" "$_email_to"]
    set _email_cc ""
    set body [format "%s\nCc: %s" "$body" ""]
    set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
    set body [format "%s\n%s" "$body" "Report Summary:"]
    set body [format "%s\n%s" "$body" "   - syslog message"]
    set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
    set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
    set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
    set body [format "%s\n%s" "$body" "   - show crypto session detail"]
    set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
    set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
    set body [format "%s\n%s" "$body" "   - show log"]
    set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
    set body [format "%s\n%s" "$body" "$syslog_msg"]
    set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
    set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_route"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
    set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
    set body [format "%s\n\n%s" "$body" "$show_log"]
    if [catch {smtp_send_email $body} result] {
      action_syslog msg "smtp_send_email: $result"

  I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the sourceinterface. In debugging everyting in the script works except for the mail portion.
  Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
  Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
  Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
  Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
  Debugging On:
  Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
  Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
  Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
  Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
  Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
  Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
  Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
  Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
  Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
  cannot connect to all the candidate mail servers
  Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
  event manager environment _email_server 10.79.1.126
  event manager environment _email_from [email protected]
  event manager environment _email_to [email protected]
  interface Port-channel1.101
  description MGMT-1
  encapsulation dot1Q 101
  vrf forwarding MGMT-1
  ip address 10.79.1.252 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  redundancy rii 101
  redundancy group 2 ip 10.79.1.254 exclusive decrement 10
  end
  #----------------------- send mail ----------------------
  # create mail form
    action_syslog msg "Creating mail header for vpn_failure.tcl script..."
    set body [format "Mailservername: %s" "$_email_server"]
    set body [format "%s\nFrom: %s" "$body" "$_email_from"]
    set body [format "%s\nTo: %s" "$body" "$_email_to"]
    set _email_cc ""
    set body [format "%s\nCc: %s" "$body" "[email protected]"]
    set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
    set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
    set body [format "%s\n%s" "$body" "Report Summary:"]
    set body [format "%s\n%s" "$body" "   - syslog message"]
    set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
    set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
    set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
    set body [format "%s\n%s" "$body" "   - show crypto session detail"]
    set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
    set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
    set body [format "%s\n%s" "$body" "   - show log"]
    set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
    set body [format "%s\n%s" "$body" "$syslog_msg"]
    set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
    set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_route"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
    set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
    set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
    set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
    set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
    set body [format "%s\n\n%s" "$body" "$show_log"]
    if [catch {smtp_send_email $body} result] {
      action_syslog msg "smtp_send_email: $result"
    action_syslog msg "vpn_failure.tcl script completed"
  #------------------ end of send mail --------------------

• Cisco Aironet Conversion Tool Version 2.1 for Cisco IOS Software

  I am trying to convert a LWAP to Cisco IOS and the tool wants to know the Admin Name*? This is a factory radio sent to me as LWAP. I cannot seem to find out what the Admin Name is, I have tried Admin and Cisco not sure what else to try.

  Hi Brian,
  That tool is used for the IOS to LWAPP upgrade only. The AP can be converted back to Autonomous (IOS) using the following method;
  Reverting the Access Point Back to Autonomous Mode
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
  You can convert an access point from lightweight mode back to autonomous mode by loading a Cisco IOS Release that supports autonomous mode (Cisco IOS release 12.3(7)JA or earlier). If the access point is associated to a controller, you can use the controller to load the Cisco IOS release. If the access point is not associated to a controller, you can load the Cisco IOS release using TFTP.
  Using a TFTP Server to Return to a Previous Release
  Follow these steps to revert from LWAPP mode to autonomous mode by loading a Cisco IOS release using a TFTP server:
  Step 1 The static IP address of the PC on which your TFTP server software runs should be between 10.0.0.2 and 10.0.0.30.
  Step 2 Make sure that the PC contains the access point image file (such as c1200-k9w7-tar.122-15.JA.tar for a 1200 series access point) in the TFTP server folder and that the TFTP server is activated.
  Step 3 Rename the access point image file in the TFTP server folder to c1200-k9w7-tar.default for a 1200 series access point, c1130-k9w7-tar.default for an 1130 series access point, and c1240-k9w7-tar.default for a 1240 series access point.
  Step 4 Connect the PC to the access point using a Category 5 (CAT5) Ethernet cable.
  Step 5 Disconnect power from the access point.
  Step 6 Press and hold MODE while you reconnect power to the access point.
  Step 7 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds) and then release.
  Step 8 Wait until the access point reboots, as indicated by all LEDs turning green followed by the Status LED blinking green.
  Step 9 After the access point reboots, reconfigure it using the GUI or the CLI.
  From this doc;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00804fc3dc.html#wp161272
  Hope this helps!
  Rob

• Tcl scripting for snmp

  I am trying to make a script that will give me the uptime of the router and send it to a database. The problem I have, the part of the script that doesn't work, work if I execute it from the tclshell on the router.
  tcl
  set value [snmp_getone public 1.3.6.1.2.1.1.3.0]
  regexp {oid='(.*)'.*val='(.*)'} $value ignore oid _snmp_result
  set _snmp_result [expr $_snmp_result]
  Has you can see, it work well and give me the information I want.
  router#tclsh
  router(tcl)#set value [snmp_getone public 1.3.6.1.2.1.1.3.0]
  {<obj oid='sysUpTime.0' val='1810190'/>}
  stnley600(tcl)#regexp {oid='(.*)'.*val='(.*)'} $value ignore oid _snmp_result
  1
  router(tcl)#set _snmp_result [expr $_snmp_result]
  1810190
  But if I execute from a tcl file I have an error that tell me it didn't recognize the command snmp_getone
  router#event manager run routeruptime.tcl
  invalid command name "snmp_getone"
      while executing
  "snmp_getone public 1.3.6.1.2.1.1.3.0"
      invoked from within
  "$slave eval $Contents"
      (procedure "eval_script" line 7)
      invoked from within
  "eval_script slave $scriptname"
      invoked from within
  "if {$security_level == 1} {       #untrusted script
       interp create -safe slave
       interp share {} stdin slave
       interp share {} stdout slave
      (file "tmpsys:/lib/tcl/base.tcl" line 50)
  Tcl policy execute failed: invalid command name "snmp_getone"
  I am wondering if I need to import something else. Right now, all I have is this
  ::cisco::eem::event_register_none
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  I am not a pro in tcl scripting so your help would be very appreciated.
  Thanks

  You are mixing tclsh code with EEM Tcl code.  The snmp_* commands are not available in EEM Tcl.  If you want to get SNMP data in an EEM Tcl policy, you need to use the sys_reqinfo_snmp command.  In your example, this code should work:
  array set snmp_res [sys_reqinfo_snmp oid 1.3.6.1.2.1.1.3.0 get_type exact]set snmp_val $snmp_res(value)action_syslog msg "Uptime is $snmp_val timeticks"

• Signing byte-encoded TCL script for EEM

  Good day,
  I am trying to figure out how to sign a TCL script which is distributed in byte-encoded form.
  The byte coding is performed with TCL pro (http://sourceforge.net/projects/tclpro/files/TclPro-1.4.1/)
  Any pointers on how to do it will be much appreciated.
  Regards,
  Alexei

  EEM 3.4 should support third party signing of Tcl policies.  As to whether or not byte-code compiled policies will be supported is uncertain.  However, you should be able to sign a byte-code compiled Tcl script (regular Tcl script, and not EEM policy) by putting the signature after the closing tbcload '}'.  I assume the same thing will eventually be doable with EEM.

• Where is PSIRT lookup tool for cisco IOS?

  Can someone give me the link to a tool that will allow me to paste my version of IOS into and then get a listing of all known advisories/responses?
  thanks,

  I think the following link is what you may be looking for:
  http://tools.cisco.com/security/center/selectIOSVersion.x

• Need help for writing script for Cisco GSS

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  We would like to know if running script from DB server it can activate and suspend of answer group instances

  Definitely the wrong forum.
  The forum you arre looking for can be found here:
  http://forum.keithley.com

• Cisco OnRamp.tcl script - maximum fax size(s)

  Hi all!
  For the last several years I've been deploying Cisco's CME solution, and occasionally I've included the OnRamp .tcl script for receiving faxes, converting to .tif files, and forwarding to an email address.
  Lately I've had a customer query regarding max size of faxes that can be supported.  To wit, they are trying to send a 48 page fax, and in their email inbox they only get the first page.  They've tested fax to fax and all works well.
  Does anyone know of any sizing limitations, or tweaks I can make to either dial-peers, or hardware, or perhaps the script itself to support any size fax?
  Thanks in advance for any help or information.
  Kevin

  I tried to configure T37 onramp/offramp fax in my network but after several attempts I failed to apply it completely and just portion of that worked well. despite describing the scenario in many forums (like here), I got nothing!
  anyway, I'm going to test it in a simple form. I mean, I want to connect my edge router to PSTN line via an FXO port and via ethernet to internal network. my internal network has many physical fax machines that have gotten their internal tel numbers (like 866, 867, ...) from PBX . so can I use this scenario to configure the router to support these fax machine, or I should connect fax machines directly to router through FXS ports? tnx. 

• Looking for ACE Probe TCL script specific for LDAPS

  Hello Everyone,
  I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.
  Could someone kindly point me or provide me the modified TCL script if you happen to have it.
  During my search I also found a config that someone had provided, which contained the following probe:
  probe tcp LDAPS_Probe
    port 636
  probe tcp LDAP_Probe
    port 389
  I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.
  This is how I applied the script for LDAP port 389.
  script file 1 LDAP_PROBE
  probe scripted LDAP_PROBE_389
  interval 5
  passdetect interval 30
  receive 5
  script LDAP_PROBE
  serverfarm host SF-LDAP-389
  description SF LDAP Port 389
  predictor leastconns
  probe LDAP_PROBE_389
  rserver LDAP-RS1-389
  inservice
  I will be more than glad to provide you any additional information that you need.
  As always thanks for your input.
  Raman Azizian
  SAIC/NISN Network services

  normally you would engage a TCL developer or ciso advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl.  default port is 389 when you implement you would specify 636.
  #!name = LDAP_PROBE
  # Description:
  #    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and
  #    determines whether the bind request succeeds.  LDAP_PROBE then closes the
  #    connection with a TCP RST.
  #    If a port is specified in the "probe scripted" configuration, the script probes
  #     each suspect on that port. If no port is specified, the default LDAP port 389
  #     is used.
  # Success:
  #   The script succeeds if the server returns a bind response indicating success
  #    (status code 0x0a0100) to the bind request.
  #   The script closes the TCP connection with a RST following a successful attempt.
  # Failure:
  #   The script fails due to timeout if the response is not returned.  This
  #    includes a failure to receive ARP resolution, a failure to create a TCP connection
  #    to the port, or a failure to return a response to the LDAP bind request.
  #   The script also fails if the server bind response does not indicate success.
  #    This specific error returns the 30002 error code.
  #   The script closes any attempted TCP connection, successful or not, with a RST.
  #  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
  #   in ASN.1 short definite form.  Responses using other length forms (e.g., long
  #   definite length form) will require script modification to achieve success.
  # SCRIPT version: 1.0       April 1, 2008
  # Parameters:
  #   [DEBUG]
  #      username - user login name
  #      password - password
  #      DEBUG        - optional key word 'DEBUG'. default is off
  #         Do not enable this flag while multiple probe suspects are configured for this
  #         script.
  # Example config :
  #   probe scripted USE_LDAP_PROBE
  #         script LDAP_PROBE
  #   Values configured in the "probe scripted" configuration populate the
  #   scriptprobe_env array.  These may be accessed or manipulated if desired.
  # Documentation:
  #    A detailed discussion of the use of scripts on the ACE is included in
  #       "Using Toolkit Command Language (TCL) Scripts with the ACE"
  #    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
  # Copyright (c) 2005-2008 by Cisco Systems, Inc.
  # debug procedure
  # set the EXIT_MSG environment variable to help debug
  # also print the debug message when debug flag is on
  proc ace_debug { msg } {
      global debug ip port EXIT_MSG
      set EXIT_MSG $msg
      if { [ info exists ip ] && [ info exists port ] } {
       set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
      if { [ info exists debug ] && $debug } {
       puts $EXIT_MSG
  # main
  # parse cmd line args and initialize variables
  ## set debug value
  set debug 0
  if { [ regsub -nocase "DEBUG" $argv "" argv] } {
      set debug 1
  ace_debug "initializing variable"
  set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"
  set ip $scriptprobe_env(realIP)
  set port $scriptprobe_env(realPort)
  # if port is zero the use well known ldap port 389
  if { $port == 0 } {
      set port 389
  # PROBE START
  # open connection
  ace_debug "opening socket"
  set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
  fconfigure $sock -buffering line -translation binary
  # send a standard anonymous bind request
  ace_debug "sending ldap bind request"
  puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
  flush $sock
  #  read string back from server
  ace_debug "receiving ldap bind result"
  set line [read $sock 14]
  binary scan $line H* res
  binary scan $line @7H6 code
  ace_debug "received $res with code $code"
  #  close connection
  ace_debug "closing socket"
  close $sock
  #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
  if {  $code != "0a0100" } {
      ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
      exit 30002
  ## make probe success by exit with 30001
  ace_debug "probe success"
  exit 30001

• ACE TCL Script Probe for Websphere MQ

  Have anyone written a TCL script to probe MQ from the ACE?  Our app guys are saying that a Layer 4 probe (TCP port check) is generating errors in the QManager logs because there is no data exchange, just TCP connection setup, then tear-down.
  Thought I would check here to see if anyone has written a TCL Script for this before or has any other suggestions.
  Thanks!                  

  Hi,
  What do you need to check exactly on the server?  will be an specific uri?
  Cesar R
  ANS Team

• TCL scripting

  st1\:*{behavior:url(#ieooui) }
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Network Scenario:
  We have a Client-Server enterprise network, and nature of servers is to broadcast some stats/info to all the clients.
  We are using two 6509-E at core with HSRP to provide the redundancy for servers. I have attached the network layout (not the real one) with some description with this thread. On both switches we have configured “ip helper-addresses” to forward the broadcast to multiple destinations(different VLANs). Every thing is working fine with respect to HSRP.
  Problem:
  Under normal circumstances, both ACTIVE and STANDBY hsrp switches generates broadcast which causing duplication of every broadcast packet and Client end receiving every packet twice. Cisco already claimed that standby switch will forward the broadcast. As an alternate TAC has advised to use the TCL script as a work around which we attempted to however no success at the end.
  Please let me know if some one can help me in modifying TCL script.
  ::cisco::eem::event_register_syslog occurs 1 pattern .*STANDBY.*STATECHANGE.* maxrun 90
  # EEM policy used to detect an HSRP state change. Once change is detected, analize the
  # type of change and modify the configuration about helper address.
  # The script looks for the DHCP server ip address in dhcp_server environment variable
  # and adds or removes the command 'ip helper-address dhcp_server' to the interface on
  # which HSRP status has changed.
  # April 2006, Cisco Europe & Emerging TME Team
  # Copyright (c) 2006 by cisco Systems, Inc.
  # All rights reserved.
  ### The script uses the following environment variables:
  #   $dhcp_server - ip address of the DCHP server in four octect dotted notation
  # 1. check if all the env variables we need exist and if not abort
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if {![info exists dhcp_server]} {
      set result "EEM Policy Error: variable dhcp_server has not been set"
      error $result $errorInfo
  # 2. Local procedure for CLI show commands
  # Pass a list of cli commands and it returns a list of outputs
  proc CLICmdProc {cmds} {
      if [catch {cli_open} result] {
          error $result $errorInfo
      } else {
          array set cli1 $result
      if [catch {cli_exec $cli1(fd) "enable"} result] {
          error $result $errorInfo
      foreach a_cmd $cmds {
          if [catch {cli_exec $cli1(fd) $a_cmd} result] {
              error $result $errorInfo
          } else {
              lappend cmd_output $result
      if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
          error $result $errorInfo
      return $cmd_output
  # 3. Local procedure for CLI configuration commands
  # Pass a list of cli commands
  proc CLICfgProc {cmds} {
      if [catch {cli_open} result] {
          error $result $errorInfo
      } else {
          array set cli1 $result
      if [catch {cli_exec $cli1(fd) "enable"} result] {
          error $result $errorInfo
      if [catch {cli_exec $cli1(fd) "config terminal"} result] {
          error $result $errorInfo
      foreach a_cmd $cmds {
          if [catch {cli_exec $cli1(fd) $a_cmd} result] {
              error $result $errorInfo
          } else {
              set cmd_output $result
      if [catch {cli_exec $cli1(fd) "end"} result] {
          error $result $errorInfo
      if [catch {cli_exec $cli1(fd) "write mem"} result] {
          error $result $errorInfo
      if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
          error $result $errorInfo
  # 4. query the information of latest triggered eem event
  array set arr_einfo [event_reqinfo]
  if {$_cerrno != 0} {
      set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
          $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
      error $result
  set msg $arr_einfo(msg)
  # 5. we save the interface which triggered the event in interface
  regexp {(Vlan[0-9]{1,4}).*-> ([A-Z,a-z]*$)} $msg result interface action
  if {$action == "Active"} {
                lappend clicmd "interface $interface"
                lappend clicmd "ip helper-address $dhcp_server"
  if {$action != "Active"} {
                lappend clicmd "interface $interface"
                lappend clicmd "no ip helper-address $dhcp_server"
  set cliout [CLICfgProc $clicmd]
  action_syslog msg "Updating the configuration of interface $interface"

  Try this version.  You will need to first set an environment variable, dhcp_servers to be a comma separated list of IP addresses (i.e. the helper addresses) to configure/unconfigure.  For example:
  event manager environment dhcp_servers 192.168.10.255,192.168.12.255,192.168.14.255

• EEM TCL script configuration issue

  Hi Experts,
  I need help with an EEM TCL script for the CRS platform that generates a SYSLOG message after the CPU reaches a threshold value and then stays over the threshold value for 15 minutes, I've already tryied several thing and the last TCL script that I tested generated the SYSLOG message when the CPU reaches the threshold but I can't seem to find any way to make it wait the 15 min over the threshold and then generate the message.
  My current script looks like this:
  ::cisco::eem::event_register_wdsysmon timewin 900 sub1 cpu_tot op ge val 70
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  array set event_details [event_reqinfo]
  action_syslog msg "sub1 is $event_details(sub1)"
  action_syslog msg "High CPU threshold value over 70%"
  puts ok
  I've tryied using the 'period' option for the 'cpu_tot' variable but the TCL script was'nt recognized and couldn't be registered, and I'm using the 'timewin' option here but it seems to be wrong as it says it's the time it has for multiple sub-events to ocurr in order for the script to execute.
  timewin
  (Optional) Time window within which all of the subevents have to occur in order for an event to be generated and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295 inclusive. MMM format must be an integer representing milliseconds between 0 and 999).
  Also, the 'period' option I believe wouldn't have worked because I understand that it referrs to the time period that the script will take to monitor the CPU:
  •1. cpu_tot [op gt|ge|eq|ne|lt|le] [val ?] [period ?]
  op
  (Optional) Comparison operator that is used to compare the collected total system CPU usage sample percentage with the specified percentage value. If true, an event is raised.
  val
  (Optional) Percentage value in which the average CPU usage during the sample period is compared.
  period
  (Optional) Time period for averaging the collection of samples and is specified in SSSSSSSSSS[.MMM] format. SSSSSSSSSS format must be an integer representing seconds between 0 and 4294967295, inclusive. MMM format must be an integer representing milliseconds between 0 and 999. If this argument is not specified, the most recent sample is used.
  As I said, I couldn't try this because the script send an error when I tried to register using the following line:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op ge val 70 period 900
  This is the error message that appeared:
  RP/0/RP0/CPU0:CRS(config)#event manager policy test.tcl username cisco
  RP/0/RP0/CPU0:CRS(config)#commit
  Thu Aug 29 12:35:43.569 CDT
  % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
  RP/0/RP0/CPU0:CRS(config)#sh conf fail
  Thu Aug 29 12:35:52.427 CDT
  !! SEMANTIC ERRORS: This configuration was rejected by
  !! the system due to semantic errors. The individual
  !! errors with each failed configuration command can be
  !! found below.
  event manager policy test.tcl username cisco persist-time 3600
  !!% Embedded Event Manager configuration: failed to retrieve intermediate registration result for policy test.tcl
  end
  Anyway, to make this work I understand that I need nested TCL scripts that do the following:
  •1. Monitor the CPU and when it reaches the threshold install another TCL policy that counts down 15 min.
  •2. If the second TCL policy reaches zero then it should generate the SYSLOG message.
  •3. Monitor the CPU while this is running and if it falls below the threshold it should stop the second TCL policy.
  I don't know how I can acomplish this so if anyone can help me with this or show me another way to do this I would really appreciate it.
  Thanks in advance for all your help!

  Neither option is likely to do what you want.  The timewin is for correlating multiple events, and period is the polling interval.  What you want is to create a timer when the CPU is first detected as being high, countdown 15 minutes, then alert you.  You can do this with a nested EEM policy.  For example, you can add the following to your existing policy:
  proc get_pol_dir { fd } {
      set res {}
      set output [cli_exec $fd "show event manager directory user policy"]
      set output [string trim $output]
      regsub -all "\r\n" $output "\n" result
      set lines [split $result "\n"]
      foreach line $lines {
          if { $line == "" } {
              continue
          if { ! [regexp {\s} $line] && ! [regexp {#$} $line] } {
              set res $line
              break
      if { $res == {} } {
          return -code error "The user policy directory has not been configured"
      return $res
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  set output [cli_exec $cli(fd) "show event manager policy registered | inc tm_alert_high_cpu.tcl"]
  if { [regexp {tm_alert_high_cpu.tcl} $output] } {
      exit 0
  set poldir [get_pol_dir $cli(fd)]
  set polname "${poldir}/tm_alert_high_cpu.tcl"
  set fd [open $polname "w"]
  puts $fd "::cisco::eem::event_register_timer countdown time 900"
  puts $fd "namespace import ::cisco::eem::*"
  puts $fd "namespace import ::cisco::lib::*"
  puts $fd "action_syslog msg \"CPU has been over 70% for 15 minutes\""
  close $fd
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "event manager policy tm_lert_high_cpu.tcl username eem"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}
  Additionally, you'll want another permanently configured policy that checks for a low CPU threshold.  Something like:
  ::cisco::eem::event_register_wdsysmon sub1 cpu_tot op le val 10
  namespace import ::cisco::eem::*
  namespace import ::cisco::lib::*
  if { [catch {cli_open} result] } {
      error $result $errorInfo
  array set cli $result
  cli_exec $cli(fd) "config t"
  cli_exec $cli(fd) "no event manager policy tm_alert_high_cpu.tcl"
  cli_exec $cli(fd) "commit"
  cli_exec $cli(fd) "end"
  catch {cli_close $cli(fd) $cli(tty_id)}