Validation TcL Script (Ping/Trace)

I am looking for a script that I can use to help simplify my validation steps when I am doing some work on my devices. I typically have anywhere from 2 - 10 IP addresses that I need to validate against (typically less than 5 though). My common steps are to ping each of my IP addresses and then I run a traceroute to those IPs to validate they are first reachable and then second I need to validate the path that is being taken is correct before my work and then after my work. So far I have come across a TcL script that I could use for Ping, but not for trace. Ideally it would be nice if I could run a single line command with each IP address and then when I press enter the script will do the rest.
A sample of what I would like to do is type:
Script name: validate
R1(tcl)#validate x.x.x.x y.y.y.y z.z.z.z
The Ping script I found is below. I don't quite like it because it is not dynamic enough for what I am looking for, and I cannot seem to make this work for trace.
R1#tclsh
R1(tcl)#foreach address {
+>(tcl)#172.12.23.2
+>(tcl)#172.12.23.3
+>(tcl)#172.12.23.4
+>(tcl)#172.12.23.6
+>(tcl)#172.12.23.7
+>(tcl)#} { ping $address
+>(tcl)#}
Thank you,
Toby

I am learning TCL too and feel I can assist in some of this for you.
The reason why you get an invalid argument is because you are using argv, which only accepts arguments when you are calling a Tcl script to run from a command line and you add arguments at the end to feed into the script dynamically.
E.g. if you save a script called pingtest.tcl into the router's flash, then after the .tcl are your arguments that argv will soak in.
In other words, "Command line arguments are stored in the list named 'argv'"
pingtest.tcl 192.168.1.1 192.168.1.2 192.168.1.3 etc etc
I would recommend for now just turning it into a proc which you can use in the interactive Tcl shell on the router. After you do that then you can branch off into saving it into flash or whatever.
To turn it into a procedure you can forget about the argv stuff and just put the IP address directly into the proc argument.
This means that when you call your proc name it will execute the procedure body using the argument in the proc.
Have a go at this. To make it neater you can create a placeholder variable for all the IPs you want to validate.
What this will do is, if the ping is successful then it will go on to execute the traceroute.
However, if the ping fails then no traceroute is executed and it goes on to the next IP in the list.
eg -
set ip "192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.11.5 192.168.12.5 192.168.1.5 192.168.1.6 184.32.33.1 192.168.1.7 192.168.1.8 192.168.1.9 192.168.1.10"
Copy this into your router's interactive shell
set ip "192.168.1.1 192.168.1.2 192.168.1.3 192.168.1.4 192.168.11.5 192.168.12.5 192.168.1.5 192.168.1.6 184.32.33.1 192.168.1.7 192.168.1.8 192.168.1.9 192.168.1.10"
proc validate {x} {
    set counter 1
    puts "###########################"
    puts "# Running Ping Validation #"
    puts "###########################\n\n"
    foreach ip_address $x {
        # exec returns the ping output so it can be inspected
        set pings [exec ping $ip_address]
        # a run of "!" in the output means echo replies were received
        if {[regexp {!!!!} $pings]} {
            puts "Analysing Ping $counter to IP - $ip_address"
            puts "Ping to $ip_address - \[SUCCESSFULL\]\n\n"
            puts "*****Validating path to $ip_address via traceroute*****"
            traceroute $ip_address
            puts \n
            puts "\[COMPLETED\]\n\n"
            puts -----------------------------------------------------------
            puts \n\n
        } else {
            puts "Analysing Ping $counter to IP - $ip_address"
            puts "Ping to $ip_address - \[FAIL\]\n\n"
            puts -----------------------------------------------------------
        }
        incr counter
    }
}
validate $ip
END
- Also, it's worth noting that the Tcl traceroute command is finicky; if you use exec it most likely won't work and will just hang until all 30 hops are done (potentially IOS version dependent, as I have read a couple of Joseph's posts on similar issues with it).
It would be easy to convert back into argv. Just replace with foreach ip_address $argv and get rid of the procedure.

Similar Messages

  • ACE probe TCL script database

    Hello everyone, okay?
    I was thinking of a possibility to use my ACE to monitor a database, in this case a MySQL database. Today I use a TCP probe, monitoring the port, but I would go one step further and try to make a connection in the DATABASE.
    I would like to see the possibility of a guideline in creating a TCL script to make a simple connection to a database.
    The idea is to try to make a connection in a database, run a query / select on any table just to validate its functionality and not just checking if the port is responding.
    I do not know how complex it is or what would be my prerequisites required, but any help would be welcome.
    I thought about using an HTTP probe to make this validation and use a web page making the connection to the database, but it ended up creating another layer and if there is any problem in web service, the database would be affected indirectly.
    Thank you. All suggestions are welcome.

    Hi Plinio,
    I cannot see any support for testing authentication, SQL queries or connections to a database that is supported directly in TCL at this time.
    Here is the TCL guide that explains the supported commands (there is an HTTP example probe at the bottom)
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/script.html
    Beyond a TCL TCP probe to the port to test the listener is running, I believe your suggestion of a HTTP TCL script is probably the most accurate way to check the integrity of the database. You could write code to set a certain response to all types of failure scenarios and on the ACE you could then use a HTTP TCL script to parse the response from the web server to identify exactly what has failed in your database and act accordingly.
    cheers,
    Chris

  • EEM / Tcl Script Help Please

    Hello Community,
    I have been evaluating a Tcl Script posted here sometime ago, designed to help monitor track interfaces and routes, see attached.
    I believe I have applied the configurations correctly, however when I test the script by shutting down interfaces nothing happens.
    I'm sure it's something very simple that I'm missing.
    I wonder if someone could take a look at the configs and let me know what I'm doing wrong. I have also attached a diagram.
    Cheers
    Carlton

    Joseph,
    I did read again and I got it to work :-)
    Cheers
    On a slightly different topic, is it possible to 'track' a static ip address?
    For example, I have the following tracking configured:
    track 1 ip route 0.0.0.0 0.0.0.0 reachability
    track 2 interface FastEthernet0/0 ip routing
    track 3 interface FastEthernet0/1 ip routing
    track 4 ip route 180.80.8.4 255.255.255.255 reachability
    track 5 ip route 170.70.7.4 255.255.255.255 reachability
    R3#show track brie
    Track   Object                         Parameter        Value
    1       ip route  0.0.0.0/0            reachability     Up (static)
    2       interface FastEthernet0/0      ip routing       Up
    3       interface FastEthernet0/1      ip routing       Up
    4       ip route  180.80.8.4/32        reachability     Down (no route)
    5       ip route  170.70.7.4/32        reachability     Down (no route)
    However, you will see that track 4 and 5 are down. This is because, although I can ping 180.80.8.4 and 170.70.7.4 the actual ip addresses don't appear in the routing table:
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
         170.70.0.0/24 is subnetted, 1 subnets
    C       170.70.7.0 is directly connected, FastEthernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, FastEthernet1/0
         180.80.0.0/24 is subnetted, 1 subnets
    C       180.80.8.0 is directly connected, FastEthernet0/1
         150.50.0.0/24 is subnetted, 1 subnets
    C       150.50.5.0 is directly connected, Ethernet2/0
    S*   0.0.0.0/0 is directly connected, FastEthernet1/0
    R3#
    Therefore, is there way of creating a track for /32 ip addresses?
    I hope that makes sense.
    Cheers

  • IOS-XR reachability-check TCL script

    Hi there,
    I'm currently playing with TCL scripts to prepare for my CCIE lab exam. The main purpose I'm gonna use them is to
    check the reachability within ISP IGP domain and/or L3VPN domain.
    Currently I'm facing the following issue: I'm unable to specify the source address used to run ping:
    % tclsh
    foreach address {
    2010::2
    2010::3
    2010::4
    2010::5
    2010::6
    2010::7
    } { ping $address source lo0
    }
    % % Invalid parameter(s)
    child process exited abnormally
    Can somebody kindly help me out to modify the script so that ping is sourced from the configured interface?
    Thanks in advance

    try this. Note, you have to set your source address:
    set loop0 2010::1
    foreach address {
    2010::2
    2010::3
    2010::4
    2010::5
    2010::6
    2010::7
    } { ping6 -S $loop0 $address
    }
    Regards,
    /A

  • Problem with signed tcl scripts

    Hi All,
    I'm having some difficulties getting signed scripts to work on a router.
    I've got openssl 0.9.8h installed on a FreeBSD 6.2 box, and following the documentation located below, word for word, I can't seem to get any scripts to run properly. The router just seems to continually fail to verify the digital signature.
    http://www.cisco.com/en/US/docs/ios/12_4t/netmgmt/configuration/guide/sign_tcl.html#wp1079441
    When trying to run a script I usually end up with the following error messages:
    Invalid Signature
    May 10 04:54:30.845: ../cert-c/source/p7spprt.c(614) : E_VERIFY_ASN_SIGNATURE : error verifying digital signature
    May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): pkcs7 verify data returned status
    May 10 04:54:30.849: CRYPTO_PKI: status = 0x725(E_VERIFY_ASN_SIGNATURE : error verifying digital signature): failed to verify
    May 10 04:54:30.849: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
    May 10 04:54:30.849: %SYS-6-SCRIPTING_TCL_INVALID_OR_MISSING_SIGNATURE: tcl signing validation failed on script signed with trustpoint name scriptsigning, cannot run the signed TCL script.
    But when I try signing the example script in the document mentioned above it seems to work fine:
    #tclsh flash:hello.tcl
    hello
    argc = 0
    argv =
    argv0 = flash:hello.tcl
    tcl_interactive = 0
    May 10 03:58:00.408: CRYPTO_PKI: self-signed cert within the pkcs7.
    May 10 03:58:00.408: CRYPTO_PKI: Added x509 peer certificate - (1073) bytes
    May 10 03:58:00.408: CRYPTO_PKI: chain received from the peer has been reduced to one already trusted cert
    May 10 03:58:00.408: CRYPTO_PKI: validation path has 0 certs
    May 10 03:58:00.408: CRYPTO_PKI: unable to get cert attributesfor AAA list authorization.
    May 10 03:58:00.408: CRYPTO_PKI: chain cert was anchored to trustpoint scriptsigning, and chain validation result was: CRYPTO_VALID_CERT
    May 10 03:58:00.412: CRYPTO_PKI: Success on PKCS7 verify!
    May 10 03:58:00.412: CRYPTO_PKI: unlocked trustpoint scriptsigning, refcount is 0
    In both cases I used the exact same private key and CA certificate to sign both scripts.
    Does anyone have any clues, tips, or pointers for doing this successfully?
    Cheers,
    Tom

    I found your problem. The ORIGINAL script ended in a blank line. Therefore, you need TWO lines before the signature. I took the pkcs7 file you sent, your latest cert, and then added the signature to a clean btest.tcl with a trailing newline. The result worked perfectly.
    I'm attaching the signed btest.tcl along with the exact same cert and pkcs7 file you sent (I'm not attaching the private key for obvious reasons, but it is the same).
    All I did was take your pkcs7 file and:
    xxd -ps btest_sig.tcl.pk7 > btest.hex
    (I added a newline to the top of btest.hex, added the signature header, and commented each subsequent line)
    cat btest.tcl btest.hex > btest_sig.tcl
    I loaded your cert into my router, then loaded the signed script:
    Loading btest_sig.tcl from 14.32.100.33 (via FastEthernet0/0): !
    [OK - 5618 bytes]
    Bandwidth is 8434.
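
The assembly step described in the reply above, as an added example that is not part of the original thread or of Cisco's documentation: it appends the signature block without touching the script's own bytes, then recovers the bytes in front of the block and compares them with the file that was signed. The header text `#Cisco Tcl Signature V1.0` follows the Cisco signing guide linked in the question; the file names, the stand-in signature bytes, and the assumption that exactly one newline separates the signed bytes from the header are constructed for illustration.

```shell
#!/bin/sh
# Added example: assemble a signed IOS Tcl script and check that the bytes in
# front of the signature block are exactly the bytes that were signed.
# Assumption: the block is "\n" + header line + "#"-prefixed hex lines.
SIG_HEADER='#Cisco Tcl Signature V1.0'

# hex_lines FILE: hex-encode FILE, 30 bytes (60 hex digits) per line.
# Same layout as `xxd -ps`, but built from od/tr/fold only.
hex_lines() {
    od -An -v -tx1 "$1" | tr -d ' \n' | fold -w 60
    echo
}

# append_signature SCRIPT PK7 OUT: write SCRIPT byte-for-byte, then the block.
# The script's own trailing newline(s) are part of what was signed and stay.
append_signature() {
    {
        cat "$1"
        printf '\n%s\n' "$SIG_HEADER"      # one separator newline, then header
        hex_lines "$2" | sed 's/^/#/'      # signature as Tcl comment lines
    } > "$3"
}

# signed_payload SIGNED OUT: write the bytes that precede the separator
# newline and header to OUT. Returns 2 if there is no usable header line.
signed_payload() {
    n=$(grep -n -x -F -e "$SIG_HEADER" "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$n" ] && [ "$n" -gt 1 ] || return 2
    bytes=$(head -n $((n - 1)) "$1" | wc -c)
    head -c $((bytes - 1)) "$1" > "$2"     # drop only the separator newline
}

# payload_matches ORIGINAL SIGNED: 0 if SIGNED carries ORIGINAL unchanged.
payload_matches() {
    tmp=$(mktemp) || return 2
    if signed_payload "$2" "$tmp" && cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

demo() {
    d=$(mktemp -d) || return 2
    # Constructed inputs: a script that ends in a blank line, and placeholder
    # bytes standing in for the DER PKCS#7 produced by openssl.
    printf 'puts hello\n\n' > "$d/btest.tcl"
    printf 'constructed stand-in for a DER PKCS#7 signature' > "$d/btest.pk7"

    append_signature "$d/btest.tcl" "$d/btest.pk7" "$d/good_sig.tcl"

    # Same block pasted after a copy that lost its final newline, which is
    # the "one line short before the signature" case from the thread.
    printf 'puts hello\n' > "$d/trimmed.tcl"
    append_signature "$d/trimmed.tcl" "$d/btest.pk7" "$d/bad_sig.tcl"

    payload_matches "$d/btest.tcl" "$d/good_sig.tcl" \
        && echo "good_sig.tcl: payload is byte-identical to the signed file"
    payload_matches "$d/btest.tcl" "$d/bad_sig.tcl" \
        || echo "bad_sig.tcl: payload differs from the signed file"
    rm -rf "$d"
}

demo
```

Running `payload_matches` against the file that was fed to `openssl` before copying the result to the router catches newline drift introduced by editors or copy and paste.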

  • Executing Tcl Script from Command Prompt

    Hello All
    Can someone please show me how to execute a tcl script from the command prompt on a cisco router?
    Cheers
    Carlton

    Hi,
    Assume that you have a Tcl script to ping 3 IP addresses as below.
    foreach address {
    1.1.1.1
    2.2.2.2
    3.3.3.3
    } {ping $address}
    Use "tclsh" command and copy the script. That should do the job. Please find below example.
    R1#tclsh
    R1(tcl)#foreach address {
    +>(tcl)#1.1.1.1
    +>(tcl)#2.2.2.2
    +>(tcl)#3.3.3.3
    +>(tcl)#} {ping $address}
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    R1(tcl)#
    Hope this helps.
    Regards
    Najaf
    Please rate when applicable or helpful !!!

  • TCL scripting

    Network Scenario:
    We have a Client-Server enterprise network, and nature of servers is to broadcast some stats/info to all the clients.
    We are using two 6509-E at core with HSRP to provide the redundancy for servers. I have attached the network layout (not the real one) with some description with this thread. On both switches we have configured “ip helper-addresses” to forward the broadcast to multiple destinations (different VLANs). Everything is working fine with respect to HSRP.
    Problem:
    Under normal circumstances, both ACTIVE and STANDBY HSRP switches generate broadcasts, which causes duplication of every broadcast packet, and the client end receives every packet twice. Cisco already claimed that the standby switch will forward the broadcast. As an alternative, TAC has advised using the TCL script as a workaround, which we attempted, however with no success in the end.
    Please let me know if someone can help me in modifying the TCL script.
    ::cisco::eem::event_register_syslog occurs 1 pattern .*STANDBY.*STATECHANGE.* maxrun 90
    # EEM policy used to detect an HSRP state change. Once change is detected, analyze the
    # type of change and modify the configuration about helper address.
    # The script looks for the DHCP server ip address in dhcp_server environment variable
    # and adds or removes the command 'ip helper-address dhcp_server' to the interface on
    # which HSRP status has changed.
    # April 2006, Cisco Europe & Emerging TME Team
    # Copyright (c) 2006 by cisco Systems, Inc.
    # All rights reserved.
    ### The script uses the following environment variables:
    #   $dhcp_server - ip address of the DHCP server in four octet dotted notation
    # 1. check if all the env variables we need exist and if not abort
    namespace import ::cisco::eem::*
    namespace import ::cisco::lib::*
    if {![info exists dhcp_server]} {
        set result "EEM Policy Error: variable dhcp_server has not been set"
        error $result $errorInfo
    }
    # 2. Local procedure for CLI show commands
    # Pass a list of cli commands and it returns a list of outputs
    proc CLICmdProc {cmds} {
        if [catch {cli_open} result] {
            error $result $errorInfo
        } else {
            array set cli1 $result
        }
        if [catch {cli_exec $cli1(fd) "enable"} result] {
            error $result $errorInfo
        }
        foreach a_cmd $cmds {
            if [catch {cli_exec $cli1(fd) $a_cmd} result] {
                error $result $errorInfo
            } else {
                lappend cmd_output $result
            }
        }
        if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
            error $result $errorInfo
        }
        return $cmd_output
    }
    # 3. Local procedure for CLI configuration commands
    # Pass a list of cli commands
    proc CLICfgProc {cmds} {
        if [catch {cli_open} result] {
            error $result $errorInfo
        } else {
            array set cli1 $result
        }
        if [catch {cli_exec $cli1(fd) "enable"} result] {
            error $result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "config terminal"} result] {
            error $result $errorInfo
        }
        foreach a_cmd $cmds {
            if [catch {cli_exec $cli1(fd) $a_cmd} result] {
                error $result $errorInfo
            } else {
                set cmd_output $result
            }
        }
        if [catch {cli_exec $cli1(fd) "end"} result] {
            error $result $errorInfo
        }
        if [catch {cli_exec $cli1(fd) "write mem"} result] {
            error $result $errorInfo
        }
        if [catch {cli_close $cli1(fd) $cli1(tty_id)} result] {
            error $result $errorInfo
        }
    }
    # 4. query the information of latest triggered eem event
    array set arr_einfo [event_reqinfo]
    if {$_cerrno != 0} {
        set result [format "component=%s; subsys err=%s; posix err=%s;\n%s" \
            $_cerr_sub_num $_cerr_sub_err $_cerr_posix_err $_cerr_str]
        error $result
    }
    set msg $arr_einfo(msg)
    # 5. we save the interface which triggered the event in interface
    regexp {(Vlan[0-9]{1,4}).*-> ([A-Z,a-z]*$)} $msg result interface action
    if {$action == "Active"} {
        lappend clicmd "interface $interface"
        lappend clicmd "ip helper-address $dhcp_server"
    }
    if {$action != "Active"} {
        lappend clicmd "interface $interface"
        lappend clicmd "no ip helper-address $dhcp_server"
    }
    set cliout [CLICfgProc $clicmd]
    action_syslog msg "Updating the configuration of interface $interface"

    Try this version.  You will need to first set an environment variable, dhcp_servers to be a comma separated list of IP addresses (i.e. the helper addresses) to configure/unconfigure.  For example:
    event manager environment dhcp_servers 192.168.10.255,192.168.12.255,192.168.14.255

  • Creating a job that runs a Tcl script

    Hi,
    We currently have a scheduled job running a Tcl script on a 8.1.7 DB. My question is, can I still use the same setup in 10g DB (i.e. creating a job that runs Tcl script)? If I can, how am I gonna do it?
    Thanks,
    howie

    It depends on how you scheduled the job in 8.1.7 DB.
    By Cronjob? Yes you can do the same to connect to 10g
    By DBMS_JOB?. Yes you can do it in 10g and in addition, can improve it with DBMS_SCHEDULER
    Via OEM? Yes, you can use Enterprise Manager to create a Job that runs the Script.

  • 10.6.8 can ping /trace but no connection online

    Hi there, I was using my MacBook this morning and closed it all down and went out all day, came home, powered up my MacBook Pro again and none of my online services worked (Dropbox, Skype, Google Drive), then I tried to collect my email and the same, so I thought I would try the browser, same..
    So I fired up Terminal and started pinging the outside world (www.bbc.co.uk). I got good healthy pings back so I decided to do a traceroute and that was the same, mmm I thought...
    So I pinged the default gateway on my router, the same, all good, and then the same again with the DNS servers, still the same ... so I disabled my wireless connection and fired up my other desktop Mac and tested that, that's working fine... then I connected an ethernet cable to my MacBook, same thing, I can ping / trace OK but I cannot get an outside connection. Very strange, so I thought I know, I will change the DNS servers to Google 8.8.8.8 and 4.4.4.4, same thing, mmmm, so I fired up Disk Utility and checked the permissions, all fine... so if my other Mac is working fine and this one is not, OK, I thought I will create a new user account on the MacBook and test that, nope, still the same.. *scratches chin* so I opened Terminal again and ran these commands "sudo killall mDNSResponder" and also this one sudo "dscacheutil -flushcache"
    Nope, nothing seems to work. I have rebooted and ran the latest combo update to see if that repairs anything, no, nothing. I am at a loss now, I really need my MacBook working, on the old backup desktop is a nightmare and I have the feeling that I will have to start backing everything up and reinstalling, LONG JOB!
    I would appreciate any advice or pointers that you can give me to fix this and get it working before I have to reinstall it
    thanks
    tim

    One thing I have just tested: I can copy files from my Mac desktop to my MacBook fine, mmm!

  • Setting the source-interface in a tcl script for email.

    So once again I am trying to figure this out and failing miserably. The only thing I can think of at the moment is that I need to tell it to source from a specific vrf interface. I've tried looking through possible environment variables, hoping I could set it that way, but have yet to find one. I have read various settings for source-interface and attempted them. But fail every time with:
    vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    EEM Version:
    sho event manager version
    Embedded Event Manager Version 4.00
    Component Versions:
    eem: (rel4)1.0.4
    eem-gold: (rel1)1.0.2
    eem-call-home: (rel2)1.0.0
    Below is the stock format for sending the email from the script. If someone could guide me in the correct way to set this up to source the interface that would be awesome.
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" ""]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }

    I got this far, saw the MAXRUN error, bumped that out and then turned on debugging. I am still not connecting to the mail server. So I don't think I am reaching the mail server yet. I don't think it is using the sourceinterface. In debugging everything in the script works except for the mail portion.
    Jul 29 16:01:00.334: %HA_EM-6-LOG: vpn_failure.tcl: Creating mail header for vpn_failure.tcl script...
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     while executing
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "action_syslog msg "smtp_send_email: $result""
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "$slave eval $Contents"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (procedure "eval_script" line 7)
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "eval_script slave $scriptname"
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     invoked from within
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: "if {$security_level == 1} {       #untrusted script
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp create -safe slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdin slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:      interp share {} stdout slave
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl: ..."
    Jul 29 16:02:36.464: %HA_EM-6-LOG: vpn_failure.tcl:     (file "tmpsys:/lib/tcl/base.tcl" line 50)
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Tcl policy execute failed:
    Jul 29 16:02:36.465: %HA_EM-6-LOG: vpn_failure.tcl: Process Forced Exit- MAXRUN timer expired.
    Debugging On:
    Jul 29 16:28:51.471: [fh_smtp_debug_cmd]
    Jul 29 16:28:51.472: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 2
    Jul 29 16:29:24.473: [fh_smtp_debug_cmd]
    Jul 29 16:29:24.473: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 3
    Jul 29 16:29:57.475: [fh_smtp_debug_cmd]
    Jul 29 16:29:57.475: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 4
    Jul 29 16:30:30.478: [fh_smtp_debug_cmd]
    Jul 29 16:30:30.479: %HA_EM-6-LOG: vpn_failure.tcl : DEBUG(smtp_lib) : smtp_connect : attempt 5
    Jul 29 16:31:00.482: %HA_EM-6-LOG: vpn_failure.tcl: smtp_send_email: error connecting to mail server:
    cannot connect to all the candidate mail servers
    Jul 29 16:31:00.483: %HA_EM-6-LOG: vpn_failure.tcl: vpn_failure.tcl script completed
    event manager environment _email_server 10.79.1.126
    event manager environment _email_from [email protected]
    event manager environment _email_to [email protected]
    interface Port-channel1.101
    description MGMT-1
    encapsulation dot1Q 101
    vrf forwarding MGMT-1
    ip address 10.79.1.252 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    redundancy rii 101
    redundancy group 2 ip 10.79.1.254 exclusive decrement 10
    end
    #----------------------- send mail ----------------------
    # create mail form
      action_syslog msg "Creating mail header for vpn_failure.tcl script..."
      set body [format "Mailservername: %s" "$_email_server"]
      set body [format "%s\nFrom: %s" "$body" "$_email_from"]
      set body [format "%s\nTo: %s" "$body" "$_email_to"]
      set _email_cc ""
      set body [format "%s\nCc: %s" "$body" "[email protected]"]
      set body [format "%s\nSourceintf: %s" "$body" "port-channel1.101"]
      set body [format "%s\nSubject: %s\n" "$body" "VPN Failure Detected: Router $routername Crypto tunnel is DOWN. Peer $remote_peer"]
      set body [format "%s\n%s" "$body" "Report Summary:"]
      set body [format "%s\n%s" "$body" "   - syslog message"]
      set body [format "%s\n%s" "$body" "   - summary of interface(s) in an up/down state"]
      set body [format "%s\n%s" "$body" "   - show ip route $remote_peer"]
      set body [format "%s\n%s" "$body" "   - show crypto isakmp sa"]
      set body [format "%s\n%s" "$body" "   - show crypto session detail"]
      set body [format "%s\n%s" "$body" "   - show crypto engine connection active"]
      set body [format "%s\n%s" "$body" "   - show ip nhrp detail (DMVPN only)"]
      set body [format "%s\n%s" "$body" "   - show log"]
      set body [format "%s\n\n%s" "$body" "---------- syslog message ----------"]
      set body [format "%s\n%s" "$body" "$syslog_msg"]
      set body [format "%s\n\n%s" "$body" "---------- summary of interface(s) in an up/down state ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_interface_brief_up_down"]
      set body [format "%s\n\n%s" "$body" "---------- show ip route $remote_peer ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_route"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto isakmp sa ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_isakmp_sa"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto session detail ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_session_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show crypto engine connection active ----------"]
      set body [format "%s\n\n%s" "$body" "$show_crypto_engine_connection_active"]
      set body [format "%s\n\n%s" "$body" "---------- show ip nhrp detail (DMVPN only) ----------"]
      set body [format "%s\n\n%s" "$body" "$show_ip_nhrp_detail"]
      set body [format "%s\n\n%s" "$body" "---------- show log ----------"]
      set body [format "%s\n\n%s" "$body" "$show_log"]
      if [catch {smtp_send_email $body} result] {
        action_syslog msg "smtp_send_email: $result"
      }
      action_syslog msg "vpn_failure.tcl script completed"
    #------------------ end of send mail --------------------

  • Reading the Facility Callername from a tcl script

    I am looking for a way to read the Callingname in the facility message so that I can pass into
    set callInfo(displayInfo)
    Basically I'm trying to pass Callername to an ip phone through a TCL script on the gateway during callsetup. This normally gets dropped.
    Is there a way to parse these fields in the Facility message?
    Thanks ahead of time for any help.
    Oct 14 21:59:58.274: ISDN Se0/0/0:23 Q931: RX <- FACILITY pd = 8 callref = 0x03BB
    Facility i = 0x9F8B0100A117020101020100800F5452494F4E20574F524C44204E4554
    Protocol Profile = Networking Extensions
    0xA117020101020100800F5452494F4E20574F524C44204E4554
    Component = Invoke component
    Invoke Id = 1
    Operation = CallingName
    Name Presentation Allowed Extended
    Name = MY CALLINGNAME

    Well.. I'm having to alter an existing script that parsers the calls for fax service before they are being sent to callmanager.
    So far I think I'm in the right direction but I don't know how to use the "object get gtd" properly, if that's even the right approach. I'm trying to parse
    GEN,y,y,0,JOE BLOW
    from the gtd debug below...
    Oct 15 16:32:26.543: CNG tone sent
    Oct 15 2009 11:32:26 CDT: %ISDN-6-CONNECT: Interface Serial0/0/0:0 is now connected to XXXXXXXXXX N/A
    Oct 15 16:32:27.231: ISDN Se0/0/0:23: Built a GTD of size 110 octets for ISDN message type 0x62
    Oct 15 16:32:27.231: tsp_ccrawmsg_encap: calling cdapi_find_tsm
    Oct 15 16:32:27.231: cdapi_find_tsm: Found Tunnelled Signaling Msg with GTD: PROT_PTYPE_GTD
    Oct 15 16:32:27.231: cdapi_find_tsm: Found a gtd msg of length 110:
    Oct 15 16:32:27.231: gtd msg = "FAC,
    PRN,isdn*,,NI***,
    GEN,y,y,0,JOE BLOW ----------------Caller NAME
    UFC,GEN,5,fachd,9f8b0100
    UFC,GEN,5,inpdu,020101020100"
    This is what I have so far...
    set DestNum [infotag get evt_dcdigits]
    set callInfo(destinationNum) $DestNum
    infotag set evt_facility_report gtd
    infotag get evt_gtd CallerID
    set CallerName [object get gtd CallerID FAC,4,GEN]
    set DestNum [infotag get evt_dcdigits]
    puts "$CallerName"
    puts "$DestNum"
    set callInfo(displayInfo) $CallerName
    set callInfo(destinationNum) $DestNum
    leg setup $DestNum callInfo leg_incoming
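
The Facility IE quoted in this thread is a run of nested tag-length-value elements, so the name can be read straight from the hex. The Tcl below is an added example, not code from the thread or from Cisco: the proc names `read_tlv` and `facility_calling_name` are hypothetical, it assumes short-form lengths and single-octet integers, and it works on the hex string from the debug output rather than on any IVR infotag.

```tcl
# Added example (not from the thread); proc names are hypothetical.
# Reads one short-form TLV at byte offset pos; returns {tag value nextPos}.
proc read_tlv {bytes pos} {
    if {[binary scan $bytes "@${pos}cc" tag len] != 2} { error "truncated TLV at offset $pos" }
    set tag [expr {$tag & 0xFF}]
    set len [expr {$len & 0xFF}]
    if {$len & 0x80} { error "long-form length at offset $pos not handled" }
    set end [expr {$pos + 2 + $len}]
    if {$end > [string length $bytes]} { error "TLV at offset $pos overruns the buffer" }
    set val [string range $bytes [expr {$pos + 2}] [expr {$end - 1}]]
    return [list $tag $val $end]
}

# Returns {invokeId operation name} from a Facility IE hex string, or {}
# when no Invoke component (tag 0xA1) with a name argument is present.
proc facility_calling_name {hex} {
    regsub -nocase {^0x} $hex "" hex
    if {![regexp {^([0-9A-Fa-f]{2})+$} $hex]} { error "not an even-length hex string" }
    set ie [binary format H* $hex]
    set pos 1   ;# octet 0 is the protocol profile (0x9F in the debug)
    while {$pos < [string length $ie]} {
        foreach {tag val pos} [read_tlv $ie $pos] break
        if {$tag != 0xA1} { continue }   ;# skips the 8B 01 00 element
        set ints {}
        set ipos 0
        while {$ipos < [string length $val]} {
            foreach {itag ival ipos} [read_tlv $val $ipos] break
            if {$itag == 0x02 && [llength $ints] < 2} {
                if {[binary scan $ival c i] != 1} { error "empty INTEGER" }
                lappend ints [expr {$i & 0xFF}]   ;# invoke id, then operation
            } elseif {[llength $ints] == 2} {
                return [list [lindex $ints 0] [lindex $ints 1] $ival]
            }
        }
    }
    return {}
}

# Driver: the hex is the "Facility i =" value quoted in the post. Operation 0
# is the value the debug prints as "Operation = CallingName".
set fac 0x9F8B0100A117020101020100800F5452494F4E20574F524C44204E4554
foreach {id op name} [facility_calling_name $fac] break
if {[info exists op] && $op == 0} {
    puts "invoke id $id, calling name: $name"
} else {
    puts "no CallingName invoke found"
}
```

Because the text is decoded from the hex itself, it can differ from a `Name =` line that was edited by hand before posting.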

  • CallManager Express TCL Script issue

    Hi, I'm having issues trying to get an AA script working on a CME 4.0 system. What I want to do is quite simple, I just want to play a message to callers and that's it.
    When I dial the pilot, the call just drops and I get the following error when debugging "voip application script"
    Jul 25 17:16:22.470: //381//TCL :/tcl_PutsObjCmd: TCL AA: +++ B-ACD-SERVICE not registered, Starting B-ACD-SERVICE +++
    Jul 25 17:16:22.470: //381//AFW_:/AFW_FSM_Drive: Tcl_Eval to drive FSM inside Tcl modulespace. code=1 code=ERROR
    Jul 25 17:16:22.470: TCL script failure
    Result:
    Handoff Failed
    Jul 25 17:16:22.470: TCL script failure errorInfo:
    Handoff Failed
    while executing
    "handoff appl leg_incoming $serviceName -s $hString"
    (procedure "act_Setup" line 30)
    invoked from within
    "act_Setup"
    (procedure "act_Handoff_Activity" line 7)
    invoked from within
    "act_Handoff_Activity"
    Below is my config
    application
    service aa flash:app-b-acd-aa-2.1.0.0.tcl
    paramspace english index 1
    param number-of-hunt-grps 1
    param handoff-string aa
    paramspace english language en
    param max-time-vm-retry 3
    param aa-pilot 1050
    paramspace english location flash:
    param second-greeting-time 60
    param welcome-prompt _bacd_welcome.au
    param queue-manager-debugs 1
    param call-retry-timer 15
    param max-time-call-retry 200
    param voice-mail 8000
    param service-name aa
    dial-peer voice 1050 voip
    service aa
    destination-pattern 1050
    session target ipv4:172.27.27.10
    incoming called-number .
    dtmf-relay h245-alphanumeric
    codec g711ulaw
    no vad
    telephony-service
    load 7914 S00104000100
    load ATA ATA030100SCCP040211A
    load 7920 cmterm_7920.4.0-02-00
    load 7971 TERM70.6-0-3SR1S
    load 7970 TERM70.6-0-3SR1S
    load 7912 CP7912080001SCCP051117A
    max-ephones 240
    max-dn 480
    ip source-address 172.27.27.10 port 2000
    timeouts interdigit 5
    system message Galaxia - VSAT Activated
    sdspfarm units 1
    sdspfarm transcode sessions 2
    sdspfarm tag 1 mtp0018185bf860
    cnf-file perphone
    network-locale IT
    time-zone 23
    time-format 24
    date-format dd-mm-yy
    max-conferences 8 gain -6
    call-park system redirect
    call-forward pattern .T
    moh music-on-hold.au
    multicast moh 239.x.1.30 port 2123
    web admin system name admin password btin3t
    dn-webedit
    time-webedit
    transfer-system full-consult
    secondary-dialtone 9
    create cnf-files version-stamp 7960 Jul 25 2006 14:09:58
    We do not have CUE.
    Any help would be appreciated.
    Thanks
    Glyn

    In reference to this part of your config:
    If you are using a hunt group, you need the following param:
    param aa-hunt1
    I would also try using a loopback address in your voip dial peer, rather than the H.323 physical IP address of your router.
    Here is the link with an example config:
    http://www.cisco.com/en/US/partner/products/sw/voicesw/ps4625/products_configuration_guide_chapter09186a00805f2305.html#wp1012136

  • Tcl script to shut and no shut interface

    Hi, I have a problem with DMVPN. I tried some configurations but none of them works.
    The problem is that a tunnel with IPsec protection does not support keepalives. I have one hub and one spoke: the spoke has two interfaces with dynamic IPs and the hub has one interface with a static IP, and the two devices have two GRE tunnels. The spoke has a track on the source and the backup command on the tunnels, one active and one for backup. When the active tunnel goes down (only the protocol, because the source is down/down), the other tunnel comes up and everything works. But when the active tunnel comes back, the VPN does not come up until the tunnel is shut down and brought back up manually. I would like to know if it is possible to shut and no shut the tunnel with a Tcl script when the source comes back (and, if it is possible, whether you could help me write the script).
    Thanks in advance.

    OK, thanks everybody, jaja, it's done. Solution: crypto maps on the interfaces, and do not put tunnel IPsec protection on the tunnel interface on the hub.
    DOC. DMVPN DUAL TIER ARCHITECTURE

  • Use of gset in CSM TCL Script

    Hello,
    I am trying to write a TCL script on a CSM (Code Ver 4.1) that retains the value of a variable between probe instances (so I can increment and check a variable in each probe attempt). Looking at the documentation, there is supposed to be a 'gset' command that does this, but I cannot make this work.
    The example says 'gset var 1 ; incr var'.
    I have several problems with this:
    1. I would think that this would set the value of var to 1 each time it runs and then increment it (maybe)
    2. How can I read the value of the persistent variable without it causing an error if it doesn't exist?
    3. It doesn't seem to work anyway as var doesn't appear in the Persistent Variables section of 'show mod csm x tech script'
    Any ideas on this or on where I can get some examples where the gset command is used?
    Many Thanks
    LP

    It works for me:
    I just added the gset and incr commands to the echo probe and I do see the counter increasing.
    gset counter 1
    # parse cmd line args and initialize variables
    puts "initializing variable 2"
    set EXIT_MSG "Error config: script ECHO_PROBE "
    incr counter
    puts "Counter: $counter"
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
    initializing variable 2
    Counter: 7
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.24:7: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.24:7: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.24:7: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.24:7: probe success
    initializing variable 2
    Counter: 7
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.24:21: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.24:21: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.24:21: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.24:21: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.24:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
    initializing variable 2
    Counter: 8
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.48:7: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.48:7: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.48:7: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.48:7: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.48:7: probe success
    initializing variable 2
    Counter: 8
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
    initializing variable 2
    Counter: 8
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.24:7: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.24:7: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.24:7: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.24:7: probe success
    initializing variable 2
    Counter: 8
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.24:21: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.24:21: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.24:21: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.24:21: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.24:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
    initializing variable 2
    Counter: 9
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.48:7: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.48:7: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.48:7: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.48:7: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.48:7: probe success
    initializing variable 2
    Counter: 9
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.48:21: opening socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: sending resquest string
    ECHO_PROBE_SCRIPT:192.168.30.48:21: receiving response
    ECHO_PROBE_SCRIPT:192.168.30.48:21: closing socket
    ECHO_PROBE_SCRIPT:192.168.30.48:21: probe failed : expect 'csm_test' but got '220 Welcome to Linux1 FTP service.'
    initializing variable 2
    Counter: 9
    Script start
    this is a csm echo request
    ECHO_PROBE_SCRIPT:192.168.30.24:7: opening socket

  • Problem : tcl script for filter IPSec cosmetic log

    Hi all, I would like some advice from anyone who has seen this case. I applied a Tcl script to filter out IPsec error logs that are cosmetic, because my site does not want to see these logs in the router log. I already created a Tcl script to filter them out. The script works, but it does more than that: it filters out other messages, not just the IPsec logs. I checked that the Cisco device supports the script. How can I fix this problem?
    Here are the details of my script and the IOS version of the router:
    script :
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-severity and mnemonic
    # Created on 05-Oct-2012.
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
        return ""
    return $::orig_msg
    ios router version :
    : c2800nm-adventerprisek9-mz.124-25f.bin
    : c2800nm-adventerprisek9-mz.124-7b.bin
    log information and configuration
    When I applied command:
    logging filter flash:VPN_Filter2.tcl
    logging buffered filtered 4096 debugging
    show log file:
    router#sh logg
    Syslog logging: enabled (11 messages dropped, 1 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering enabled)
        Console logging: level debugging, 18145 messages logged, xml disabled,
                         filtering disabled
        Monitor logging: level debugging, 428 messages logged, xml disabled,
                         filtering disabled
            Logging to: vty322(2)
        Buffer logging: level debugging, 0 messages logged, xml disabled,
                        filtering enabled (0 messages logged)
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
    Filter modules:
        flash:VPN_Filter2.tcl  
        Trap logging: level informational, 47011 message lines logged
            Logging to 10.145.0.25 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.41 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
            Logging to 10.247.17.45 (udp port 514, audit disabled, link up), 47011 message lines logged, xml disabled,
                   filtering disabled
    --More--                          
    Log Buffer (4096 bytes):
    router#
    If you have any more information, please tell me.
    Thank you for your advice

    It looks like your script has an error.  You have an extra '}'.  It should be:
    # VPN_Error.tcl  This script deletes all log messages about VPN error messages
    # The script will filter by combination between facility-serverity and mnemonic
    # Created on 05-Oct-2012.
    #
    set msgs [list {CRYPTO-4-RECVD_PKT_MAC_ERR} {VPN_HW-1-PACKET_ERROR} {CRYPTO-4-RECVD_PKT_NOT_IPSEC} {CRYPTO-4-PKT_REPLAY_ERR}]
    set fac_sev_mnem "${::facility}-${::severity}-${::mnemonic}"
    foreach msg $msgs {
        if { $msg == $fac_sev_mnem } {
            return ""
        }
    }
    return $::orig_msg
