Get Unlimited Access to our 786 Cisco Lessons Now Get $1 Trial
You are here: Home » Cisco » CCNP ENCOR 350-401

IP SLA and EEM Script

In our IP SLA lesson we explained how you can “measure” network performance by sending “probes” to remote devices. We also talked about EEM (Embedded Event Manager) which we can use for scripting on our IOS devices.

In this lesson we’ll take a look how to combine IP SLA and EEM. This can be useful as it allows you to perform certain actions when IP SLA reports a failure. For example, we can use this to produce custom syslog messages and send emails to the administrator.

Here’s the topology we will use:

R1 R2 Gigabit Links

We only need two routers to demonstrate this. IP SLA is configured on R1 which sends ICMP echoes to R2.

Configuration

Here’s what the IP SLA configuration looks like:

R1#show running-config | begin ip sla
ip sla 1
 icmp-echo 192.168.12.2
 frequency 10
ip sla schedule 1 life forever start-time now

It’s a simple configuration where R1 will keep sending ICMP echoes to R2 forever. To combine IP SLA with EEM, we’ll need to track it somehow. We can do this with object tracking:

R1(config)#track 1 ip sla 1 reachability

Above we created a new object that will track IP SLA 1. We can now track the status of this object with EEM:

R1(config)#event manager applet TRACK_IP_DOWN
R1(config-applet)#event track 1 state down
R1(config-applet)#action 1.0 syslog msg "IP SLA 1 is down"
R1(config-applet)#action 2.0 mail server "smtp.mailserver.local" to "support@networklessons.com" from "support@networklessons.com" subject "IP SLA 1 is down" body "IP SLA 1 is not receiving ICMP echo replies anymore"

As soon as the object goes down, EEM will perform two actions:

  • We produce a syslos message which says “IP SLA 1 is down”.
  • We send an e-mail to e-mail server “smtp.mailserver.local” using the email addresses, subject and body that I specified above.

We’ll also configure an action that will be performed when the object is up again:

R1(config)#event manager applet IP_SLA_1_UP
R1(config-applet)#event track 1 state up
R1(config-applet)#action 1.0 syslog msg "IP SLA 1 is up"

Once the object is up, we will generate a syslog message. Let’s verify our work…

Verification

To test our work we need to trigger a failure. When our IP SLA ICMP echoes are replied, the “successes” counter will increase. When we don’t get a reply to our ICMP echoes then the “failures” counter will increase:

R1#show ip sla statistics 
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 3 milliseconds
Latest operation start time: 10:16:41 UTC Thu Feb 18 2016
Latest operation return code: OK
Number of successes: 56
Number of failures: 0
Operation time to live: Forever

The most simple way to simulate a failure is to shut one of the interfaces. You can also configure IP SLA so that it will trigger a failure when certain thresholds are exceeded (for example when the RTT exceeds a certain value).

I’ll shut one of the interfaces but before we do this, let’s enable some EEM debugging:

R1#debug event manager action cli
Debug EEM action cli debugging is on
R1#debug event manager action mail
Debug EEM action mail debugging is on

Now we will shut the interface on R2:

R2(config)#interface GigabitEthernet 0/1
R2(config-if)#shutdown

Here’s what happens on R1:

R1#
%TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
%HA_EM-6-LOG: IP_SLA_1_DOWN: IP SLA 1 is down

The first message is produced by object tracking. It notices that IP SLA has reported a failure. The second message is produced by EEM and it’s the first action that we configured, the syslog message.

Here’s the second EEM action:

R1#
%HA_EM-6-LOG: fh_send_mail:  : DEBUG(smtp_lib) : <?xml version="1.0" encoding="UTF-8" ?><fh_smtp_args><fh_smtp_port>25</fh_smtp_port><fh_smtp_secure>0</fh_smtp_secure></fh_smtp_args>
%HA_EM-6-LOG: IP_SLA_1_DOWN : DEBUG(smtp_lib) : smtp_connect_attempt: 1

Above you can see that EEM is attempting to send the email. I don’t have any mailservers that are reachable but this proves that the EEM action is working.

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device.

R1

hostname R1
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
 ip address 192.168.12.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
ip sla 1
 icmp-echo 192.168.12.2
 frequency 10
ip sla schedule 1 life forever start-time now
!
event manager applet IP_SLA_1_DOWN
 event track 1 state down
 action 1.0 syslog msg "IP SLA 1 is down"
 action 2.0 mail server "smtp.mailserver.local" to "support@networklessons.com" from "support@networklessons.com" subject "IP SLA 1 is down" body "IP SLA 1 is not receiving ICMP echo replies anymore"
event manager applet IP_SLA_1_UP
 event track 1 state up
 action 1.0 syslog msg "IP SLA 1 is up"
!
end

R2

hostname R2
!
interface GigabitEthernet0/1
 ip address 192.168.12.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
control-plane
!
end

Conclusion

Combining IP SLA and EEM works very well and it might be a wise idea to implement this. With the actions that EEM offers we can be notified immediately when IP SLA is having any issues. I hope this has been useful, if you have any questions feel free to leave a comment in our forum.

Tags: ,

Forum Replies

  1. This shows how to send one alert when the ping fails. But how would configure to send recurring alerts - for example every hour while the ping is failing ?

  2. Hello Charles

    The EEM scripting language is quite detailed and powerful and is able to implement various configurations including periodically sending an update of the status of a specific value. This is done using the Watchdog periodic timer event. You can find out more about this at this Cisco link:

    https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/monitor-eem.html#73834

    For a general command reference of EEM you can see the following link:

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/eem/configuration/xe-3

    ... Continue reading in our forum

  3. Thanks for the replay. I discovered from reading the documentation and opening a Cisco TAC ticket that i cannot send multiple alerts on the back of one snmp trap. I will check with Solarwinds our monitoring system if there is a way to do this.

    From Cisco TAC :slight_smile: there is no way to generate more than alert for the same event, because the alert is already triggered by the syslog, and if only one sysreport generated this will send only one alert,

  4. Hello Charles

    That’s great info, thanks for sharing your experience. It is appreciated!

    Laz

  5. Hello,
    I am using EEM to track an IP SLA and in case it’s DOWN, I would want to send an SNMP-TRAP to NMS. IP SLA and Track works perfectly, however, the SNMP traps are not being sent. Please review my code and advise if I am missing something. Thanks.

    rt-1#debug snmp packets
SNMP packet debugging is on

rt-1#sho run | s event
snmp-server enable traps event-manager
event manager applet TRACK_IP_DOWN
 event track 1 state down
 action 1.0 syslog msg "IP SLA 100 is down"
 action 2.0 mail server "smtp-1.local" to "networkadmins@local" from "no-reply@local" subject "
    ... Continue reading in our forum

11 more replies! Ask a question or join the discussion by visiting our Community Forum