2014/10/09

Automatic connectivity test on the router with EEM

Did you ever want to run a constant connectivity test against several hosts on the Internet from the router itself? You can use the Embedded Event Manager (EEM) for the task. EEM is part of the IOS software. In this post I will show how to combine an EEM applet with a TCL script to do it.

First you need to create the TCL script that performs the connectivity test. You can find it below.

Router#more ping.tcl
# Hosts to probe; add as many as you like, one braced element per host
set hosts {
{4.2.2.1}
{8.8.8.8}
{8.8.4.4}
}
set counter 0
set success_counter 0
set failed_hosts ""

foreach ip $hosts {
    incr counter 1
    # exec runs the IOS exec command and returns its output as a string
    set result [exec ping $ip]
    puts $result
    # three consecutive "!" means at least three replies in a row
    if {[regexp {!!!} $result]} {
        incr success_counter 1
    } else {
        puts $ip
        set failed_hosts "$failed_hosts  $ip"
    }
}

set msg_output "Success rate $success_counter/$counter. Failed hosts: $failed_hosts"
# Hand the text to the applet through an EEM environment variable in the
# running config. ios_config is called directly: wrapping it in square
# brackets would try to execute its (empty) return value as a command.
ios_config "event manager environment syslog_msg_output $msg_output"

Let me first explain the flow of the script. The hosts variable is set with set hosts { ... }; you can list as many Internet hosts as you want. After that three more variables are initialized. In the main part of the script a ping is run for every host. If the output contains at least three consecutive "!" (three replies in a row), the test counts as successful and success_counter is increased; otherwise the host is appended to failed_hosts. After the loop the text of the syslog message is built. The last step calls ios_config to add an event manager environment variable to the running config of the router. The variable is named syslog_msg_output and its value is the msg_output string; this is how the script hands its result over to the applet.

After the script is created and saved to the flash of the router, you need to tell the router what to do with it. Add the following commands to the running config. Keep in mind that a script started from an EEM applet runs with full privilege 15 rights, so guard write access to flash and to the applet configuration as carefully as enable access: whoever can replace ping.tcl gets code execution on the router every five minutes.

event manager applet PING_TEST
 event timer watchdog time 300 maxrun 250
 action 0.5 cli command "enable"
 action 1.0 cli command "tclsh flash:ping.tcl"
 action 2.0 syslog msg "$syslog_msg_output$"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "no event manager environment syslog_msg_output"
 action 5.0 cli command "end"
 action 6.0 cli command "exit"


Let me explain what the commands above mean. First create the event manager applet; I have named it PING_TEST. Next specify when the applet runs: this one runs every 300 seconds and is allowed to run for at most 250 seconds. Tune these timers so that the script finishes before maxrun expires. The default maxrun is only 20 seconds, and a default IOS ping to an unreachable host (five packets, two-second timeout) takes about ten seconds, so three dead hosts already exceed it. After the event timer you list the actions. "tclsh flash:ping.tcl" runs the script, and syslog msg "$syslog_msg_output$" creates the syslog message from the event manager environment variable syslog_msg_output. Only the leading $ is the variable reference; the trailing $ is a literal character and appears at the end of every message, so drop it if you do not want it there. After the message is sent the applet removes the variable from the running config, ends and exits. Note that the script and the applet together change the running config twice per run, which shows up in configuration-change logging and archive diffs.

It is time to test whether the script works as expected. Check the logging buffer; you should see messages like this:

 %HA_EM-6-LOG: PING_TEST: Success rate 3/3. Failed hosts: $

If any host fails, it is listed under failed hosts and the success rate is adjusted accordingly.
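The messages above are only useful once something looks at them. As an added example (mine, not part of the original post, and written for a syslog collector rather than for the router), here is Python that parses the %HA_EM-6-LOG lines the PING_TEST applet emits, tolerates the literal trailing $, and flags hosts that are missing from several consecutive runs instead of alerting on every lost probe. The log lines are constructed to match the message format shown above; the applet name and the hosts are the ones from the script.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample syslog lines, modelled on the %HA_EM-6-LOG message the
# PING_TEST applet emits (not real router output). The trailing "$" is the
# literal character left by the applet's syslog msg "$syslog_msg_output$".
SAMPLE_LOG = """\
*Oct  9 10:05:01.123: %HA_EM-6-LOG: PING_TEST: Success rate 3/3. Failed hosts: $
*Oct  9 10:10:01.456: %HA_EM-6-LOG: PING_TEST: Success rate 2/3. Failed hosts:   8.8.8.8$
*Oct  9 10:15:01.789: %HA_EM-6-LOG: PING_TEST: Success rate 1/3. Failed hosts:   4.2.2.1  8.8.8.8$
*Oct  9 10:15:02.000: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Matches the message body; the optional "\$?" swallows the literal trailing "$".
PING_TEST_RE = re.compile(
    r"%HA_EM-6-LOG: (?P<applet>\w+): "
    r"Success rate (?P<ok>\d+)/(?P<total>\d+)\. "
    r"Failed hosts:(?P<failed>[^$]*)\$?\s*$"
)


@dataclass
class PingResult:
    applet: str
    ok: int
    total: int
    failed: List[str] = field(default_factory=list)

    @property
    def success_rate(self) -> float:
        return self.ok / self.total if self.total else 0.0


def parse_line(line: str) -> Optional[PingResult]:
    """Return a PingResult for a PING_TEST syslog line, None for anything else."""
    m = PING_TEST_RE.search(line)
    if not m:
        return None
    return PingResult(m["applet"], int(m["ok"]), int(m["total"]), m["failed"].split())


def parse_log(text: str) -> List[PingResult]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def below_threshold(results: List[PingResult], min_rate: float = 1.0) -> List[PingResult]:
    """Runs whose success rate dropped under min_rate (1.0 = any failure at all)."""
    return [r for r in results if r.success_rate < min_rate]


def persistent_failures(results: List[PingResult], runs: int = 2) -> Set[str]:
    """Hosts that failed in every one of the last `runs` test runs.

    A single lost probe every five minutes is usually noise; a host missing
    from several consecutive runs is worth an alert.
    """
    window = results[-runs:]
    if len(window) < runs:
        return set()
    return set.intersection(*[set(r.failed) for r in window])


if __name__ == "__main__":
    results = parse_log(SAMPLE_LOG)
    for r in results:
        print(f"{r.applet}: {r.ok}/{r.total} ok, failed={r.failed}")
    print("persistently failing:", sorted(persistent_failures(results)))
```

Feed it the collector's log stream instead of SAMPLE_LOG; the regex keys on the applet name, so a second applet with different hosts can reuse the same parser.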

You are free to use this script in your environment. I hope you will find it useful.

2014/05/13

Automatic Anyconnect VPN connection on untrusted networks

Remote workers often need a VPN connection that comes up automatically whenever they are outside the company network. You can use an ASA with the AnyConnect client to deploy such a solution. In this blog post I will show how to configure a Cisco ASA to support AnyConnect for this deployment. Certificates will be used for authentication.

The first step is to configure the SSL VPN server on the Cisco ASA to use certificates for authentication. I will skip the certificate issuing procedure. Below you will find a basic SSL VPN configuration for the ASA.

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
 anyconnect enable

ssl trust-point SSLVPN_CERT outside

group-policy SSLVPN_GP attributes
 dns-server value 192.168.1.10 192.168.1.11
 vpn-filter value SSLVPN_FW
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN_SPLIT
 default-domain value example.com
 address-pools value SSLVPN_POOL

tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 default-group-policy SSLVPN_GP
tunnel-group SSLVPN_TG webvpn-attributes
 authentication certificate
 group-url https://vpn.example.com/auto enable


This is the basic SSL VPN configuration and you can already try connecting to the outside interface. Note that authentication certificate on its own accepts any client certificate that validates against a trustpoint configured on the ASA; if that CA also issues certificates for other purposes, restrict the tunnel group to the intended issuer with a certificate map. The next step is an AnyConnect profile that carries the policy for automatic VPN connection on untrusted networks. You create the profile in ASDM.

When you are connected to the ASA with ASDM, click Configuration -> Remote Access VPN -> Network (Client) Access -> AnyConnect Client Profile. Here you can add a new AnyConnect profile. Click Add, choose a Profile Name and Profile Location, and optionally attach the profile to the group policy created in the previous step (this can also be done later with the commands below). Click OK and Apply.

group-policy SSLVPN_GP attributes
 webvpn
  anyconnect profiles value AUTO type user


Now double click on the profile that has been created and configure profile.

Preference (Part 1)

  • Select User as the certificate store, so the client looks for the user certificate rather than a machine certificate.


Preference (Part 2)
  • Uncheck Disable Automatic Certificate Selection, which makes AnyConnect pick the correct certificate on its own.
  • Check Automatic VPN Policy and select Disconnect for Trusted Network Policy and Connect for Untrusted Network Policy. You must also enter the DNS domain name of your trusted network and should add the trusted DNS servers. Keep in mind that trusted network detection keys on the DNS suffix and DNS server addresses the client picks up from the network, which any network can hand out; a hostile network can imitate them and keep the client off the VPN, so treat the Disconnect policy as a convenience rather than a security boundary.

Certificate Matching
  • On this tab you configure which certificate the client presents to the SSL VPN server. I have selected ISSUER-CN, so the client picks the certificate issued by our CA even when other certificates are in the store.



Server List
  • You must add at least one server, otherwise Certificate Matching is ignored. Use the same display name and host address as in the tunnel-group's group-url.


After all this is configured you are ready to test the connection. First connect with AnyConnect manually, so that the client downloads the profile. Then move to an untrusted network and check that AnyConnect connects automatically.
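Because the screenshots of the ASDM profile editor are not reproduced here, the following added example (mine, not the author's and not a Cisco tool) builds the AnyConnect profile XML that the four steps above produce and checks a profile against the same rules: certificate store User, automatic certificate selection on, Trusted Network Policy Disconnect and Untrusted Network Policy Connect, trusted DNS domains present, and a non-empty Server List whenever Certificate Matching is configured. The element names follow the AnyConnect 3.x profile format as I know it; verify the structure against a profile exported from the ASA before deploying it. The issuer name "Example Corp Issuing CA" is an assumed value; vpn.example.com, the user group "auto" (the path of the group-url) and the DNS servers are taken from the configuration above.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Sequence, Tuple

# Default namespace of AnyConnect profiles (assumed to match what the ASDM
# profile editor writes; check against an exported profile).
NS = "http://schemas.xmlsoap.org/encoding/"


def _sub(parent: ET.Element, tag: str, text: Optional[str] = None, **attrs: str) -> ET.Element:
    e = ET.SubElement(parent, tag, attrs)
    if text is not None:
        e.text = text
    return e


def build_profile(hosts: Sequence[Tuple[str, str, str]], issuer_cn: str,
                  trusted_domains: Sequence[str], trusted_dns_servers: Sequence[str],
                  cert_store: str = "User") -> ET.Element:
    """Build the profile described by the ASDM steps in the post.

    hosts: (display name, host address, user group) per Server List entry; the
    user group is the path component of the tunnel-group's group-url.
    """
    root = ET.Element("AnyConnectProfile", {"xmlns": NS})
    init = _sub(root, "ClientInitialization")
    # Preferences (Part 1): certificate store
    _sub(init, "CertificateStore", cert_store)
    # Preferences (Part 2): ASDM's "Disable Automatic Certificate Selection"
    # left unchecked corresponds to AutomaticCertSelection = true
    _sub(init, "AutomaticCertSelection", "true", UserControllable="false")
    # Trusted Network Detection: disconnect on trusted, connect on untrusted
    avp = _sub(init, "AutomaticVPNPolicy", "true")
    _sub(avp, "TrustedDNSDomains", ",".join(trusted_domains))
    _sub(avp, "TrustedDNSServers", ",".join(trusted_dns_servers))
    _sub(avp, "TrustedNetworkPolicy", "Disconnect")
    _sub(avp, "UntrustedNetworkPolicy", "Connect")
    # Certificate Matching: select the certificate issued by our CA (ISSUER-CN)
    cm = _sub(root, "CertificateMatch")
    dn = _sub(cm, "DistinguishedName")
    d = _sub(dn, "DistinguishedNameDefinition", Operator="Equal",
             Wildcard="Disabled", MatchCase="Enabled")
    _sub(d, "Name", "ISSUER-CN")
    _sub(d, "Pattern", issuer_cn)
    # Server List: required, otherwise the client ignores CertificateMatch
    sl = _sub(root, "ServerList")
    for name, address, group in hosts:
        he = _sub(sl, "HostEntry")
        _sub(he, "HostName", name)
        _sub(he, "HostAddress", address)
        _sub(he, "UserGroup", group)
    return root


def to_xml(root: ET.Element) -> str:
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_profile_xml(xml_text: str) -> List[str]:
    """Return the ways a profile deviates from the policy in this post (empty = OK)."""
    root = ET.fromstring(xml_text.encode("utf-8"))

    def text(path: str) -> str:
        e = root.find(path)            # "{*}" matches the default namespace
        return (e.text or "").strip() if e is not None else ""

    init = "{*}ClientInitialization/"
    avp = init + "{*}AutomaticVPNPolicy"
    issues: List[str] = []
    if text(init + "{*}CertificateStore") != "User":
        issues.append("CertificateStore is not User")
    if text(init + "{*}AutomaticCertSelection") != "true":
        issues.append("AutomaticCertSelection is disabled")
    if text(avp) != "true":
        issues.append("AutomaticVPNPolicy is off")
    if text(avp + "/{*}TrustedNetworkPolicy") != "Disconnect":
        issues.append("TrustedNetworkPolicy is not Disconnect")
    if text(avp + "/{*}UntrustedNetworkPolicy") != "Connect":
        issues.append("UntrustedNetworkPolicy is not Connect")
    if not text(avp + "/{*}TrustedDNSDomains"):
        issues.append("TrustedDNSDomains is empty: no network is ever trusted")
    if root.find("{*}CertificateMatch") is not None and not root.findall("{*}ServerList/{*}HostEntry"):
        issues.append("CertificateMatch set but ServerList is empty, so matching is ignored")
    return issues


if __name__ == "__main__":
    profile = to_xml(build_profile(
        hosts=[("vpn.example.com", "vpn.example.com", "auto")],
        issuer_cn="Example Corp Issuing CA",        # assumed CA common name
        trusted_domains=["example.com"],
        trusted_dns_servers=["192.168.1.10", "192.168.1.11"]))
    print(profile)
    print("issues:", check_profile_xml(profile))
```

Run check_profile_xml against the profile the ASA actually serves (the file referenced by anyconnect profiles value in the group policy) to confirm the ASDM clicks produced what you intended; an empty Server List is the mistake the post warns about and is easy to miss in the editor.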