Cisco IP SLA - How to generate SYSLOG messages for IP SLA status changes.

Just a quick one. Say you want to collect basic statistics about Internet connectivity disruptions: you would configure an IP SLA operation towards the carrier's router (your default gateway) and enable logging to the buffer. By default, IOS does not generate SYSLOG messages for IP SLA status changes; you have to configure a track object. Here is an example.

ip sla 1
 icmp-jitter 192.168.1.2 source-ip 192.168.1.1 num-packets 3 interval 2000
  threshold 2000
  timeout 3000
  frequency 10
  exit
ip sla schedule 1 life forever start-time now

track 1 ip sla 1

logging buffered

BTW, I chose icmp-jitter type because it has better flexibility than icmp-echo. So, you will get the following result:

Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Down->Up
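
To turn these messages into the disruption statistics mentioned at the start, the logging buffer can be parsed offline. The Python script below is an added example, not part of the original post; the function names, the year argument and every sample line after the first two are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Tolerates a leading "*" or "." (clock not authoritative / not NTP-synced) and a timezone label.
LINE_RE = re.compile(
    r"^[*.]?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)(?: \w+)?: "
    r"%TRACKING-5-STATE: (?P<track>\d+) ip sla \d+ "
    r"(?:state|reachability) \w+->(?P<new>\w+)"
)

def downtime_stats(lines, year):
    """Per track ID: completed outage durations and the start of an outage still open.
    The timestamps carry no year, so the caller supplies one (assumption)."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog message
        ts = " ".join(m["ts"].split())  # "Apr  8" -> "Apr 8"
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
        when = datetime.strptime(f"{year} {ts}", fmt)
        entry = stats.setdefault(int(m["track"]), {"durations": [], "down_since": None})
        if m["new"] == "Down" and entry["down_since"] is None:
            entry["down_since"] = when  # keep the first Down if it is repeated
        elif m["new"] == "Up" and entry["down_since"] is not None:
            entry["durations"].append(when - entry["down_since"])
            entry["down_since"] = None
    return stats

def summarize(lines, year):
    """Per track ID: outage count, total and longest completed downtime."""
    return {t: {"outages": len(e["durations"]) + (e["down_since"] is not None),
                "total_down": sum(e["durations"], timedelta()),
                "longest": max(e["durations"], default=timedelta()),
                "still_down_since": e["down_since"]}
            for t, e in downtime_stats(lines, year).items()}

# Constructed sample: the first two lines are from the post, the rest are made up.
SAMPLE = """\
Apr  8 07:05:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
Apr  8 07:06:41.363: %TRACKING-5-STATE: 1 ip sla 2 state Down->Up
Apr  8 07:30:02.101: %SYS-5-CONFIG_I: Configured from console by console
*Apr  8 09:15:10.000: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
*Apr  8 09:15:40.500: %TRACKING-5-STATE: 1 ip sla 2 state Down->Up
Apr  8 11:00:00.000: %TRACKING-5-STATE: 1 ip sla 2 state Up->Down
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE, year=2024))
```

An outage that has no matching Up line by the end of the buffer is counted and reported under still_down_since, but it does not contribute to the total or longest downtime.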

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:26:00
  Latest operation return code: OK
  Latest RTT (millisecs) 52
Router#

We can go further and configure EEM to send us an email when the status changes:

conf t

event manager applet Mail_Track_SLA_1
 event track 1 state any
 action 1.0 mail server "192.168.1.1" to "alexey@example.com" from "Router@example.com" subject "IP SLA1 status" body "IP SLA1 status has changed"

Show command for verification:

Router#show track
Track 1
  IP SLA 1 state
  State is Up
    5 changes, last change 01:38:24
  Latest operation return code: OK
  Latest RTT (millisecs) 48
  Tracked by:
    EEM applet Mail_Track_SLA_1
Router#

EEM applet for collecting traceroute after IP SLA down

Here is a simple example of how to use an EEM applet to collect a traceroute after the IP SLA state goes DOWN.

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 syslog msg "--- Event detected ---"
 action 002 cli command "enable"
 action 003 puts "--- Executing: ping 8.8.8.8 ---"
 action 004 cli command "ping 8.8.8.8"
 action 005 puts "$_cli_result"
 action 006 puts "--- Executing: traceroute 8.8.8.8 ---"
 action 007 cli command "traceroute 8.8.8.8 numeric timeout 1 probe 2 ttl 1 25"
 action 008 puts "$_cli_result"
 action 009 puts "--- Action finished ---"

Notes:
• “enable” mode is required if you want to use advanced parameters for traceroute.
• You will see all the output in the monitor (terminal monitor) and in the logging buffer. Syslog messages will NOT be generated. If you need to send all the output as syslog messages, read this thread (replace action … puts "$_cli_result" with action … syslog msg "$_cli_result").
• “maxrun 90” is required: the default runtime limit is 20 seconds, and the traceroute command sometimes takes much longer to complete. Otherwise you will not get the result, and the debugs will say the following:

... EEM policy APPLET_NAME has exceeded it's elapsed time limit of 20.0 seconds

There is an issue with Cisco IOS: it uses UDP for traceroute, so in most cases you will not see all hops. The best way is to use ICMP, which Cisco IOS does not support. You can use Linux or Windows to create a script or, if you have a Cisco ASA in your network, modify the EEM applet to connect to the ASA and run traceroute with use-icmp. BTW, ASA version 9.2.1 and later supports EEM - proof link.

• We have to use nested quotes, but EEM 3.20 does not support them. The workaround is an EEM environment variable that holds the quote character.
• During the tests, I figured out that it works only for a remote connection to Cisco IOS; Cisco ASA does not work that way. You can find more here.

event manager environment quote "

event manager applet APPLET_NAME
 event track 13 state down maxrun 90
 action 001 puts "--- Event detected ---"
 action 002 cli command "ssh -l USERNAME 10.1.1.1 $quote traceroute 8.8.8.8 numeric use-icmp $quote" pattern "word:"
 action 003 cli command "PASSWORD"
 action 004 puts "$_cli_result"
