Report interface loss based on OSPF neighbor loss

From CT3

Jump to: navigation, search

By Ivan Pepelnjak

Description A core router has numerous point-to-point GRE-over-IPSec tunnels with remote sites and runs OSPF with them. Tunnel keepalives are not used; the only means of detecting interface failure is through the OSPF neighbor loss events.

The network manager would like to deploy e-mail notification on interface loss events. These e-mails should include interface description to simplify troubleshooting. While the OSPF-5-ADJCHG syslog message includes the interface name, it does not include its description.

Solution The regular expressions available in EEM 3.0 are used to extract interface name from the syslog message and interface description from the show interface command output.

The EEM applet is triggered by the OSPF-5-ADJCHG syslog message. It extracts the interface name from the syslog message and executes show interface command to retrieve interface description. The interface name and its description are sent to the network operator with the action mail command.

This topic and numerous other EEM topics are covered in the EEM Workshop

Applet source code

event manager applet TunnelLost
 event syslog occurs 1 pattern "OSPF-5-ADJCHG.*on Tunnel.*FULL to DOWN" period 1
 action 100 regexp "on (Tunnel[0-9]+) from" "$_syslog_msg" match ifname
 action 200 if $_regexp_result eq 1
 action 210  cli command "show interface $ifname | include Description:"
 action 220  set desc "*"
 action 230  regexp "Description: (.*)\r" "$_cli_result" match desc
 action 240  puts "$ifname DOWN ($desc)"
 action 300  info type routername
 action 310  mail server "$_mail_smtp" to "$_mail_rcpt" from "$_info_routername@$_mail_domain" →
   subject "$ifname DOWN ($desc)" body "\n$_syslog_msg"
 action 400 end

Additional configuration

The EEM applet expects several EEM environmental variables described in the Send e-mail from EEM applets article. A sample configuration is included in the following printout: 

event manager environment _mail_smtp 10.17.0.2
!
event manager environment _mail_domain example.com
event manager environment _mail_rcpt operator@example.com

Sample execution

A tunnel interface has been configured on the test router:

Tunnel interface configuration

interface Tunnel0
 description T0 -> FxRouter
 ip unnumbered Loopback0
 ip ospf hello-interval 1
 ip ospf dead-interval 5
 ip ospf 1 area 22
 tunnel source FastEthernet1/0
 tunnel destination 10.2.1.2

The following syslog messages were generated and an e-mail was sent to the specified e-mail address after the destination IP address became unreachable: 

%OSPF-5-ADJCHG: Process 1, Nbr 10.0.1.2 on Tunnel0 from FULL to DOWN, Neighbor Down: Dead timer expired
%HA_EM-6-LOG: TunnelLost: Tunnel0 DOWN (T0 -> FxRouter)
Retrieved from "http://wiki.nil.com/Report_interface_loss_based_on_OSPF_neighbor_loss"