You are missing a bit more specifics on your event definition… It just doesn’t match a reaction event from IP SLA.


If you look here:



You can see that there are quite a few options to set what exactly you want to trigger on with regards to IP SLA.

I think you have to define reactions or triggers to match on IP SLA related events (events being state transitions… up to down, down to up, threshold limits, etc)


To be honest, I got best results from EEM and IP SLA by EEM matching on the syslog messages IP SLA produces…



working on an EEM script which is triggered by an IP SLA down

> state on an ASR1000 running IOS-XE 3.11.1S.  While the IP SLA entry

> detects the state properly, the EEM does not trigger.  I’m not finding

> anything relevant on the bug toolkit, and I am not seeing anything

> with my Google-fu.


> Here’s the configuration:


> ip sla 1

>   icmp-echo source-ip

>   vrf GREEN

>   tag SITE-DOWN

>   frequency 5

> ip sla schedule 1 life forever start-time now !

> event manager applet SITE-DOWN

>   description Site is down

>   event ipsla operation-id 1

>   action 1.0 syslog priority critical msg “ALERT: Site is down”

> !


> And here is what I see when I look the status of the IP SLA entry and

> the EEM entry.  IP SLA looks fine, the EEM isn’t triggering despite

> being registered.



> rtr5#sh ip sla statistics 1

> IPSLAs Latest Operation Statistics


> IPSLA operation id: 1

>         Latest RTT: NoConnection/Busy/Timeout Latest operation start

> time: 11:42:21 EST Mon Jan 18 2016 Latest operation return code:

> Timeout Number of successes: 0 Number of failures: 301 Operation time

> to live: Forever !

> rtr5#sh event manager policy registered

> No.  Class     Type    Event Type          Trap  Time Registered

>     Name

> 1    applet    user    ipsla               Off   Mon Jan 18 11:24:46

> 2016  SITE-DOWN

>   operation-id {1}

>   maxrun 20.000

>   action 1.0 syslog priority critical msg “ALERT: Site is down”

> !

> rtr5sh event manager statistics policy


>                                         Average        Maximum

> No.  Class     Triggered   Suppressed  Run Time       Run Time       Name


> ——————————————————————————-

> 1    applet    0           0           0.000          0.000


event {} ipsla




>(Specifically what I’m looking for is something that hooks into IP SLA

>or Ethernet OAM/CFM and takes a link out of IGP routing if packet loss

>crosses a certain threshold – we recently had a carrier break their

>metro network in interesting ways, leading to 50% packet loss, which

>was enough to effectively take the site offline, but IGP stubbornly

>clung to “I have seen a keepalive!”)


something like this could get you started, Gert?


1) Trigger based on SNMP interface error counters.

Rate is always calculated per second. Average factor identifies number of data points (one for each poll-interval) will be averaged for calculation of rate. Average factor needs to be a minimum of 2.


event manager applet INTERFACE-ERROS trap event snmp oid ifEntry.14.XX get-type exact entry-op ge entry-val 10 entry-type rate average-factor 2 poll-interval 5 action 20.0 syslog msg “disabling Gigxxx due to errors”

action 30.0 cli command “enable”

action 30.1 cli command “config terminal”

action 40.0 cli command “interface Gig XX”

action 50.0 cli command “ip ospf cost 9999”

action 60.0 cli command “end”


and a reverse to reduce the cost back in case error rates falls below a threshold?


you can also trigger based on IP-SLA, for example below trigger


2) Trigger based on RTT delay mib:

Use RTT delay mib associated with RTR probes to trigger when the delay is too long. rttMonLatestJitterOperRTTSum shows the sum of delays for probes sent during the last interval. By default 10 probes are sent. To trigger on 10ms RTT delay trigger value must be set below 100.


event manager applet TEST3-SNMP-RTT-Delay trap event snmp oid rttMonLatestJitterOperRTTSum.1 get-type exact entry-op ge entry-val 90 entry-type value exit-op le exit-val 20 poll-interval 10 […]


for Ethernet OAM/CFM, you could hook EEM into the syslog messages produced by the syslog? You can also parse the syslog string using regexp, check the applet I found somewhere:


event manager applet TunnelLost

event syslog occurs 1 pattern “OSPF-5-ADJCHG.*on Tunnel.*FULL to DOWN”

period 1

action 100 regexp “on (Tunnel[0-9]+) from” “$_syslog_msg” match ifname  action 200 if $_regexp_result eq 1  action 210  cli command “show interface $ifname | include Description:”