I am trying to write a script for the IOS upgrade of an active-standby ASA 
firewall (failover pair).

Two firewalls are configured as an active-standby pair for failover 
purposes, which means that if the active firewall goes down, the standby 
firewall automatically becomes active and also takes over the IP of the 
active firewall, and this is what creates a hurdle in writing a script for 
the ASA.

Below is the script I have written for routers, which is working 
successfully, but I am facing a challenge in writing a similar script for 
the ASA firewall. I have given the portion where the script waits for the 
router to come back up after the reboot and then checks whether the image 
was successfully upgraded. But when I upgrade and reboot the active 
firewall, the standby firewall would immediately become active, and the 
script would detect the wrong device to be up and would check the IOS image 
of the wrong device.

I thought of writing multiple plays within the same playbook, wherein the 
1st play would end after the reboot and the 2nd play would check the standby 
device (the active would have become standby after the reboot, since the 
earlier standby took over as active), but the issue is that the firewall may 
take anywhere between 10-50 mins to reboot and come back up. So my 2nd play 
would fail immediately unless I use the wait_for module for a certain number 
of minutes before continuing with the 2nd play. The downside to this 
approach is that many times the firewall would come back earlier than the 
time set in the wait_for module, and precious time is wasted.


      # Save the running configuration before the reload
      - name: WRITE TO MEMORY
        ios_config:
          save_when: always
        vars:
          ansible_command_timeout: 180

      # Answer the reload confirmation prompt with 'y'
      - name: RELOAD DEVICE
        ios_command:
          commands:
            - command: 'reload'
              prompt: '[confirm]'
              answer: 'y'
        vars:
          ansible_command_timeout: 180

      # Poll SSH from the control node: first check after 300 s,
      # give up after 4800 s
      - name: WAIT FOR ROUTER TO REBOOT
        wait_for:
          host: "{{ ansible_host }}"
          port: 22
          delay: 300
          timeout: 4800
        delegate_to: localhost

      - name: GATHER NEW DEVICE FACTS
        ios_facts:

      # Fail the play unless the device now reports the target version
      - assert:
          that:
            - ansible_net_version is version('16.12.04', '==')
          fail_msg: "IMAGE WAS NOT UPGRADED. PLAYBOOK IS ENDING"
          success_msg: "IMAGE HAS BEEN SUCCESSFULLY UPGRADED"


Thanks,

Vikram
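
One way to handle the wait described above, as an added example that is not part of the original post: connect to the IP that follows the active unit, poll `show failover` until the reloaded peer reports Standby Ready, then check the Mate version. It assumes the cisco.asa collection, a hypothetical inventory group `asa_pair` pointing at the pair's active IP (with credentials and enable settings in inventory), and a placeholder `target_version`.

```yaml
# Added example, not from the original post. Assumptions: the cisco.asa
# collection is installed, the hypothetical inventory group "asa_pair" holds
# the pair's active IP, and target_version is a placeholder you replace.
- name: VERIFY THE RELOADED ASA UNIT THROUGH ITS FAILOVER PEER
  hosts: asa_pair
  gather_facts: false
  connection: ansible.netcommon.network_cli
  vars:
    ansible_network_os: cisco.asa.asa
    ansible_command_timeout: 180
    target_version: "REPLACE_WITH_TARGET_ASA_VERSION"
  tasks:
    # The active IP moves to the surviving unit, so SSH answers again quickly.
    - name: WAIT FOR THE ACTIVE IP TO ANSWER AFTER FAILOVER
      wait_for:
        host: "{{ ansible_host }}"
        port: 22
        delay: 30          # assumed settle time for the failover itself
        timeout: 300
      delegate_to: localhost

    # Poll every 10 s for up to 60 min and stop as soon as the peer is back.
    - name: WAIT FOR THE RELOADED UNIT TO REJOIN AS STANDBY
      cisco.asa.asa_command:
        commands:
          - show failover
        wait_for:
          - 'result[0] contains "Standby Ready"'
        retries: 360
        interval: 10
      register: show_fo

    # "Version: Ours <x>, Mate <y>": Mate is the unit that was just reloaded.
    - name: EXTRACT THE VERSION OF THE RELOADED (MATE) UNIT
      set_fact:
        mate_version: >-
          {{ (show_fo.stdout_lines[0] | select('search', 'Version: Ours')
              | first).split('Mate ')[-1] | trim }}

    - name: CONFIRM THE RELOADED UNIT RUNS THE TARGET IMAGE
      assert:
        that:
          - mate_version == target_version
        fail_msg: "IMAGE WAS NOT UPGRADED. PLAYBOOK IS ENDING"
        success_msg: "IMAGE HAS BEEN SUCCESSFULLY UPGRADED"
```

Run it as a separate play after the reload task so that a fresh connection is opened to the unit that took over.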
