I wrote the script below to reload an ASA firewall. The script reloads the ASA 
firewall, but the fact that the reload has happened does not get passed back to 
Ansible. So the script waits forever until command_timeout occurs. I tried 
some alternate solutions and none of them worked:

   1. Changed connection type from network_cli to local but it didn't help.
   2. Removed asa_command module and used cli_command module with prompt 
      options but it didn't work.
   3. Changed command from "reload noconfirm" to "reload noconfirm in 01" but 
      it didn't help.
   4. Gave the 'reload noconfirm' using asa_config module but it didn't help.
   5. Ran script with -vvvv option but it didn't provide any useful insight. 
      Pasting output of the task when run with -vvvv below.
   
Please note the prompt option doesn't seem to exist for the asa_command module 
(like it exists for the ios_command module). So I had to use the 'reload noconfirm' 
command.



- name: RELOAD
  asa_command:
    commands: "reload noconfirm"
  vars:
    ansible_command_timeout: 180
    connection: local

- name: WAIT FOR FIREWALL TO REBOOT
  wait_for:
    host: "{{ ansible_host }}"
    port: 22
    delay: 180
    timeout: 4800
  delegate_to: localhost
--------------------------------------------------------

- name: run command expecting user confirmation
  cli_command:
    command: reload
    prompt: [confirm]
    answer: y
  vars:
    ansible_command_timeout: 300

--------------------------------------------------------------------
OUTPUT WHEN -VVVV IS ENABLED:

TASK [RELOAD] 
*****************************************************************************************************************************************************************************************************
task path: /root/AsaUpgradeSTANDALONE.yaml:121
redirecting (type: connection) ansible.builtin.network_cli to 
ansible.netcommon.network_cli
redirecting (type: terminal) ansible.builtin.asa to cisco.asa.asa
redirecting (type: cliconf) ansible.builtin.asa to cisco.asa.asa
<10.82.86.253> attempting to start connection
<10.82.86.253> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<10.82.86.253> found existing local domain socket, using it!
<10.82.86.253> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.82.86.253> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.82.86.253> updating play_context for connection
<10.82.86.253>
<10.82.86.253> local domain socket path is /root/.ansible/pc/217564bb08
redirecting (type: action) ansible.builtin.asa to cisco.asa.asa
redirecting (type: action) ansible.builtin.asa to cisco.asa.asa
<10.82.86.253> ANSIBLE_NETWORK_IMPORT_MODULES: disabled
<10.82.86.253> ANSIBLE_NETWORK_IMPORT_MODULES: module execution time may be extended
<10.82.86.253> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.82.86.253> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-99435r1nq464 `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061 `" && echo ansible-tmp-1634360158.3046613-10213-138442598470061="` echo /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061 `" ) && sleep 0'
redirecting (type: modules) ansible.builtin.asa_command to cisco.asa.asa_command
Using module file /root/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_command.py
<10.82.86.253> PUT /root/.ansible/tmp/ansible-local-99435r1nq464/tmppz_j513g TO /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061/AnsiballZ_asa_command.py
<10.82.86.253> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061/ /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061/AnsiballZ_asa_command.py && sleep 0'
<10.82.86.253> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061/AnsiballZ_asa_command.py && sleep 0'



<10.82.86.253> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-99435r1nq464/ansible-tmp-1634360158.3046613-10213-138442598470061/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_asa_command_payload_c2ij8p4i/ansible_asa_command_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 147, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/tmp/ansible_asa_command_payload_c2ij8p4i/ansible_asa_command_payload.zip/ansible/module_utils/connection.py", line 195, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [FW50]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authorize": null,
            "commands": [
                "reload noconfirm"
            ],
            "context": null,
            "interval": 1,
            "match": "all",
            "passwords": null,
            "provider": null,
            "retries": 10,
            "wait_for": null
        }
    },
    "msg": "command timeout triggered, timeout value is 900 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."
}

Regards,
Vikram
