cisco.asa
Privilege escalation failed when executing a command against a Cisco firewall
Summary
Hi folks,
I encountered an issue related to a Cisco ASA firewall: I was told that a command timeout was triggered when running the ansible-playbook command. Here is the environment info:
- OS: Ubuntu 22.04.2 LTS
- Ansible version: core 2.14.6
- Python: 3.10.6
I see the following timeout error message when I choose libssh as my SSH connection module:
fatal: [ASA]: FAILED! => {
    "changed": false,
    "module_stderr": "command timeout triggered, timeout value is 30 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide.",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
There is a different error message when I choose paramiko:
fatal: [DEGT-ASA-1]: FAILED! => {
    "changed": false,
    "module_stderr": "unable to elevate privilege to enable mode",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
I think the key problem here is that it fails to enter enable mode when connecting, because the same playbook works properly when I try it with ansible_become: false.
Please find the configuration below:
# vars.yml
---
ansible_host: '192.168.1.10'
ansible_user: '{{ username }}'
ansible_password: '{{ password }}'
#ansible_become: true
ansible_become_method: ansible.netcommon.enable
ansible_enable_password: '{{ enable_password }}'
# Basic variables ;
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_python_interpreter: /usr/bin/python3
# playbook.yml
- name: Gather Cisco ASA Firewall Information
  hosts: "ASA"
  gather_facts: false
  collections:
    - cisco.asa
  tasks:
    - name: Display version information
      cisco.asa.asa_command:
        commands:
          - "show version"
      register: version_info
    - name: Debugging Output
      debug:
        msg: "{{ version_info.stdout_lines }}"
# ansible.cfg
[defaults]
host_key_checking=False
look_for_keys=False
Issue Type
Bug Report
Component Name
netcommon, cisco.asa
Ansible Version
$ ansible --version
ansible [core 2.14.6]
  config file = /home/ansible/Ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
Configuration
# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
OS / Environment
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=22.04
DISTRIB_CODENAME=jammy
DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS"
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Steps to Reproduce
- name: Gather Cisco ASA Firewall Information
  hosts: "ASA"
  gather_facts: false
  collections:
    - cisco.asa
  tasks:
    - name: Display Version Information
      cisco.asa.asa_command:
        commands:
          - "show version"
      register: version_info
    - name: Debugging Output
      debug:
        msg: "{{ version_info.stdout_lines }}"
Expected Results
Output with correct information of the device
Actual Results
fatal: [DEGT-ASA-1]: FAILED! => {
    "changed": false,
    "module_stderr": "command timeout triggered, timeout value is 30 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide.",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
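As an added example (not part of the report above, and not code from the cisco.asa collection): a vars.yml that turns privilege escalation on explicitly instead of leaving ansible_become commented out, supplies the enable secret under ansible_become_password (the variable name used in the Ansible network platform documentation for the ansible.netcommon.enable become plugin), reads all credentials from Ansible Vault, and raises the 30-second per-command timeout seen in the errors. The vault variable names and the 120-second timeout value are assumptions for illustration.

```yaml
# vars.yml (added example; host address and vault variable names are placeholders)
---
ansible_host: '192.168.1.10'
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_python_interpreter: /usr/bin/python3

# Login credentials come from a vault-encrypted file (assumed: group_vars/asa/vault.yml),
# so no firewall password sits in plaintext in the repository or the process list.
ansible_user: '{{ vault_asa_username }}'
ansible_password: '{{ vault_asa_password }}'

# Privilege escalation must be switched on explicitly. With ansible_become unset
# (or commented out, as in the report) the connection plugin never sends 'enable',
# and any command that needs enable mode fails.
ansible_become: true
ansible_become_method: ansible.netcommon.enable
# The enable become plugin reads the enable secret from ansible_become_password
# (the name the Ansible network platform docs use), not from a custom variable name.
ansible_become_password: '{{ vault_asa_enable_secret }}'

# Raise the per-command timeout (network_cli default: 30 s, as shown in the error)
# so that slow 'show' output on a busy firewall is not reported as a hung prompt.
# 120 s is an assumed value; tune it to the device.
ansible_command_timeout: 120
```

Keep host_key_checking at its default (enabled) in ansible.cfg and pin the firewall's SSH host key in known_hosts; disabling it, as the report's ansible.cfg does, removes the only check that the enable secret is being sent to the intended device.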