cisco.asa

asa_og: Issue when using state:replace with Port: 80 in port-groups

Open Akasurde opened this issue 3 years ago • 2 comments

From @djedovica on Jul 08, 2020 09:12

SUMMARY

I have port 80 in the port group on the firewall. When I send a task with state:replace, port 80 will always be removed from this group. When I send the same task once again, port 80 will be created in this port group. On the next attempt it will be removed, and then created, etc. I get no errors from ansible.

I have also tested with other ports and the same problem appears with port 67. Other ports that I have tested seem to work properly (of course, I haven’t tested all possible ports).

The same problem appears when using a port range with port 90 (Example: port_range: 80 90).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_og

ANSIBLE VERSION
ansible 2.8.4
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
DEFAULT_HASH_BEHAVIOUR(/etc/ansible/ansible.cfg) = merge
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /root/.ssh/id_rsa
DEFAULT_PRIVATE_ROLE_VARS(/etc/ansible/ansible.cfg) = True
DEFAULT_VAULT_PASSWORD_FILE(/etc/ansible/ansible.cfg) = /root/.ansible/vault.key
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PARAMIKO_HOST_KEY_AUTO_ADD(/etc/ansible/ansible.cfg) = True
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

CentOS 7.7
Firewall: ASA 5515

STEPS TO REPRODUCE

I have two tasks: one for creating a port-group with state: present and a second to edit a port-group with state: replace. The problem appears when I send a task with state:replace. This task is always going to delete port 80 from the port-group. For example:

First task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: present
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "90"
    port_range:
  tags:
    - port_group1


Second Task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: replace
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "91"
    port_range:
  tags:
    - port_group1

In this example, the difference is that I have replaced port 90 with port 91. After executing Task 1, a port-group with ports 80 and 90 is created on the firewall (there is no problem). After executing Task 2, the group on the firewall will contain only port 91; port 80 is deleted.

EXPECTED RESULTS

I expect that the port group contains ports: 80, 91

ACTUAL RESULTS

After first execution: port group contains only port 91
After second execution: port group contains ports 80, 91
After third execution: port group contains only port 91
etc.


Copied from original issue: ansible/ansible#70518

Akasurde, Jul 08 '20 09:07
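
One explanation consistent with the toggle reported above, as an added example that is not part of the original issue and is not the asa_og module's code. It assumes the ASA echoes well-known ports by name in its configuration (80 as www, 67 as bootps), that the module diffs those strings against the numeric values in the task, and that additions are sent before removals; FakeAsaGroup, replace_commands and run_replace are hypothetical names.

```python
# Constructed model of the toggle; not the asa_og module's source.
# Assumption: the ASA prints well-known ports by name in its config.
ASA_PORT_NAMES = {"www": "80", "bootps": "67"}  # subset relevant to the issue
NAME_FOR = {num: name for name, num in ASA_PORT_NAMES.items()}


class FakeAsaGroup:
    """Stores ports numerically, displays well-known ones by name."""

    def __init__(self):
        self.ports = set()

    def apply(self, commands):
        for cmd in commands:
            negate = cmd.startswith("no ")
            token = cmd.split()[-1]
            port = ASA_PORT_NAMES.get(token, token)  # device accepts both forms
            (self.ports.discard if negate else self.ports.add)(port)

    def show(self):
        return sorted(NAME_FOR.get(p, p) for p in self.ports)


def replace_commands(want, have, normalize=False):
    """Diff for state: replace. Assumption: adds are sent before removals."""
    if normalize:
        have = [ASA_PORT_NAMES.get(p, p) for p in have]
    adds = [f"port-object eq {p}" for p in want if p not in have]
    removes = [f"no port-object eq {p}" for p in have if p not in want]
    return adds + removes


def run_replace(want, start, runs, normalize=False):
    """Return the numeric group contents after each repeated run."""
    group = FakeAsaGroup()
    group.ports = set(start)
    history = []
    for _ in range(runs):
        group.apply(replace_commands(want, group.show(), normalize))
        history.append(sorted(group.ports))
    return history


if __name__ == "__main__":
    # Task 2 from the issue, run three times against the group left by Task 1.
    print(run_replace(["80", "91"], ["80", "90"], 3))
    print(run_replace(["80", "91"], ["80", "90"], 3, normalize=True))
```

Under these assumptions the string diff never matches "80" against "www", so each run that sees www re-adds 80 and then removes it by name; comparing after normalizing names to numbers converges on the first run.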