cisco.asa
asa_og: Issue when using state:replace with Port: 80 in port-groups
From @djedovica on Jul 08, 2020 09:12
SUMMARY
I have port 80 in a port group on the firewall. When I send a task with state: replace, port 80 is always removed from this group. When I send the same task once again, port 80 is created in this port group. On the next attempt it is removed, then created, etc. I get no errors from Ansible.
I have also tested with other ports, and the same problem appears with port 67. Other ports that I have tested seem to work properly (of course, I haven't tested all possible ports).
The same problem appears when using a port range with port 90 (example: port_range: 80 90).
ISSUE TYPE
- Bug Report
COMPONENT NAME
asa_og
ANSIBLE VERSION
ansible 2.8.4
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
DEFAULT_HASH_BEHAVIOUR(/etc/ansible/ansible.cfg) = merge
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /root/.ssh/id_rsa
DEFAULT_PRIVATE_ROLE_VARS(/etc/ansible/ansible.cfg) = True
DEFAULT_VAULT_PASSWORD_FILE(/etc/ansible/ansible.cfg) = /root/.ansible/vault.key
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PARAMIKO_HOST_KEY_AUTO_ADD(/etc/ansible/ansible.cfg) = True
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT
Centos 7.7 Firewall: ASA 5515
STEPS TO REPRODUCE
I have two tasks: one that creates a port-group with state: present and a second that edits the port-group with state: replace. The problem appears when I send the task with state: replace. This task always deletes port 80 from the port-group. For example:
First task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: present
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "90"
    port_range:
  tags:
    - port_group1
Second Task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: replace
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "91"
    port_range:
  tags:
    - port_group1
In this example, the only difference is that I have replaced port 90 with port 91. After executing Task 1, a port-group with ports 80 and 90 is created on the firewall (there is no problem). After executing Task 2, the group on the firewall contains only port 91; port 80 is deleted.
EXPECTED RESULTS
I expect that the port group contains ports 80 and 91.
ACTUAL RESULTS
After first execution: port group contains only port 91.
After second execution: port group contains ports 80, 91.
After third execution: port group contains only port 91, etc.
Copied from original issue: ansible/ansible#70518