
cisco.asa.asa_command module not working with backup command

Open iamgini opened this issue 3 years ago • 10 comments

SUMMARY

Since the cisco.asa.asa_config module backup downloads the backup to the local machine, we are using the cisco.asa.asa_command module to run arbitrary commands and take the backup directly to the TFTP server as follows.

- name: Take Cisco ASA Backup
  cisco.asa.asa_command:
    commands:
      - copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}
  register: tftp_copy_status

But the command fails with the below message:

 "msg": "/noconfirm running-config tftp://10.1.10.10/ASA-DEMO$\\r\\n\\r\\n/noconfirm running-config tftp://10.1.10.10/ASA-DEMO0817-150814.cfg\\r\\n^\\r\\nERROR: % Invalid input detected at '^' marker.\\r\\n\\rASA-DEMO> "
}
ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_command

ANSIBLE VERSION
ansible-playbook [core 2.12.1]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/project/collections:/home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.8.8 (default, Aug 11 2021, 06:52:42) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True
Using /runner/project/ansible.cfg as config file
COLLECTION VERSION
$  ansible-galaxy collection list |grep asa
cisco.asa              3.0.0  
CONFIGURATION
NA
OS / ENVIRONMENT

Ansible: Red Hat Enterprise Linux 8.5.0-3 (Ansible execution environment container image; also tested on different machine with Python virtual environment)

Cisco ASA:

Cisco Adaptive Security Appliance Software Version 9.9(2)27
Firepower Extensible Operating System Version 2.3(1.117)
Device Manager Version 7.6(1)
Compiled on Thu 11-Oct-18 20:12 PDT by builders
System image file is "disk0:/asa992-<retracted>"
Config file at boot was "startup-config"
ASA-DEMO up 22 days 7 hours
Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash <retracted>
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1
<retracted>
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has a Base license.
Serial Number: <retracted>
Running Permanent Activation Key: <retracted>
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration last modified by <retracted>
STEPS TO REPRODUCE

Execute the following playbook on one or more Cisco ASA devices.

- name: Take Cisco ASA Backup
  cisco.asa.asa_command:
    commands:
      - copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}
  register: tftp_copy_status

EXPECTED RESULTS

The command executes successfully and the backup file transfers to the TFTP server.

ACTUAL RESULTS

Task fails with the following error message:

The full traceback is:
  File "/runner/project/collections/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 147, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/usr/lib/python3.8/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [ASA-DEMO]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authorize": null,
            "commands": [
                "copy /noconfirm running-config tftp://10.1.10.10/ASA-DEMO-20220817-151253.cfg"
            ],
            "context": null,
            "interval": 1,
            "match": "all",
            "passwords": null,
            "provider": null,
            "retries": 10,
            "wait_for": null
        }
    },
   "msg": "/noconfirm running-config tftp://10.1.10.10/ASA-DEMO$\\r\\n\\r\\n/noconfirm running-config tftp://10.1.10.10/ASA-DEMO0817-150814.cfg\\r\\n^\\r\\nERROR: % Invalid input detected at '^' marker.\\r\\n\\rASA-DEMO> "
}
 

iamgini avatar Aug 23 '22 02:08 iamgini
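
An added triage helper, not part of the issue thread or the cisco.asa collection: it splits the `msg` string from the failed task into the device's error lines and the final CLI prompt, and names the mode that prompt indicates. The function and field names are hypothetical, and treating a trailing `$` as a scrolled echo line is an assumption.

```python
import re

# "msg" value from the failed task above. After JSON decoding it holds literal
# backslash sequences (\r, \n), not control characters, hence the raw strings.
SAMPLE_MSG = (
    r"/noconfirm running-config tftp://10.1.10.10/ASA-DEMO$\r\n\r\n"
    r"/noconfirm running-config tftp://10.1.10.10/ASA-DEMO0817-150814.cfg\r\n"
    r"^\r\nERROR: % Invalid input detected at '^' marker.\r\n\rASA-DEMO> "
)

# ASA prompt convention: "host>" is user EXEC, "host#" is privileged EXEC,
# "host(config)#" is a configuration mode.
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?P<ctx>\([^)]*\))?(?P<suffix>[>#])$")


def triage_cli_error(msg):
    """Split a network_cli output string into device errors and the final prompt."""
    # Normalise literal escapes and real control characters to plain newlines.
    text = msg.replace("\\r", "\r").replace("\\n", "\n").replace("\r", "\n")
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]

    prompt, mode = None, "unknown"
    match = PROMPT_RE.match(lines[-1]) if lines else None
    if match:
        prompt = match.group(0)
        if match.group("ctx"):
            mode = "configuration"
        else:
            mode = "user EXEC" if match.group("suffix") == ">" else "privileged EXEC"

    return {
        "prompt": prompt,
        "mode": mode,
        # Both error styles that appear in device output on this page.
        "errors": [ln for ln in lines if ln.startswith(("ERROR:", "%Error"))],
        # Assumption: a trailing "$" marks an echoed line the CLI scrolled
        # because it was wider than the terminal.
        "scrolled_echo": any(ln.endswith("$") for ln in lines[:-1]),
    }


if __name__ == "__main__":
    print(triage_cli_error(SAMPLE_MSG))
```

Run over a task's `stdout` as well as `msg`, the same function flags device-side `%Error` lines in runs that Ansible reports as `ok`.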

@ginigangadharan Thanks for raising the issue, I wanted to check if you're able to achieve the expected outcome from the cmd: copy /noconfirm running-config tftp://10.1.10.10/ASA-DEMO-20220817-151253.cfg when directly fired through Cisco ASA config, as invalid input is the error received from the ASA config.

justjais avatar Sep 06 '22 13:09 justjais

Hi @justjais Yes, I am able to run the same command from the switch console manually without any issue and the command will complete successfully.

iamgini avatar Sep 06 '22 13:09 iamgini

@ginigangadharan Thanks for the quick response, I'll triage the issue and update asap

justjais avatar Sep 06 '22 13:09 justjais

Thank you @justjais. I am trying from my side as well but couldn't find the issue.

I will wait for your update.

iamgini avatar Sep 06 '22 13:09 iamgini

Hi @justjais, just checking if you found any good news on this.

Thank you :D

iamgini avatar Sep 14 '22 07:09 iamgini

@ginigangadharan please excuse me for the delayed response, the entire team was involved in AnsibleFest, which concluded recently. I'll triage the issue and update you ASAP.

justjais avatar Nov 02 '22 10:11 justjais

@justjais thank you so much. Hope you had a great experience there at AnsibleFest :)

iamgini avatar Nov 03 '22 03:11 iamgini

@ginigangadharan I've verified the issue from my end but I am unable to reproduce the said error, please find my config below:

Play:

---
- name: CISCO ASA tasks
  hosts: asa
  collections:
    - cisco.asa
  gather_facts: false
  vars:
    tftp_server: 10.1.10.10
    backup_filename: ASA-backup-test
  tasks:
    - name: Take Cisco ASA Backup
      tags: asa_177
      cisco.asa.asa_command:
        commands:
          - "copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}"
      register: tftp_copy_status

Inventory:

[asa:vars]
ansible_ssh_host=44.242.148.15
ansible_user=admin
ansible_become=true
ansible_become_method=ansible.netcommon.enable
ansible_become_pass=admin
ansible_connection=network_cli
ansible_network_os=asa
ansible_python_interpreter=python

Ansible version:

ansible-playbook [core 2.13.5]
  config file = ./ansible.cfg
  configured module search path = ['.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/sjaiswal/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.13 (main, May 24 2022, 21:28:44) [Clang 13.0.0 (clang-1300.0.29.30)]
  jinja version = 3.0.1
  libyaml = True

Play run:

ok: [44.242.148.15] => changed=false
  invocation:
    module_args:
      authorize: null
      commands:
      - copy /noconfirm running-config tftp://10.1.10.10/ASA-backup-test
      context: null
      interval: 1
      match: all
      passwords: null
      provider: null
      retries: 10
      wait_for: null
  stdout:
  - |-
    Cryptochecksum: 5646dd91 76be5088 1b625b61 bdc47e3b

    %Error writing tftp://10.1.10.10/ASA-backup-test (Timed out attempting to connect)
  stdout_lines: <omitted>
META: ran handlers
META: ran handlers

PLAY RECAP ***********************************************************************************************************************************************************************
44.242.148.15              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Cisco ASA detail:

Cisco Adaptive Security Appliance Software Version 9.18(1)
SSP Operating System Version 2.12(0.31)
Device Manager Version 7.18(1)

Can you run the play appending -vvvv with play run to get the detailed verbose output and share the play run?

justjais avatar Nov 07 '22 14:11 justjais

@ginigangadharan were you able to check on this issue?

justjais avatar Dec 01 '22 13:12 justjais

@justjais apologies for my delayed response. I have tried but it was not working. I missed collecting and sharing the logs. I will try and update you by next week (as I am travelling now).

Thank you for checking this.

iamgini avatar Dec 01 '22 13:12 iamgini