I have been tasked with backing up all of our network devices, so natuarally I chose ansible. I am no expert but I sure need help on this one! I have tried everything under the moon and cannot figure it out, neither has chat-gpt. The ansible ping module works successfully and the debug output shows its getting some of the data from 'sh run' however its still failing. I can login manually and run both commands with no errors. The two commands I am using are 'terminal pager 0' and 'sh run' I am using the cisco.asa.asa module. I havs also tried using the wait for directive, but maybe I did it wrong. Here is my yaml file with more details the cfg, debug output etc. Yamllint and --sytax-check show no errors. Thank you! Much appreciated!!
Errors:
[root@ho-lx-ansible01 networking]# play -vvvv mynewtest.zz.yml > .out 2>&1
ansible-playbook [core 2.13.3]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible-playbook
python version = 3.9.13 (main, Nov 16 2022, 15:11:16) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15.0.1)]
jinja version = 3.1.2
libyaml = True
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading collection cisco.asa from /root/.ansible/collections/ansible_collections/cisco/asa
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /usr/share/ansible/collections/ansible_collections/community/general
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading callback plugin community.general.yaml of type stdout, v2.0 from /usr/share/ansible/collections/ansible_collections/community/general/plugins/callback/yaml.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: mynewtest.zz.yml *****************************************************
Positional arguments: mynewtest.zz.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 10
1 plays in mynewtest.zz.yml
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
PLAY [Backup ASA Configuration] ************************************************
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
TASK [Show running config] *****************************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:21
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> local domain socket does not exist, starting it
<zzasaXXX.ad.XXX.com> control socket path is /root/.ansible/pc/f2e7921f36
<zzasaXXX.ad.XXX.com> redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
<zzasaXXX.ad.XXX.com> Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon
<zzasaXXX.ad.XXX.com> Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> Loading collection cisco.asa from /root/.ansible/collections/ansible_collections/cisco/asa
<zzasaXXX.ad.XXX.com> local domain socket listeners started successfully
<zzasaXXX.ad.XXX.com> loaded cliconf plugin ansible_collections.cisco.asa.plugins.cliconf.asa from path /root/.ansible/collections/ansible_collections/cisco/asa/plugins/cliconf/asa.py for network_os cisco.asa.asa
<zzasaXXX.ad.XXX.com> ssh type is set to libssh
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.asa.asa_facts at /root/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_facts.py
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.asa.asa_facts
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: complete
ok: [zzasaXXX] => changed=false
ansible_facts:
ansible_net_api: cliconf
ansible_net_asatype: null
ansible_net_config: |2-
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD203707VN
Running Permanent Activation Key: 0xd221e25c 0x985012a5 0xa44219b4 0xb740ccb0 0x013303a6
Configuration register is 0x1
FPGA UPGRADE Version : 3.0
FPGA GOLDEN Version : 3.0
ROMMON Version : 1.1.18
Image type : Release
Key Version : A
Configuration last modified by XXX\alamonda at 11:24:47.301 EDT Wed May 3 2023
ZZASAP01# running-config
^
ERROR: % Invalid input detected at '^' marker.
ZZASAP01#
ansible_net_device_mgr_version: 7.19(1)90
ansible_net_gather_network_resources: []
ansible_net_gather_subset:
- default
- config
ansible_net_hostname: ZZASAP01
ansible_net_image: disk0:/asa9-16-3-23-lfbff-k8.SPA
ansible_net_python_version: 3.9.13
ansible_net_serialnum: null
ansible_net_system: asa
ansible_net_version: 9.16(3)23
ansible_network_resources: {}
invocation:
module_args:
context: null
gather_network_resources: null
gather_subset:
- config
passwords: null
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
TASK [show output] *************************************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:27
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> found existing local domain socket, using it!
<zzasaXXX.ad.XXX.com> invoked shell using ssh_type: libssh
<zzasaXXX.ad.XXX.com> ssh connection done, setting terminal
<zzasaXXX.ad.XXX.com> loaded terminal plugin for network_os cisco.asa.asa
<zzasaXXX.ad.XXX.com> firing event: on_open_shell()
[WARNING]: on_open_shell: failed to set terminal parameters
<zzasaXXX.ad.XXX.com> ssh connection has completed successfully
<zzasaXXX.ad.XXX.com> updating play_context for connection
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
ok: [zzasaXXX] =>
ansible_net_config:
ansible_facts:
ansible_net_api: cliconf
ansible_net_asatype: null
ansible_net_config: |2-
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAD203707VN
Running Permanent Activation Key: 0xd221e25c 0x985012a5 0xa44219b4 0xb740ccb0 0x013303a6
Configuration register is 0x1
FPGA UPGRADE Version : 3.0
FPGA GOLDEN Version : 3.0
ROMMON Version : 1.1.18
Image type : Release
Key Version : A
Configuration last modified by XXX\alamonda at 11:24:47.301 EDT Wed May 3 2023
ZZASAP01# running-config
^
ERROR: % Invalid input detected at '^' marker.
ZZASAP01#
ansible_net_device_mgr_version: 7.19(1)90
ansible_net_gather_network_resources: []
ansible_net_gather_subset:
- default
- config
ansible_net_hostname: ZZASAP01
ansible_net_image: disk0:/asa9-16-3-23-lfbff-k8.SPA
ansible_net_python_version: 3.9.13
ansible_net_serialnum: null
ansible_net_system: asa
ansible_net_version: 9.16(3)23
ansible_network_resources: {}
changed: false
failed: false
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
TASK [Save running config to a file] *******************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:31
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> found existing local domain socket, using it!
<zzasaXXX.ad.XXX.com> updating play_context for connection
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
<zzasaXXX.ad.XXX.com> ESTABLISH LOCAL CONNECTION FOR USER: root
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680 `" && echo ansible-tmp-1683226209.4103367-4714-216689891930680="` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680 `" ) && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/stat.py
<zzasaXXX.ad.XXX.com> PUT /root/.ansible/tmp/ansible-local-4699c2_f7d2s/tmppq9q72rm TO /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '/usr/bin/python3.9 /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/file.py
<zzasaXXX.ad.XXX.com> PUT /root/.ansible/tmp/ansible-local-4699c2_f7d2s/tmpkjnfx3s1 TO /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '/usr/bin/python3.9 /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ > /dev/null 2>&1 && sleep 0'
ok: [zzasaXXX] => changed=false
checksum: 5a6e3d377742ec32c0bb911561b81ade44373e96
dest: /mnt/zzasaXXX.runcfg
diff:
after:
path: /mnt/zzasaXXX.runcfg
before:
path: /mnt/zzasaXXX.runcfg
gid: 0
group: root
invocation:
module_args:
_diff_peek: null
_original_basename: tmpv40dwe82
access_time: null
access_time_format: '%Y%m%d%H%M.%S'
attributes: null
dest: /mnt/zzasaXXX.runcfg
follow: true
force: false
group: null
mode: null
modification_time: null
modification_time_format: '%Y%m%d%H%M.%S'
owner: null
path: /mnt/zzasaXXX.runcfg
recurse: false
selevel: null
serole: null
setype: null
seuser: null
src: null
state: file
unsafe_writes: false
mode: '0644'
owner: root
path: /mnt/zzasaXXX.runcfg
secontext: system_u:object_r:nfs_t:s0
size: 1326
state: file
uid: 0
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers
PLAY RECAP *********************************************************************
zzasaXXX : ok=3 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
############
YAML and CFG:
---
- name: Backup ASA Configuration
hosts: zzasaXXX
gather_facts: false
collections:
- cisco.asa
- cisco.asa.asa_facts
- ansible.netcommon.net_get
vars:
# Encrypted variables
ansible_user: "{{ vault_net_user }}"
ansible_password: "{{ vault_net_pass }}"
vars_files:
- '/etc/ansible/group_vars/vault.yml'
tasks:
- name: Show running config
cisco.asa.asa_facts:
gather_subset:
- config
register: ansible_net_config
- name: show output
debug:
var: ansible_net_config
- name: Save running config to a file
copy:
content: "{{ ansible_net_config }}"
dest: "/mnt/{{ inventory_hostname }}.runcfg"
...
[root@ho-lx-ansible01 networking]# ls -al /mnt
total 76
drwxrwxrwx. 1 root root 72 May 4 14:49 .
dr-xr-xr-x. 18 root root 235 May 2 13:10 ..
-rwxrwxrwx. 1 root root 67434 May 4 14:19 foo
-rw-r--r--. 1 root root 1326 May 4 14:49 zzasap01.runcfg
###
SHOW VERSIONS on ASA
###
ZZASAP01# show version
Cisco Adaptive Security Appliance Software Version 9.16(3)23
SSP Operating System Version 2.10(1.214)
Device Manager Version 7.19(1)90
Compiled on Fri 09-Sep-22 18:14 GMT by builders
System image file is "disk0:/asa9-16-3-23-lfbff-k8.SPA"
Config file at boot was "startup-config"
ZZASAP01 up 82 days 23 hours
Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
Number of accelerators: 1
1: Ext: GigabitEthernet1/1 : address is 00a2.eef9.d683, irq 255
2: Ext: GigabitEthernet1/2 : address is 00a2.eef9.d684, irq 255
3: Ext: GigabitEthernet1/3 : address is 00a2.eef9.d685, irq 255
4: Ext: GigabitEthernet1/4 : address is 00a2.eef9.d686, irq 255
5: Ext: GigabitEthernet1/5 : address is 00a2.eef9.d687, irq 255
6: Ext: GigabitEthernet1/6 : address is 00a2.eef9.d688, irq 255
7: Ext: GigabitEthernet1/7 : address is 00a2.eef9.d689, irq 255
8: Ext: GigabitEthernet1/8 : address is 00a2.eef9.d68a, irq 255
9: Int: Internal-Data1/1 : address is 00a2.eef9.d682, irq 255
10: Int: Internal-Data1/2 : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3 : address is 0000.0001.0003, irq 0
13: Ext: Management1/1 : address is 00a2.eef9.d682, irq 0
14: Int: Internal-Data1/4 : address is 0000.0100.0001, irq 0
The Running Activation Key feature: 2 security contexts exceed the limit on the platform, reduced to 0 security contexts.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Serial Number: JAXXXXX
Running Permanent Activation Key XXXXXXXXXXXXXXX
Configuration register is 0x1
FPGA UPGRADE Version : 3.0
FPGA GOLDEN Version : 3.0
ROMMON Version : 1.1.18
Image type : Release
Key Version : A
Configuration last modified by mei\alamonda at 11:24:47.301 EDT Wed May 3 2023
ZZASAP01#
