CiscoDevNet / terraform-provider-sdwan

Terraform Cisco SD-WAN Provider
https://registry.terraform.io/providers/CiscoDevNet/sdwan
Mozilla Public License 2.0

secure_internet_gateway_feature_template update fails with vManage error #202

Open cmohorea opened 5 months ago

cmohorea commented 5 months ago

I have a SIG template definition that is based on an import of the existing template, and terraform plan considers it up to date, no changes needed. When I try to modify it, the device template attachment results in a configuration update failure (output below). It may be related to the fact that I don't have a backup interface in a pair (backup_interface = "None" in config). I tried to compare the API call content, TF vs vManage; the only difference was the "priority-order" list under "ha-pairs"/"interface-pair" present in the vManage call.

```
│ Error: Client Error
│
│   with sdwan_attach_feature_device_template.CLOUD_GATEWAY-1,
│   on cnrail-cloud-lab1.tf line 301, in resource "sdwan_attach_feature_device_template" "CLOUD_GATEWAY-1":
│  301: resource "sdwan_attach_feature_device_template" "CLOUD_GATEWAY-1" {
│
│ Failed to attach device template, got error: Action push_feature_template_configuration-dfc512ae-ca35-44f6-af31-ec4bda5781f4 for device
│ C8K-13D2040A-1F7E-9772-CBAE-1E932C941182 failed. Activity log: ["[16-Apr-2024 21:08:09 UTC] Configuring device with feature template:
│ CLOUD_GATEWAY","[16-Apr-2024 21:08:09 UTC] Failed to update configuration - Error on line 114: missing element: backup-interface in
│ /vmanage-cfs:templates/vmanage-cfs:template[vmanage-cfs:template-name='vip_internal_temp_device_C8K-13D2040A-1F7E-9772-CBAE-1E932C941182-549a4477-c95b-45ea-a7a6-8bee0be30ffb']/vmanage-cfs:vpn/vmanage-cfs:vpn-instance[vmanage-cfs:vpn-id='0']/vmanage-cfs:service[vmanage-cfs:svc-type='sig']/vmanage-cfs:ha-pairs/vmanage-cfs:interface-pair\n"]
```

Resource definition for the reference:

```hcl
resource "sdwan_cisco_secure_internet_gateway_feature_template" "CLOUD_SIG" {
  name = "CLOUD_SIG"
  description = "IPsec for TACACS"
  device_types = local.cloud_devices
  vpn_id = 0
  interfaces = [
    {
      application = "sig",
      auto_tunnel_mode = false,
      dead_peer_detection_interval = 10,
      dead_peer_detection_retries = 2,
      ike_group = "14",
      ike_pre_shared_key = "*",
      ike_rekey_interval = 86400,
      ike_version = 2,
      ip_unnumbered = true,
      ipsec_ciphersuite = "aes256-cbc-sha256",
      ipsec_perfect_forward_secrecy = "group-14",
      ipsec_rekey_interval = 28800,
      name = "ipsec2",
      sig_provider = "secure-internet-gateway-other",
      tunnel_destination = "x.x.x.x",
      tunnel_route_via = "GigabitEthernet2",
      tunnel_source_interface = "GigabitEthernet2",
    }
  ]
  services = [
    {
      interface_pairs = [
        {
          active_interface = "ipsec2",
          active_interface_weight = 1,
          backup_interface = "None",
          backup_interface_weight = 1,
        }
      ],
      service_type = "sig",
    }
  ]
  tracker_source_ip = "10.100.0.1/32"
}
```

danischm commented 5 months ago

I don't think it is related to "priority-order", as this typically should not make a difference. Can you try removing the "backup_interface" and "backup_interface_weight" attributes from your resource?

cmohorea commented 5 months ago

Those seem to be mandatory:

```
│ Error: Client Error
│
│   with sdwan_cisco_secure_internet_gateway_feature_template.CLOUD_SIG,
│   on cnrail-lab1-cloud.tf line 129, in resource "sdwan_cisco_secure_internet_gateway_feature_template" "CLOUD_SIG":
│  129: resource "sdwan_cisco_secure_internet_gateway_feature_template" "CLOUD_SIG" {
│
│ Failed to configure object (PUT), got error: HTTP Request failed: StatusCode 500, {"error":{"message":"Server
│ error","details":"vManage server experience an unexpected error,If the problem persists, please contact your
│ administrator for details.","code":"REST0001"}}
```

danischm commented 5 months ago

Checking the payload generated when configuring this from the GUI, it looks like the interface pair needs to be configured like this, if there is no backup interface:

```hcl
      interface_pairs = [
        {
          active_interface = "ipsec2",
          active_interface_weight = 1,
          backup_interface = "_blank",
          backup_interface_weight = 1,
        }
      ]
```

cmohorea commented 5 months ago

I think I saw the same "None" in vManage's API call. Anyway, same error with "_blank". Is there a way to see this config around "line 114"?

```
│ Error: Client Error
│
│   with sdwan_attach_feature_device_template.CLOUD_GATEWAY-1,
│   on cnrail-lab1-cloud.tf line 301, in resource "sdwan_attach_feature_device_template" "CLOUD_GATEWAY-1":
│  301: resource "sdwan_attach_feature_device_template" "CLOUD_GATEWAY-1" {
│
│ Failed to attach device template, got error: Action
│ push_feature_template_configuration-aac18172-d3fd-4745-a573-8c4fdb80b8eb for device
│ C8K-13D2040A-1F7E-9772-CBAE-1E932C941182 failed. Activity log: ["[17-Apr-2024 19:39:49 UTC] Configuring device
│ with feature template: CLOUD_GATEWAY","[17-Apr-2024 19:39:49 UTC] Failed to update configuration - Error on line
│ 114: missing element: backup-interface in
│ /vmanage-cfs:templates/vmanage-cfs:template[vmanage-cfs:template-name='vip_internal_temp_device_C8K-13D2040A-1F7E-9772-CBAE-1E932C941182-532fa8b6-17bc-4a58-8ee6-a61086137e93']/vmanage-cfs:vpn/vmanage-cfs:vpn-instance[vmanage-cfs:vpn-id='0']/vmanage-cfs:service[vmanage-cfs:svc-type='sig']/vmanage-cfs:ha-pairs/vmanage-cfs:interface-pair\n"]
```
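
The attach failures quoted in this thread all carry the same activity-log entry, which names a missing leaf and the schema path it belongs under. As an added example (not part of the thread and not the provider's code), this sketch unwraps Terraform's boxed output and breaks that entry into line number, missing element and path keys; the function names and the `EXAMPLE` placeholders in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the Terraform error quoted above, as Terraform prints it
# (boxed and wrapped), with the UUIDs shortened to the placeholder "EXAMPLE".
SAMPLE = r"""
│ Failed to attach device template, got error: Action
│ push_feature_template_configuration-EXAMPLE for device
│ C8K-EXAMPLE failed. Activity log: ["[17-Apr-2024 19:39:49 UTC] Configuring device
│ with feature template: CLOUD_GATEWAY","[17-Apr-2024 19:39:49 UTC] Failed to update configuration - Error on line
│ 114: missing element: backup-interface in
│ /vmanage-cfs:templates/vmanage-cfs:template[vmanage-cfs:template-name='vip_internal_temp_device_C8K-EXAMPLE']/vmanage-cfs:vpn/vmanage-cfs:vpn-instance[vmanage-cfs:vpn-id='0']/vmanage-cfs:service[vmanage-cfs:svc-type='sig']/vmanage-cfs:ha-pairs/vmanage-cfs:interface-pair\n"]
"""

# "\\n" matches the literal backslash-n left over from the JSON-encoded log.
ERR = re.compile(r'Error on line (\d+): missing element: (\S+) in (/.+?)(?:\\n|"|$)')
STEP = re.compile(r"/(?:[\w-]+:)?([\w-]+)((?:\[[^\]]*\])*)")   # /prefix:node[preds]
PRED = re.compile(r"\[(?:[\w-]+:)?([\w-]+)='([^']*)'\]")       # [prefix:key='value']


def unwrap(tf_output):
    """Strip Terraform's box prefix and re-join its word-wrapped lines."""
    lines = (ln.lstrip("│ ").rstrip() for ln in tf_output.splitlines())
    return " ".join(ln for ln in lines if ln)


def parse_missing_element(tf_output):
    """Return line number, missing leaf and parsed path, or None if absent."""
    m = ERR.search(unwrap(tf_output))
    if m is None:
        return None
    path = [(node, dict(PRED.findall(preds)))
            for node, preds in STEP.findall(m.group(3))]
    return {"line": int(m.group(1)), "element": m.group(2), "path": path}


def describe(result):
    """One-line summary: list keys along the path, then the missing leaf."""
    hops = []
    for node, keys in result["path"]:
        if node in ("templates", "template"):   # wrapper nodes, not config
            continue
        hops.append(node + "".join(f"[{k}={v}]" for k, v in keys.items()))
    return f"{' > '.join(hops)}: missing {result['element']} (line {result['line']})"


if __name__ == "__main__":
    print(describe(parse_missing_element(SAMPLE)))
```
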