search

PaloAltoNetworks / pan-os-python

The PAN-OS SDK for Python is a package to help interact with Palo Alto Networks devices (including physical and virtualized Next-generation Firewalls and Panorama). The pan-os-python SDK is object oriented and mimics the traditional interaction with the device via the GUI or CLI/API.
https://pan-os-python.readthedocs.io
ISC License
345 stars 170 forks source link

PanSessionTimedOut and I think it's because there's no graceful disconnect? #289

Closed tom0010 closed 3 years ago

tom0010 commented 3 years ago

Describe the bug

I have a script that is monitoring the CPU cores in a PA device using the API call. This gets executed every 10 seconds or so, and I think the sessions are not closing cleanly, therefore that is why I think I am seeing this issue. I tried to look through the code but I couldn't see anything about a disconnect. In Netmiko for example, there is a function to disconnect the session. Now, I'm not sure if that is even needed here but I am lost if that is not the case.

Expected behavior

For the device to not timeout.

Current behavior

I am getting: 

Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/panos/base.py", line 3626, in method
    super_method(self, *args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pan/xapi.py", line 951, in op
    self.__type_op(cmd, vsys, extra_qs)
  File "/usr/lib/python3.8/site-packages/pan/xapi.py", line 974, in __type_op
    raise PanXapiError(self.status_detail)
pan.xapi.PanXapiError: Session timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/python-modules/paloalto.py", line 32, in main
    output = device.op(command, xml=True, cmd_xml=False)
  File "/usr/lib/python3.8/site-packages/panos/firewall.py", line 207, in op
    return super(Firewall, self).op(
  File "/usr/lib/python3.8/site-packages/panos/base.py", line 3774, in op
    element = self.xapi.op(
  File "/usr/lib/python3.8/site-packages/panos/base.py", line 3645, in method
    raise the_exception
panos.errors.PanSessionTimedOut: Session timed out

Possible solution

Add a function to gracefully disconnect the session.

Steps to reproduce

Run every 10-30 seconds:

    device = firewall.Firewall(host, username, password, timeout=120, is_virtual=False, interval=10)
    command = ("<show><running><resource-monitor><minute><last>1"
               "</last></minute></resource-monitor></running></show>")
    output = device.op(command, xml=True, cmd_xml=False)
    output = xmltodict.parse(output)

I'm currently using telegraf to execute this multiple times.

Context

Trying to monitor DP cores and put the info into a timeseries DB.

Your Environment

welcome-to-palo-alto-networks[bot] commented 3 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

tom0010 commented 3 years ago

As a test, I switched over to using just python requests. I'm still getting some timeouts but no where near as many.

09:57:01,529 root DEBUG OrderedDict([('response', OrderedDict([('@status', 'unauth'), ('@code', '22'), ('msg', OrderedDict([('line', 'Session timed out')]))]))])

Not sure if you would like to investigate further or not. Happy to send more info if needed.

btorresgil commented 3 years ago

Hi @tom0010, sorry for the slow response, and happy holidays. Since this is happening outside the pan-os-python library, I recommend to open a TAC case to investigate. The PAN-OS API is a TAC supported product and they can look into why your sessions are timing out.

I'll close this issue for now, since it doesn't seem specific to the pan-os-python library. Thanks for following up.