ansible-collections / cisco.asa

Ansible Security Collection for Cisco ASA
GNU General Public License v3.0

Permission escalating failed when execute command against Cisco firewall #201

Open Akasurde opened 1 year ago

Akasurde commented 1 year ago

Summary

Hi folks,

I encountered an issue relating to a Cisco ASA firewall: a command timeout is triggered when I run the ansible-playbook command. Here is the environment info.

I see the timeout error message when I choose libssh as my SSH connection module:

fatal: [ASA]: FAILED! => {
    "changed": false,
    "module_stderr": "command timeout triggered, timeout value is 30 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide.",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

There is a different error message when I choose paramiko:

fatal: [DEGT-ASA-1]: FAILED! => {
    "changed": false,
    "module_stderr": "unable to elevate privilege to enable mode",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

I think the key problem here is that it fails to enter enable mode when connecting, because the same playbook works properly when I try it with ansible_become: false.

Please find the configuration below:

# vars.yml
---
ansible_host: '192.168.1.10'
ansible_user: '{{ username }}'
ansible_password: '{{ password }}'
#ansible_become: true
ansible_become_method: ansible.netcommon.enable
ansible_enable_password: '{{ enable_password }}'

# Basic variables ;
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_python_interpreter: /usr/bin/python3

# playbook.yml
- name: Gather Cisco ASA Firewall Information
  hosts: "ASA"
  gather_facts: false 

  collections:
    - cisco.asa

  tasks:
    - name: Display version information
      cisco.asa.asa_command:
        commands:
          - "show version"
      register: version_info

    - name: Debugging Output
      debug:
        msg: "{{ version_info.stdout_lines }}"

# ansible.cfg
[defaults]
host_key_checking=False
look_for_keys=False

Issue Type

Bug Report

Component Name

netcommon, cisco.asa

Ansible Version

$ ansible --version

ansible [core 2.14.6]
  config file = /home/ansible/Ansible/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all

OS / Environment

DISTRIB_ID=Ubuntu DISTRIB_RELEASE=22.04 DISTRIB_CODENAME=jammy DISTRIB_DESCRIPTION="Ubuntu 22.04.2 LTS" PRETTY_NAME="Ubuntu 22.04.2 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.2 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy

Steps to Reproduce

- name: Gather Cisco ASA Firewall Information
  hosts: "ASA"
  gather_facts: false 

  collections:
    - cisco.asa

  tasks:
    - name: Display Version Information
      cisco.asa.asa_command:
        commands:
          - "show version"
      register: version_info

    - name: Debugging Output
      debug:
        msg: "{{ version_info.stdout_lines  }}"

Expected Results

Output with correct information of the device

Actual Results

fatal: [DEGT-ASA-1]: FAILED! => {
    "changed": false,
    "module_stderr": "command timeout triggered, timeout value is 30 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide.",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

Akasurde commented 1 year ago

cc @joeyxworks

max-macstadium commented 1 year ago

Having this issue as well. Running ASAv code version 984-25 did not have this issue. Moved up to 9-14-3 and this issue started to occur. Seems related to ASA code version.

joeyxworks commented 1 year ago

I finally got around it by changing ansible_enable_password to ansible_become_password in the variable file. Maybe you can give it a shot first, since some variables may have been deprecated or may only have worked in older versions of Ansible; you can check the link here for reference. Thank you all for your help in the problem-resolving process!

max-macstadium commented 1 year ago

Tried both sets of password vars and it is still not working. What ASA code version are you running this against, @joeyxworks? Here is my full list of host vars:

name: "FW"
ansible_host: "{{ host }}"
ansible_user: admin
ansible_password: "{{ password }}"
ansible_ssh_common_args: "-o KexAlgorithms=diffie-hellman-group1-sha1 -o StrictHostKeyChecking=no"
ansible_become: true
ansible_become_method: ansible.netcommon.enable
ansible_become_password: "{{ password }}"
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.asa.asa
ansible_python_interpreter: python
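The two host-var sets in this thread (the reporter's vars.yml with ansible_enable_password and the commented-out ansible_become, and max-macstadium's vars with ansible_become_password and the custom SSH arguments) differ in exactly the places that matter for enable mode. The script below is an added example, not code from cisco.asa or ansible.netcommon: it lints a host's variables for the enable-mode settings discussed above, applies the rename that worked for joeyxworks, and, from a defender's angle, also flags the SSH options in the second config that weaken the transport (host key checking disabled, a legacy key-exchange group). The sample dictionaries are constructed from the configs posted in the thread; the variable names it checks are the ones that appear on this page.

```python
# Added example: lint Ansible host_vars for the Cisco ASA enable-mode failure
# discussed in this issue. Not part of cisco.asa or ansible.netcommon; the
# sample host_vars below are constructed from the two configs in the thread.
import copy
import re

ENABLE_METHODS = {"ansible.netcommon.enable", "enable"}
# Variable that worked for one commenter for the enable password, plus its alias.
BECOME_PASSWORD_VARS = ("ansible_become_password", "ansible_become_pass")
# Variable the reporter used that the become plugin did not pick up in this thread.
LEGACY_ENABLE_VAR = "ansible_enable_password"

# Constructed from the reporter's vars.yml (ansible_become was commented out there).
REPORTER_VARS = {
    "ansible_host": "192.168.1.10",
    "ansible_user": "{{ username }}",
    "ansible_password": "{{ password }}",
    "ansible_become_method": "ansible.netcommon.enable",
    "ansible_enable_password": "{{ enable_password }}",
    "ansible_connection": "ansible.netcommon.network_cli",
    "ansible_network_os": "cisco.asa.asa",
    "ansible_python_interpreter": "/usr/bin/python3",
}

# Constructed from max-macstadium's host vars.
COMMENTER_VARS = {
    "ansible_host": "{{ host }}",
    "ansible_user": "admin",
    "ansible_password": "{{ password }}",
    "ansible_ssh_common_args": "-o KexAlgorithms=diffie-hellman-group1-sha1 -o StrictHostKeyChecking=no",
    "ansible_become": True,
    "ansible_become_method": "ansible.netcommon.enable",
    "ansible_become_password": "{{ password }}",
    "ansible_connection": "ansible.netcommon.network_cli",
    "ansible_network_os": "cisco.asa.asa",
    "ansible_python_interpreter": "python",
}


def _truthy(value):
    # Ansible accepts yes/true/1/on as boolean true; treat the usual spellings alike.
    return str(value).strip().lower() in {"true", "yes", "1", "on"}


def lint_host_vars(host_vars):
    """Return a list of finding strings for one host's variables."""
    findings = []
    if host_vars.get("ansible_become_method") in ENABLE_METHODS:
        if not _truthy(host_vars.get("ansible_become", False)):
            findings.append("ansible_become is not true: the enable become method is "
                            "configured but privilege escalation will not run")
        if not any(v in host_vars for v in BECOME_PASSWORD_VARS):
            if LEGACY_ENABLE_VAR in host_vars:
                findings.append(f"{LEGACY_ENABLE_VAR} is set but ansible_become_password is not: "
                                "rename it (the change that worked for one commenter in the thread)")
            else:
                findings.append("no enable password configured: set ansible_become_password")
        if host_vars.get("ansible_connection") != "ansible.netcommon.network_cli":
            findings.append("ansible_connection should be ansible.netcommon.network_cli "
                            "for enable mode on a network device")
    ssh_args = str(host_vars.get("ansible_ssh_common_args", ""))
    if re.search(r"StrictHostKeyChecking\s*=\s*no", ssh_args, re.IGNORECASE):
        findings.append("StrictHostKeyChecking=no disables SSH host key verification")
    if "diffie-hellman-group1-sha1" in ssh_args:
        findings.append("diffie-hellman-group1-sha1 is a legacy 1024-bit key exchange; "
                        "prefer a stronger key-exchange group on the device")
    return findings


def fix_enable_password(host_vars):
    """Return a copy with the rename from the thread applied and become switched on."""
    fixed = copy.deepcopy(host_vars)
    if LEGACY_ENABLE_VAR in fixed and not any(v in fixed for v in BECOME_PASSWORD_VARS):
        fixed["ansible_become_password"] = fixed.pop(LEGACY_ENABLE_VAR)
    if fixed.get("ansible_become_method") in ENABLE_METHODS:
        fixed["ansible_become"] = True
    return fixed


if __name__ == "__main__":
    for label, hv in (("reporter", REPORTER_VARS), ("commenter", COMMENTER_VARS)):
        print(f"== {label} ==")
        for finding in lint_host_vars(hv) or ["no findings"]:
            print(" -", finding)
    print("== reporter after fix ==")
    print(lint_host_vars(fix_enable_password(REPORTER_VARS)) or "no findings")
```

Run it as-is to see both configs linted; to check your own inventory, build the dictionary from `ansible-inventory --host <name> --yaml` output. The lint deliberately reports the transport weaknesses even when the become settings are right, since a working enable password does not make a connection that skips host key verification any safer.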