fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Connection token isn't valid after firmware upgrade/ha switchover / reauthentication needed #225

Open Serazio opened 1 year ago

Serazio commented 1 year ago

When upgrading the FortiGate firmware on an HA cluster via the following play, we get a 401 Unauthorized in the second task:

    - name: "Try upgrade"
      fortinet.fortios.fortios_monitor:
        selector: "upgrade.system.firmware"
        params:
          source: "fortiguard"
          filename: "{{ firmware_target.id }}"
      register: upgrade_data
      ignore_errors: true  # set to true as the play should proceed

    - name: "Wait and check if upgrade was successful"
      fortinet.fortios.fortios_monitor_fact:
        selector: "system_firmware"
      register: firmware_result
      until:
        - "firmware_result is not failed"
        - "firmware_result.meta.results.current.version == target_version"
      retries: 15
      delay: 20

Error:

fatal: [123.123.123.123]: FAILED! => {
    "attempts": 15,
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": null,
            "enable_log": false,
            "filters": null,
            "formatters": null,
            "params": null,
            "selector": "system_firmware",
            "selectors": null,
            "sorters": null,
            "vdom": "root"
        }
    },
    "meta": {
        "http_status": 401,
        "raw": "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>401 Unauthorized</title>\n</head><body>\n<h1>Unauthorized</h1>\n<p>This server could not verify that you\nare authorized to access the document\nrequested.  Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.</p>\n<p>Additionally, a 401 Unauthorized\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n"
    },
    "msg": "Error in repo"
}

This seems to happen because the failover/reboot of the units invalidates the authentication token. Unfortunately, no reauthentication happens here.

Resetting the connection between both tasks via ansible.builtin.meta: reset_connection isn't working either.

This applies only if authentication is done via user/password. In a playbook where user/password or an access token is used for triggering the upgrade and which then switches to access-token-based auth for checking whether the upgrade was successful, everything works fine.
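The following is an added example, not code from the collection or from the reporter's playbook. It models the failure described above: a username/password session is established, the unit "reboots" (firmware upgrade or HA switchover) and drops every session, and a client that keeps replaying the old cookie gets 401 on every `until` retry, while a client that treats 401 as "session gone" re-authenticates once and the poll succeeds. The FortiGate is a constructed in-memory stand-in so it runs offline; the `/logincheck` form fields (`username`, `secretkey`, `ajax=1`), the `"1"`/`"0"` login response and the session-cookie handling are assumptions about FortiOS's form login and should be checked against your firmware.

```python
import itertools
import json
from urllib.parse import parse_qs, urlencode

UNAUTHORIZED_HTML = ("<html><head><title>401 Unauthorized</title></head>"
                     "<body><h1>Unauthorized</h1></body></html>")


class FakeFortiGate:
    """Constructed in-memory stand-in for a FortiGate REST endpoint (not FortiOS).

    It hands out a session cookie on /logincheck and forgets every session
    when reboot() is called, which is what a firmware upgrade or an HA
    switchover does to the token a persistent httpapi connection is holding.
    """

    def __init__(self, username, password, version):
        self.creds = (username, password)
        self.version = version
        self.sessions = set()
        self.logins = 0               # successful /logincheck calls seen by the device
        self._ids = itertools.count(1)

    def reboot(self, new_version):
        self.sessions.clear()         # every previously issued token is now invalid
        self.version = new_version

    def handle(self, method, path, headers, body):
        """Transport callable: (method, path, headers, body) -> (status, headers, text)."""
        if method == "POST" and path == "/logincheck":
            form = parse_qs(body or "")
            sent = (form.get("username", [None])[0], form.get("secretkey", [None])[0])
            if sent != self.creds:
                return 200, {}, "0"   # assumption: FortiOS answers 200 with body "0" on bad credentials
            self.logins += 1
            cookie = "APSCOOKIE_%d=valid" % next(self._ids)
            self.sessions.add(cookie)
            return 200, {"Set-Cookie": cookie + "; path=/; secure; HttpOnly"}, "1"
        if headers.get("Cookie") not in self.sessions:
            return 401, {}, UNAUTHORIZED_HTML
        if method == "GET" and path == "/api/v2/monitor/system/firmware":
            return 200, {}, json.dumps({"results": {"current": {"version": self.version}}})
        return 404, {}, ""


class FortiSession:
    """Minimal username/password client (example code, not the collection's plugin).

    With relogin_on_401=True a 401 is treated as "the device no longer knows
    this session": a fresh /logincheck is performed and the request is retried
    once. With False it behaves like the reported bug and replays the dead token.
    """

    def __init__(self, transport, username, password, relogin_on_401=True):
        self.transport = transport
        self.username, self.password = username, password
        self.relogin_on_401 = relogin_on_401
        self.cookie = None

    def login(self):
        # Assumption: FortiOS form login (username/secretkey/ajax=1); verify on your firmware.
        body = urlencode({"username": self.username, "secretkey": self.password, "ajax": "1"})
        status, hdrs, text = self.transport(
            "POST", "/logincheck", {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200 or not text.startswith("1"):
            raise PermissionError("FortiGate rejected the credentials")
        self.cookie = hdrs["Set-Cookie"].split(";", 1)[0]   # keep only name=value

    def request(self, method, path, body=None):
        """Return (http_status, body_text); re-authenticates and retries once on 401."""
        for _attempt in range(2):
            if self.cookie is None:
                self.login()
            status, _hdrs, text = self.transport(method, path, {"Cookie": self.cookie}, body)
            if status != 401 or not self.relogin_on_401:
                return status, text
            # Session invalidated by reboot/failover: drop it so the next pass
            # logs in again instead of replaying the dead cookie on every retry.
            self.cookie = None
        return status, text


def run_scenario(relogin_on_401):
    """Mirror the two tasks from the issue: an upgrade that reboots the unit, then
    polling the firmware version. Returns (statuses seen while polling, version
    read, number of logins the device saw)."""
    fgt = FakeFortiGate("admin", "s3cret", "v7.0.12")          # constructed credentials/version
    client = FortiSession(fgt.handle, "admin", "s3cret", relogin_on_401)
    client.request("GET", "/api/v2/monitor/system/firmware")   # task 1 authenticates the session
    fgt.reboot("v7.2.5")                                        # firmware upgrade: all sessions dropped
    statuses, version = [], None
    for _retry in range(3):                                     # the playbook's until/retries loop
        status, text = client.request("GET", "/api/v2/monitor/system/firmware")
        statuses.append(status)
        if status == 200:
            version = json.loads(text)["results"]["current"]["version"]
            break
    return statuses, version, fgt.logins


if __name__ == "__main__":
    print("dead token replayed:", run_scenario(False))   # ([401, 401, 401], None, 1)
    print("re-login on 401    :", run_scenario(True))    # ([200], 'v7.2.5', 2)
```

The point the two runs make is that the `until`/`retries` loop cannot help on its own: each retry reuses the connection's stored session, so once the unit has rebooted every attempt is answered with the same 401 until something performs a new login. Against a real device the `transport` callable would be replaced by an HTTPS client that also sends the `ccsrftoken` cookie value as `X-CSRFTOKEN` on POST requests (the upgrade call), which this GET-only example does not need.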

foxpatil commented 1 year ago

Hello @Serazio,

Do you have a playbook which works for a single FortiGate host upgrade?