Closed meandus closed 6 years ago
same error after creating PEER object manually
The error is related to the configuration - there are two peer types that you can specify 'engine' or 'external_bgp_peer'. In your example above you are using 'engine' which is expecting the name of a firewall engine. Change this to look like:
    "bgp_peering": [
        {
            "external_bgp_peer": "PEER_NC1_to_Store13",
            "interface_id": "1013",
            "name": "Store13_to_phmbun1fmuta"
        },
        {
            "external_bgp_peer": "PEER_NC2_to_Store13",
            "interface_id": "2013",
            "name": "Store13_to_phmbun2fmuta"
        }
    ],
Since it is possible to do BGP between two SMC managed devices, engine is also an option to a 3rd party external bgp peer.
I just grabbed it with engine_facts and changed it to create a new node.
Goal is also to create the external_bgp_peer but impossible to specify the destination IP of the peer ... and comment as well ;)
so the bug is in Engine_facts (engine instead of external_bgp_peer)
I just tried the latest posted engine_facts.yml and it appears to display the output properly:
image https://user-images.githubusercontent.com/14811349/37533698-9607817c-2910-11e8-90a6-d37b087883c0.png
Here is the yaml:
    bgp_peering:
    - external_bgp_peer: bgppeer
      interface_id: '21.21'
      name: bgppeering
      network: 22.22.22.0/24
    - engine: jackson
      interface_id: '67'
      name: bgppeering
      network: 67.67.67.0/24
Can you confirm you have the latest engine_facts?
Understood on creating the BGP Peer. I will add this capability to simplify this.
Wow, that one is pretty different from mine.
I have no interface, no IP.
I confirm, I did update on both pack this morning.
What about BGP elements like route map, IP prefix, external BGP peer? Is it possible to have an example to create them?
RÉMY
-rw-r--r--. 1 adminappli users 6207 Mar 16 18:06 l3fw_cluster.yml
    bgp_peering:
    - engine: PEER_NC1
      interface_id: '1014'
      name: XXXX
    - engine: PEER_NC2
      interface_id: '2014'
      name: XXXX
    bgp_profile: Default BGP Profile
    enabled: true
    router_id: null
PEER_NC1 & PEER_NC2 are external_bgp_peer objects
version is latest downloaded this morning from master branch
Do you have the latest engine_facts.yml? https://github.com/gabstopper/ansible-stonesoft/blob/master/library/engine_facts.py
Also, which version of SMC are you using? Just want to verify, I'm suspecting maybe the SMC version might be slightly older and the routing element type is not in that version. If you can verify I can adjust on my end if necessary.
ok, I have fixed this issue, it appears you may be using an older (i.e. SMC < 6.3.x) version. This will be part of next commit.
Yes, I'm using 6.2.2 right now
Ok. This is resolved in the latest commit. There was an attribute in earlier versions that was not supported so the default behavior was to interpret as engine. For peers, I've almost finished a module that allows you to create all bgp elements, this will be complete and posted Monday.
Hi
Very good! Let me know when it's posted.
RÉMY POUCHAIN.
Hi Remy, I have bgp_element posted, along with an example yaml file. I haven't finished the docs quite yet but those along with bgp_element_facts will be coming shortly. This module will allow you to create all bgp element types. See this yaml for an example for each of the element types: https://github.com/gabstopper/ansible-stonesoft/blob/master/playbooks/bgp_element.yml
You will also need to update smc-python as well. I will complete the bgp_element_facts and docs soon so I can start the interface schema changes.
For IP prefix lists, it is also best to select an object, to avoid creating a static object.
Need to specify route-map in bgppeering and connection profile.
Minimum mask length in prefix is not a mandatory field in SMC; it should be the same for Maximum.
RÉMY POUCHAIN.
"module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 229, in <module>\n main()\n File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 226, in main\n StonesoftBGPElement()\n File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 54, in __init__\n super(StonesoftBGPElement, self).__init__(self.module_args, supports_check_mode=True)\n File \"/tmp/ansible_fuCzMq/ansible_modlib.zip/ansible/module_utils/stonesoft_util.py\", line 367, in __init__\n File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 73, in exec_module\n if self.create_or_update_element(element):\n File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 114, in create_or_update_element\n with_status=True, **values)\n File \"/usr/lib/python2.7/site-packages/smc_python-0.6.1_dev.201802262117-py2.7.egg/smc/routing/access_list.py\", line 131, in update_or_create\n print(\"Class view: %s not in: %s\" % cls._view(**entry))\nTypeError: not all arguments converted during string formatting\n",
"module_stdout": "Entry: {'action': 'permit', 'subnet': 'XX.XX.XX.XX/23', 'max_prefix_length': 32, 'min_prefix_length': 24}\n",
"msg": "MODULE FAILURE",
    - ip_prefix_list:
        name: PREFIX_LIST_FW13   <== this name does not work (accepted by SMC)
        entries:
          - subnet: 1.1.1.0/23
            min_prefix_length: 24   <== i don't want to specify this and need to be greater than mask (not mandatory in SMC)
            max_prefix_length: 32
            action: permit
          - subnet: 2.2.2.0/23
            min_prefix_length: 24   <== i don't want to specify this and need to be greater than mask
            max_prefix_length: 32
            action: permit
Ahh, I didn't realize the prefix mask lengths were optional. I just verified that indeed they are. I will fix this and the errant print bug real quick so you can continue.
I just verified, I already support not using those fields in the smc-python API so will make an adjustment to current bgp_element mod. Posting back shortly.
And a little support for group instead of subnet will be appreciated ;)
Hi Remy, I will put that feature request in to the SMC team (i.e. adding groups as the subject of an access list entry).
Ok latest ansible commit c863422 posted. That will remove the ip prefix list check for min/max prefixes. Latest smc-python removes the errant print in the new update_or_create access list function. This will all be rolled up into an official smc-python release once I work through the interface schema next.
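Added example, not part of the original thread and not code from ansible-stonesoft or smc-python: a pre-flight check for ip_prefix_list entries shaped like the ones above, with both length bounds optional, plus a dry-run of which routes the list would permit. It assumes conventional ge/le prefix-list semantics, first-match evaluation and an implicit deny (SMC's own behaviour may differ), takes the "minimum greater than mask" rule from the comment above, and uses constructed function names and addresses.

```python
import ipaddress

# Constructed sample in the shape of the ip_prefix_list entries above.
# The second entry leaves out both optional length bounds.
PREFIX_LIST = [
    {"subnet": "10.13.0.0/23", "min_prefix_length": 24,
     "max_prefix_length": 32, "action": "permit"},
    {"subnet": "10.14.0.0/16", "action": "permit"},
]


def validate_entry(entry):
    """Return a list of problems found in one entry (empty means usable)."""
    try:
        # strict=True rejects subnets with host bits set, e.g. 10.13.1.0/23
        net = ipaddress.ip_network(entry["subnet"], strict=True)
    except (KeyError, ValueError) as exc:
        return ["bad subnet: %s" % exc]
    problems = []
    if entry.get("action") not in ("permit", "deny"):
        problems.append("action must be 'permit' or 'deny'")
    lo = entry.get("min_prefix_length")
    hi = entry.get("max_prefix_length")
    # Assumption taken from the thread: a minimum, when given, must be
    # longer than the subnet mask itself.
    if lo is not None and not net.prefixlen < lo <= net.max_prefixlen:
        problems.append("min_prefix_length must be in %d..%d"
                        % (net.prefixlen + 1, net.max_prefixlen))
    if hi is not None and not net.prefixlen <= hi <= net.max_prefixlen:
        problems.append("max_prefix_length must be in %d..%d"
                        % (net.prefixlen, net.max_prefixlen))
    if lo is not None and hi is not None and lo > hi:
        problems.append("min_prefix_length exceeds max_prefix_length")
    return problems


def length_bounds(entry, net):
    """Accepted route lengths under the assumed ge/le semantics."""
    lo = entry.get("min_prefix_length")
    hi = entry.get("max_prefix_length")
    if lo is None and hi is None:
        return net.prefixlen, net.prefixlen      # exact-length match only
    return (net.prefixlen if lo is None else lo,
            net.max_prefixlen if hi is None else hi)


def evaluate(prefix_list, route):
    """First matching entry decides; no match is an implicit deny."""
    candidate = ipaddress.ip_network(route)
    for entry in prefix_list:
        net = ipaddress.ip_network(entry["subnet"])
        lo, hi = length_bounds(entry, net)
        if (candidate.version == net.version
                and candidate.subnet_of(net)
                and lo <= candidate.prefixlen <= hi):
            return entry["action"]
    return "deny"


if __name__ == "__main__":
    for number, item in enumerate(PREFIX_LIST):
        print(number, validate_entry(item) or "ok")
    for sample in ("10.13.1.0/24", "10.13.0.0/23", "10.14.5.0/24"):
        print(sample, evaluate(PREFIX_LIST, sample))
```

Running the route check before a playbook run shows how wide a range each entry opens: with a maximum of 32, every more-specific route inside the subnet is accepted.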
Hi Remy, One other thing you might notice, I am adding a better 'state' description when making an ansible run. For example, when you play the bgp_element task, you should see output from the state attribute like the following:
    "state": [
        {
            "action": "created",
            "name": "PREFIX_LIST_FW13",
            "type": "ip_prefix_list"
        },
        {
            "action": "created",
            "name": "myservice2",
            "type": "ip_access_list"
        },
        {
            "action": "created",
            "name": "aprefix",
            "type": "ip_prefix_list"
        },
Or if a change was made:
    "state": [
        {
            "action": "modified",
            "name": "aprefix",
            "type": "ip_prefix_list"
        }
    ]
Or if deleting (delete by setting state: absent and defining at least the bgp_element type and name: {'ip_access_list': {'name'}}):
    "state": [
        {
            "action": "deleted",
            "name": "PREFIX_LIST_FW13",
            "type": "ip_prefix_list"
        },
Sometimes I have a database error. Did you already see this issue?
RÉMY POUCHAIN
I have seen this before - that message would be coming from the SMC API itself. It usually has to do with some sort of invalid input and may be an SMC side bug. Is it reproducible with a specific playbook? i.e. if you re-run the same playbook that causes the error, can you send me the smc.log output? Also, is it related to a specific configuration area (i.e. you're running route VPN modifications, etc).
I can send the smc-log but I have to anonymize stuff
I have this issue when I try to create a lot of elements (>10). And if a task is in error ... the scenario still continues (why?)...
Not sure without seeing the audits. We may have to open a support case on it also. When I've seen this issue occur, it has almost always been due to an issue with the SMC side. If you can send me the task you are running and a snippet of the last payload from smc.log I can try to duplicate on my end.
You know I will update you with a full playbook of bgp running config ;)
But anyway I can provide you my playbook for objects created. I have so many firewalls and objects in the smc, that's why we have some issue.
My question is regarding the result on SMC ... normally a failed status of a task will stop the full scenario. Maybe something is missing for ansible regarding the task status.
RÉMY POUCHAIN.
You are correct, there is an exception handler in every ansible module that would stop the task if an SMC error occurred. It should also print the task status in a msg attribute. If you run with -vvv you will see that message indicated. I can check to see without -vvv what the result looks like. Also, making progress on the new interface schema. Should have that ready soon.
Ok, so far so good. I will update you quickly with error log.
Right now I tested ip prefix list (you have already features needed), external peer ok, bgp peering ok, asn ok, route map (a check rule needed to avoid duplicate) ok.
I can't test access list, community list and ipv6 because I have nothing about this in my config.
RÉMY POUCHAIN
ok thanks Remy! I have tested all and now have a solid framework for unittest before I publish these out. I will push bgp_element_facts soon.
And have you any task for monitoring ... validate tunnels works etc etc ;)
Or do a sh ip bgp sum or sh ip route bgp with filter to check redistribute on quagga ...
RÉMY POUCHAIN
routing_facts should dump the routing table (same that you see when going into SMC->monitoring->routing). On your SMC does this show the BGP routing details? Here is an example: https://github.com/gabstopper/ansible-stonesoft/blob/master/playbooks/routing_facts.yml
For routing table in BGP not sure, because it's managed by quagga :(
Routing table will show the static table but anyway I will ask stonesoft if it's in api.
Monitoring could be interesting to have a good view about vpn tunnels up or not before starting other checks.
RÉMY POUCHAIN.
It will show routing entries created by BGP also from Monitoring->Routing but likely not exactly the same level of detail as quagga. I'd have to test. Also, another option (since we're using Ansible) is a library to make the connection directly to the engine and execute the relevant quagga commands if the API doesn't provide what we need. Also, I have a package smc-python-monitoring that does allow you to query the VPN tunnels as shown from Monitoring->VPN SA's. Maybe that would be adequate?
Yes, right, that's what I do for quagga for peering status and route as well.
Smc monitoring should be a better view, yes. Just to check.
RÉMY POUCHAIN
Hi Remy,
Following up on this one. Do you still need a solution for retrieving routes? Did you see the routing_facts module? There is an example called routing_facts.yml that allows you to query the SMC which will pull all routes as you see in SMC under Monitoring->Routing.
Resolved in latest develop branch
"msg": "Missing external BGP Peering elements: [{'msg': 'Cannot find specified element', 'type': 'single_fw,fw_cluster', 'name': 'PEER_NC1_to_Store13'}, {'msg': 'Cannot find specified element', 'type': 'single_fw,fw_cluster', 'name': 'PEER_NC2_to_Store13'}]"
How can I create a new Peer Element?