
Configure IAP via Ansible

  • 1.  Configure IAP via Ansible

    Posted Aug 29, 2019 09:39 AM

    Hello

     

    We are trying to automate deploying office IAP locations.

    I am trying to do this via Ansible, but I am experiencing some issues connecting to my test IAP via SSH.

    SSH itself works perfectly fine, but as soon as I want to initiate some tasks I'm getting socket timeouts. I managed to only find a few articles regarding this issue, but none were about IAP's.

     

    The error I'm getting:

     

    The full traceback is:
    Traceback (most recent call last):
      File "/usr/bin/ansible-connection", line 70, in start
        self.connection._connect()
      File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/network_cli.py", line 318, in _connect
        newline=self._terminal.terminal_inital_prompt_newline)
      File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/network_cli.py", line 393, in receive
        data = self._ssh_shell.recv(256)
      File "/usr/lib/python2.7/dist-packages/paramiko/channel.py", line 615, in recv
        raise socket.timeout()
    timeout
    fatal: [172.29.23.57]: FAILED! => {
        "msg": ""
    }
    to retry, use: --limit @/etc/ansible/iap_playbook.retry

     

    Does anyone have any experience with configuring IAP's via Ansible and is familiar with this issue?



  • 2.  RE: Configure IAP via Ansible

    MVP GURU
    Posted Aug 29, 2019 11:02 AM

    Hi Janv,

     

    What release of IAP are you using?

    Because there is now an API on IAP... it will be easier and better...



  • 3.  RE: Configure IAP via Ansible

    Posted Aug 30, 2019 11:51 AM

    Hello Alagoutte

     

    testIAP1# show version
    Aruba Operating System Software.
    ArubaOS (MODEL: 305), Version 6.5.4.3
    Website: http://www.arubanetworks.com
    (c) Copyright 2017 Hewlett Packard Enterprise Development LP.
    Compiled on 2017-10-19 at 18:44:44 PDT (build 61959) by p4build
    FIPS Mode :disabled

    AP uptime is 2 days 6 hours 26 minutes 45 seconds
    Reboot Time and Cause: AP rebooted caused by cold HW reset(power loss)

     

     

    We are trying to find a way to either prepare a config file locally on the Ansible host and push that config file to the new IAP, or push config commands to the IAP via Ansible.



  • 4.  RE: Configure IAP via Ansible

    MVP GURU
    Posted Sep 02, 2019 06:26 AM

    API is not available with release 6.5 (need to upgrade to 8.5)

     

    But why are you not using AirWave?

    Did you have a look at cli_command for Ansible?



  • 5.  RE: Configure IAP via Ansible

    Posted Sep 02, 2019 07:30 AM

    Hello Alagoutte

     

    We do have AirWave but we are looking for a different.

    We basically are trying to automate some basic tasks done by our support team (set-up vpn's on Cisco ASA's, perform pfsense firewall upgrades, ...) All these have been implemented via Ansible and work fine.

     

    In this case we are hitting a wall with IAP's. I tried the cli_command module, but it results in the same error.



  • 6.  RE: Configure IAP via Ansible

    EMPLOYEE
    Posted Sep 03, 2019 06:14 PM

    Hi Janv,

     

    Like mentioned earlier, IAP software version 8.5 and above have REST APIs and we have the sample playbooks for the same.

     

    Link to REST API based Ansible Modules and Playbooks

    Public Ansible Github Repo :- https://github.com/aruba/aruba-ansible-modules

    IAP Sample Playbook :- https://github.com/aruba/aruba-ansible-modules/tree/master/example_playbooks/aruba_instant

     

    In case you would still like to take the CLI-based approach, you could try using the aruba_command and aruba_config Ansible modules from Ansible Galaxy.

    As this module is primarily made for Aruba switches and Aruba controllers, there might be some minor tweaks required. In order to execute commands over SSH, the prompt of the device needs to match a pattern so the program understands that the executed command is complete and it is ready for the next command. That might be one of the reasons you get the timeout error.

     

    For example, I have tried aruba_command ansible module to execute show commands in IAP with this change. 

     

    Change for IAP CLI terminal prompt

    Execute “ansible --version” command and obtain the "ansible python module location".

    - Go to “/plugins/terminal” folder and edit the aruba.py file.

    - replace the variable "terminal_stdout_re" with the following

     

        terminal_stdout_re = [
            re.compile(br"[\r\n]?[\w]*\(.+\) ?#(?:\s*)$"),
            re.compile(br"[\r\n]?[\w]*\(.+\)\s*[\^\*]?(?:\[.+\])? ?#(?:\s*)$"),
            re.compile(br"[pP]assword:$"),
            re.compile(br"(?<=\s)[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\s*#\s*$"),
            re.compile(br"[\r\n]?[\w\+\-\.:\/\[\]]+(?:\([^\)]+\)){0,3}(?:[>#]) ?$"),
            re.compile(br"^([\w\W]*)?#\s*$")
        ]

     

    In case you would like to try the CLI for an Aruba Controller, make this fix manually in your Ansible installation. (Fix:- AOS8 controller based ansible bug and commit)

     

    Sample Aruba_command IAP playbook (CLI based):

    - name:  Sample SSH based IAP playbook 
      hosts: iapmesh
      connection: local
      gather_facts: no
      vars_files:
        - variables.yml
      tasks:
         - name: run show aps command on Instant AP
           aruba_command:
             commands: show aps
             interval: 300
             provider: "{{ provider }}"
           register: aps_output
           ignore_errors: yes

    Thanks,

    Karthik
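
To check which of the patterns from the post above recognise a given prompt, this added example (not part of the original thread, nor Ansible or Aruba code) runs them over constructed receive buffers. It assumes the connection plugin tests each pattern with `search()` against the buffered device output; `testIAP1#` is the prompt shown earlier in the thread, while the other buffers and the helper names are made up for illustration.

```python
import re

# The six patterns from the post above, in the same order (index 0..5).
TERMINAL_STDOUT_RE = [
    re.compile(br"[\r\n]?[\w]*\(.+\) ?#(?:\s*)$"),
    re.compile(br"[\r\n]?[\w]*\(.+\)\s*[\^\*]?(?:\[.+\])? ?#(?:\s*)$"),
    re.compile(br"[pP]assword:$"),
    re.compile(br"(?<=\s)[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\s*#\s*$"),
    re.compile(br"[\r\n]?[\w\+\-\.:\/\[\]]+(?:\([^\)]+\)){0,3}(?:[>#]) ?$"),
    re.compile(br"^([\w\W]*)?#\s*$"),
]

# Constructed receive buffers (not captured from a device).
SAMPLES = {
    "iap_prompt": b"\r\ntestIAP1# ",            # hostname prompt seen in this thread
    "controller_prompt": b"\r\n(host) #",       # assumed controller-style prompt
    "password_prompt": b"Password:",
    "partial_output": b"banner line one\r\n#####",  # output that merely ends in '#'
}


def matching_patterns(buffer, patterns=TERMINAL_STDOUT_RE):
    """Return the indexes of the patterns that treat `buffer` as ending in a prompt."""
    return [i for i, rx in enumerate(patterns) if rx.search(buffer)]


def is_prompt(buffer, patterns=TERMINAL_STDOUT_RE):
    """True if any pattern matches, i.e. the command would be considered complete."""
    return bool(matching_patterns(buffer, patterns))


def report(patterns=TERMINAL_STDOUT_RE):
    """Map each sample name to the pattern indexes that match it."""
    return {name: matching_patterns(buf, patterns) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    print("all six patterns:")
    for name, hits in report().items():
        print("  %-18s matched by %s" % (name, hits or "nothing (read would time out)"))

    # Same check without the final catch-all pattern.
    print("without the last pattern:")
    for name, hits in report(TERMINAL_STDOUT_RE[:5]).items():
        print("  %-18s matched by %s" % (name, hits or "nothing (read would time out)"))
```

The last pattern matches any buffer that ends in `#`, so device output that happens to end in `#` is also treated as a prompt, as the `partial_output` result shows.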

     



  • 7.  RE: Configure IAP via Ansible

    Posted Sep 04, 2019 05:53 AM

    Hello Karthik

     

    Thank you for the suggestions.

    I decided to drop the CLI approach.

    I upgraded my IAP-305 to version 8.5 and decided to go via the REST API approach.

    I am running into some issues however.

    POST methods are failing when I run them using the arubainstant_config module

     

    msg: API Call failed! Exception during api call, reason: Status

     

    When I check the IAP via the GUI I can see however that the POST method was actually performed, but Ansible is just giving me this failed message and I am not sure why.

     

    my playbook:

     

    - name: Show existing network
      hosts: all
      connection: local
      gather_facts: no
      tasks:

        - name: Change the hostname of a particular IAP
          arubainstant_config:
            host: 172.29.23.57
            username: admin
            password: Admin
            method: POST
            api_type: action
            api_name: hostname
            data: { "iap_ip_addr": "172.29.23.57", "hostname_info": {"hostname": "testAnsible2"}}

     



  • 8.  RE: Configure IAP via Ansible

    MVP GURU
    Posted Sep 09, 2019 03:18 AM

    Is the IAP not managed by AirWave?

    Can you enable more verbose output when launching the playbook? (add the -v parameter)



  • 9.  RE: Configure IAP via Ansible

    EMPLOYEE
    Posted Sep 09, 2019 02:48 PM

    Hi Janv,

    I tried to simulate the scenario on my testbed and I wanted to know the following. Please confirm if you have allowed REST API on your IAP.

    In order to access APIs on IAP (8.5 onwards), one needs to allow REST APIs through the CLI. The configuration on IAP is as follows:

     

    IAP# config terminal
    IAP# allow-rest-api
    IAP# end
    IAP# commit apply

    After you have allowed APIs, try to rerun the playbook and let me know if it works for you or if you see the same error.

     

    Thanks,

    Jay