Ansible ASA Incompatible ssh peer (no acceptable kex algorithm)

Alex Nemeth

I am trying to run this playbook (see below) to get some show commands off of our ASA systems. We googled and searched Stack Overflow and tried all the recommendations, but with no success. When I run a raw command, `ansible ASA -m -a "show vpn-session detail" -u rancid -k`, it just hangs and I have to Ctrl-C. We tried every possible upgrade of Ansible, Python and Paramiko with no luck. We added cipher, kex, etc. to the sshd_config with no luck. I switched the connection from local to network_cli, and we still cannot get this to run. IOS-based devices work fine with playbooks and in raw mode.

[root@ohsyslog1 ~]# ansible-playbook asa-stats-vpn-rev1.yml -u anemeth -k

SSH password:

 

PLAY [Get_Stats] *************************************************************************************************************************

 

TASK [show_commands] *********************************************************************************************************************

fatal: [USCRL-AC1]: FAILED! => {"msg": "Incompatible ssh peer (no acceptable kex algorithm)"}

        to retry, use: --limit @/root/asa-stats-vpn-rev1.retry

 

PLAY RECAP *******************************************************************************************************************************

USCRL-AC1                  : ok=0    changed=0    unreachable=0    failed=1

 

 

[root@ohsyslog1 ~]# cat asa-stats-vpn-rev1.yml

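---
# Collect a fixed set of show commands from the ASA and print the result.
# NOTE(review): the "Incompatible ssh peer (no acceptable kex algorithm)"
# message quoted in the question is paramiko's wording, which suggests that
# with connection: local the asa_command module opens its own paramiko session
# rather than going through OpenSSH — confirm before tuning [ssh_connection]
# ssh_args, which only the ssh connection plugin reads.
- name: Get_Stats
  hosts: USCRL-AC1
  gather_facts: false
  connection: local

  tasks:
    - name: show_commands
      asa_command:
        commands:
          # was "show sh vpn-sessiondb detailed": the stray "sh" token is not
          # valid ASA syntax and the keyword is "detail", so the task would
          # fail on the device once the transport problem is solved.
          - show vpn-sessiondb detail
          - show cpu detail
          - show memory
          - show interface outside
      register: print_output

    # Prints everything the device returned into the play log.
    - debug: var=print_output.stdout_lines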


Claudia de Luna

Hi @Alex Nemeth,

 

I just tried the playbook you shared on an old ASA in my lab running 8.2 code, and it worked. When I ssh to it I do have to provide the key-exchange algorithm and the cipher, or I get the same error you note.

 

root@7ccc5784353b:/ansible_local# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc cisco@10.1.10.27

Have you tried setting ssh_args in your ansible.cfg file?

 

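[ssh_connection]
# The OpenSSH option is spelled "Ciphers"; the original "Cipers" is rejected
# by ssh as a bad configuration option. "+" appends the legacy CBC cipher to
# the default list instead of replacing the list.
# NOTE(review): the interactive ssh command above also needed
# KexAlgorithms=+diffie-hellman-group1-sha1; if the play really goes through
# OpenSSH, that option would have to be added here as well. Both re-enable
# weak algorithms, so scope them to the legacy devices (per-host
# ansible_ssh_common_args in host_vars, or a Host stanza in ~/.ssh/config)
# rather than to every host in ansible.cfg, and drop them once the ASA side
# is updated.
# NOTE(review): the "Incompatible ssh peer" error quoted in the question is
# paramiko's wording; the paramiko transport does not read ssh_args, so
# confirm which connection plugin the play actually uses.
ssh_args = -o Ciphers=+aes256-cbc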

I did not have to do that; I could run the playbook successfully without the ssh_connection section (and with it), but I'm trying to account for our different environments.

 

Here are the paramiko settings in my ansible.cfg file.

 

[paramiko_connection]
# http://docs.paramiko.org/en/2.4/api/client.html
# look_for_keys (bool): False disables searching ~/.ssh/ for discoverable
# private key files, so only the explicitly supplied credentials are tried.
look_for_keys = False
# host_key_auto_add: accepts and saves the key of any previously-unknown
# server on first contact, i.e. there is no host-key verification for new
# hosts (trust-on-first-use). Use with caution — outside a lab, pre-populate
# known_hosts and set this to False so an unknown or changed key is refused.
host_key_auto_add = True
# buffer_read_timeout: per-command read delay on the remote host; setting the
# value to zero disables the delay.
buffer_read_timeout = 2

 

Here is the playbook I tried:

root@7ccc5784353b:/ansible_local/cisco_ios# cat asa.yml
---

- name: Get_Stats

  hosts: asa
  gather_facts: false
  # Legacy "provider" style: the play runs locally and asa_command opens its
  # own session to the device using the cli dict below.
  connection: local

  vars:
    playbook_name: "Query ASA"
    # NOTE(review): lab values. Literal usernames and passwords (including
    # auth_pass) in a committed playbook end up in version control and in
    # logs; keep them in an ansible-vault encrypted vars file or use
    # vars_prompt instead.
    cli:
      host: "{{ inventory_hostname }}"
      username: "cisco"
      password: "cisco"
      authorize: yes
      auth_pass: "cisco"

  tasks:
    - name: show_commands
      asa_command:
        provider: "{{ cli }}"
        # "show run" returns the full configuration, including usernames and
        # password hashes (visible in the output below); registering and
        # printing it writes all of that into the play log.
        commands:
          -  show run
          -  show memory

      register:  print_output

    # Prints the registered output verbatim; consider no_log or a narrower
    # command set when this runs outside a lab.
    - debug: var=print_output.stdout_lines

Here is the output:

root@7ccc5784353b:/ansible_local/cisco_ios# ansible-playbook -i hosts asa.yml

PLAY [Get_Stats] ********************************************************************************************************************

TASK [show_commands] ****************************************************************************************************************
ok: [10.1.10.27]

TASK [debug] ************************************************************************************************************************
ok: [10.1.10.27] => {
    "print_output.stdout_lines": [
        [
            ": Saved",
            ":",
            "ASA Version 8.2(3) ",
            "!",
            "hostname ********asa",
            "enable password 2KFQ encrypted",
            "passwd 2KFQ encrypted",
            "names",
            "!",
            "interface Ethernet0/0",
            "!",
            "interface Ethernet0/1",
            " shutdown",
            "!",
            "interface Ethernet0/2",
            " shutdown",
            "!",
            "interface Ethernet0/3",
            " shutdown",
            "!",
            "interface Ethernet0/4",
            " shutdown",
            "!",
            "interface Ethernet0/5",
            " shutdown",
            "!",
            "interface Ethernet0/6",
            " shutdown",
            "!",
            "interface Ethernet0/7",
            " shutdown",
            "!",
            "interface Vlan1",
            " nameif inside",
            " security-level 100",
            " ip address dhcp ",
            "!",
            "ftp mode passive",
            "pager lines 24",
            "mtu inside 1500",
            "icmp unreachable rate-limit 1 burst-size 1",
            "no asdm history enable",
            "arp timeout 14400",
            "timeout xlate 3:00:00",
            "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02",
            "timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00",
            "timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00",
            "timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute",
            "timeout tcp-proxy-reassembly 0:01:00",
            "dynamic-access-policy-record DfltAccessPolicy",
            "aaa authentication ssh console LOCAL ",
            "no snmp-server location",
            "no snmp-server contact",
            "snmp-server enable traps snmp authentication linkup linkdown coldstart",
            "crypto ipsec security-association lifetime seconds 28800",
            "crypto ipsec security-association lifetime kilobytes 4608000",
            "telnet timeout 5",
            "ssh 10.0.0.0 255.0.0.0 inside",
            "ssh timeout 5",
            "ssh version 2",
            "console timeout 0",
            "",
            "threat-detection basic-threat",
            "threat-detection statistics access-list",
            "no threat-detection statistics tcp-intercept",
            "username admin password f3UhLvUj1QsXsuK7 encrypted",
            "username ******** password 3USUcOPFUiMCO4Jk encrypted privilege 15",
            "!",
            "class-map inspection_default",
            " match default-inspection-traffic",
            "!",
            "!",
            "policy-map type inspect dns preset_dns_map",
            " parameters",
            "  message-length maximum client auto",
            "  message-length maximum 512",
            "policy-map global_policy",
            " class inspection_default",
            "  inspect dns preset_dns_map ",
            "  inspect ftp ",
            "  inspect h323 h225 ",
            "  inspect h323 ras ",
            "  inspect ip-options ",
            "  inspect netbios ",
            "  inspect rsh ",
            "  inspect rtsp ",
            "  inspect skinny  ",
            "  inspect esmtp ",
            "  inspect sqlnet ",
            "  inspect sunrpc ",
            "  inspect tftp ",
            "  inspect sip  ",
            "  inspect xdmcp ",
            "!",
            "service-policy global_policy global",
            "prompt hostname context ",
            "call-home",
            " profile CiscoTAC-1",
            "  no active",
            "  destination address http https://tools.********.com/its/service/oddce/services/DDCEService",
            "  destination address email callhome@********.com",
            "  destination transport-method http",
            "  subscribe-to-alert-group diagnostic",
            "  subscribe-to-alert-group environment",
            "  subscribe-to-alert-group inventory periodic monthly",
            "  subscribe-to-alert-group configuration periodic monthly",
            "  subscribe-to-alert-group telemetry periodic daily",
            "Cryptochecksum:b0498b77f1b5fafefff5e6c19e",
            ": end"
        ],
        [
            "Free memory:       124301632 bytes (46%)",
            "Used memory:       144133824 bytes (54%)",
            "-------------     ----------------",
            "Total memory:      268435456 bytes (100%)"
        ]
    ]
}

PLAY RECAP **************************************************************************************************************************
10.1.10.27                 : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

root@7ccc5784353b:/ansible_local/cisco_ios#

Hi @Claudia de Luna 

 

Thank you; it has been a while since I was able to resume work on Ansible. Let me try your parameters, and I will post the results shortly when I get a free moment. The ASAs I am trying to connect to are 5545-X running 9.12(2) code.