Ansible ASA Incompatible ssh peer (no acceptable kex algorithm)

03-25-2020 09:37 AM - edited 03-25-2020 10:11 AM
I am trying to run this playbook (see below) to get some show commands off of our ASA systems. We googled and searched Stack Overflow and tried all the recommendations but no success. When I run a raw command "ansible ASA -m -a "show vpn-session detail" -u rancid -k" it just hangs and I have to ctrl-c. We tried every possible upgrade to ansible, python, paramiko and no luck. We added cipher, kex etc. to the sshd_config and no luck; I switched the connection: from local to network_cli and we cannot get this to run. IOS based stuff works fine with playbooks and raw mode.
[root@ohsyslog1 ~]# ansible-playbook asa-stats-vpn-rev1.yml -u anemeth -k
SSH password:
PLAY [Get_Stats] *************************************************************************************************************************
TASK [show_commands] *********************************************************************************************************************
fatal: [USCRL-AC1]: FAILED! => {"msg": "Incompatible ssh peer (no acceptable kex algorithm)"}
to retry, use: --limit @/root/asa-stats-vpn-rev1.retry
PLAY RECAP *******************************************************************************************************************************
USCRL-AC1 : ok=0 changed=0 unreachable=0 failed=1
[root@ohsyslog1 ~]# cat asa-stats-vpn-rev1.yml
---
- name: Get_Stats
  hosts: USCRL-AC1
  gather_facts: false
  connection: local
  tasks:
    - name: show_commands
      asa_command:
        commands:
          - show vpn-sessiondb detail   # posted as "show sh vpn-sessiondb detailed" (duplicated "show")
          - show cpu detail
          - show memory
          - show interface outside
      register: print_output
    - debug: var=print_output.stdout_lines
03-25-2020 02:56 PM
Hi @Alex Nemeth,
I just tried the playbook you shared on an old ASA in my lab running 8.2 code and it worked. When I ssh to it I do have to provide the encryption method and cipher or I get the same error you note.
root@7ccc5784353b:/ansible_local# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc cisco@10.1.10.27
Have you tried setting ssh_args in your ansible.cfg file?
[ssh_connection]
ssh_args = -o Ciphers=+aes256-cbc
I did not have to do that, I could run the playbook successfully without the ssh_connection section (and with) but I'm trying to account for our different environments.
Here are the paramiko settings in my ansible.cfg file.
[paramiko_connection]
# http://docs.paramiko.org/en/2.4/api/client.html
# look_for_keys (bool) set to False to disable searching for discoverable private key files in ~/.ssh/
look_for_keys = False
# adds keys and saves them when connecting to a previously-unknown server <--Use with Caution!!!
host_key_auto_add = True
# This timer delay per command executed on remote host can be disabled by setting the value to zero
buffer_read_timeout = 2
Here is the playbook I tried:
root@7ccc5784353b:/ansible_local/cisco_ios# cat asa.yml
---
- name: Get_Stats
  hosts: asa
  gather_facts: false
  connection: local
  vars:
    playbook_name: "Query ASA"
    cli:
      host: "{{ inventory_hostname }}"
      username: "cisco"
      password: "cisco"
      authorize: yes
      auth_pass: "cisco"
  tasks:
    - name: show_commands
      asa_command:
        provider: "{{ cli }}"
        commands:
          - show run
          - show memory
      register: print_output
    - debug: var=print_output.stdout_lines
Here is the output:
root@7ccc5784353b:/ansible_local/cisco_ios# ansible-playbook -i hosts asa.yml

PLAY [Get_Stats] ********************************************************************************************************************

TASK [show_commands] ****************************************************************************************************************
ok: [10.1.10.27]

TASK [debug] ************************************************************************************************************************
ok: [10.1.10.27] => {
    "print_output.stdout_lines": [
        [
            ": Saved",
            ":",
            "ASA Version 8.2(3) ",
            "!",
            "hostname ********asa",
            "enable password 2KFQ encrypted",
            "passwd 2KFQ encrypted",
            "names",
            "!",
            "interface Ethernet0/0",
            "!",
            "interface Ethernet0/1",
            " shutdown",
            "!",
            "interface Ethernet0/2",
            " shutdown",
            "!",
            "interface Ethernet0/3",
            " shutdown",
            "!",
            "interface Ethernet0/4",
            " shutdown",
            "!",
            "interface Ethernet0/5",
            " shutdown",
            "!",
            "interface Ethernet0/6",
            " shutdown",
            "!",
            "interface Ethernet0/7",
            " shutdown",
            "!",
            "interface Vlan1",
            " nameif inside",
            " security-level 100",
            " ip address dhcp ",
            "!",
            "ftp mode passive",
            "pager lines 24",
            "mtu inside 1500",
            "icmp unreachable rate-limit 1 burst-size 1",
            "no asdm history enable",
            "arp timeout 14400",
            "timeout xlate 3:00:00",
            "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02",
            "timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00",
            "timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00",
            "timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute",
            "timeout tcp-proxy-reassembly 0:01:00",
            "dynamic-access-policy-record DfltAccessPolicy",
            "aaa authentication ssh console LOCAL ",
            "no snmp-server location",
            "no snmp-server contact",
            "snmp-server enable traps snmp authentication linkup linkdown coldstart",
            "crypto ipsec security-association lifetime seconds 28800",
            "crypto ipsec security-association lifetime kilobytes 4608000",
            "telnet timeout 5",
            "ssh 10.0.0.0 255.0.0.0 inside",
            "ssh timeout 5",
            "ssh version 2",
            "console timeout 0",
            "",
            "threat-detection basic-threat",
            "threat-detection statistics access-list",
            "no threat-detection statistics tcp-intercept",
            "username admin password f3UhLvUj1QsXsuK7 encrypted",
            "username ******** password 3USUcOPFUiMCO4Jk encrypted privilege 15",
            "!",
            "class-map inspection_default",
            " match default-inspection-traffic",
            "!",
            "!",
            "policy-map type inspect dns preset_dns_map",
            " parameters",
            " message-length maximum client auto",
            " message-length maximum 512",
            "policy-map global_policy",
            " class inspection_default",
            " inspect dns preset_dns_map ",
            " inspect ftp ",
            " inspect h323 h225 ",
            " inspect h323 ras ",
            " inspect ip-options ",
            " inspect netbios ",
            " inspect rsh ",
            " inspect rtsp ",
            " inspect skinny ",
            " inspect esmtp ",
            " inspect sqlnet ",
            " inspect sunrpc ",
            " inspect tftp ",
            " inspect sip ",
            " inspect xdmcp ",
            "!",
            "service-policy global_policy global",
            "prompt hostname context ",
            "call-home",
            " profile CiscoTAC-1",
            " no active",
            " destination address http https://tools.********.com/its/service/oddce/services/DDCEService",
            " destination address email callhome@********.com",
            " destination transport-method http",
            " subscribe-to-alert-group diagnostic",
            " subscribe-to-alert-group environment",
            " subscribe-to-alert-group inventory periodic monthly",
            " subscribe-to-alert-group configuration periodic monthly",
            " subscribe-to-alert-group telemetry periodic daily",
            "Cryptochecksum:b0498b77f1b5fafefff5e6c19e",
            ": end"
        ],
        [
            "Free memory: 124301632 bytes (46%)",
            "Used memory: 144133824 bytes (54%)",
            "------------- ----------------",
            "Total memory: 268435456 bytes (100%)"
        ]
    ]
}

PLAY RECAP **************************************************************************************************************************
10.1.10.27 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
root@7ccc5784353b:/ansible_local/cisco_ios#
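Why the negotiation in the error above fails, and what the `-oKexAlgorithms=+...` / `-c` opt-in from the reply changes, as an added example that is not code from either poster. It implements the RFC 4253 name-list encoding and the client-preference rule SSH clients use to pick an algorithm; the server's advertised lists are constructed to mirror what the lab ASA required (diffie-hellman-group1-sha1, aes256-cbc), not captured from a real device.

```python
# Added example: SSH key-exchange negotiation (RFC 4253 section 7.1) on constructed
# name-lists. Shows how a modern client's defaults end in "no acceptable kex algorithm"
# against a legacy peer, and how explicitly opting in to the legacy algorithms resolves it.
import struct

def parse_name_list(buf: bytes, offset: int = 0):
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, offset)
    raw = buf[offset + 4: offset + 4 + length]
    names = raw.decode("ascii").split(",") if raw else []
    return names, offset + 4 + length

def encode_name_list(names):
    """Encode a list of algorithm names as an SSH name-list."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def negotiate(client_prefs, server_prefs):
    """Pick the first client-preferred algorithm the server also supports; None means failure."""
    for algo in client_prefs:
        if algo in server_prefs:
            return algo
    return None

# Constructed fragment of a server KEXINIT: just the kex and cipher name-lists.
SERVER_KEXINIT = (encode_name_list(["diffie-hellman-group1-sha1"])
                  + encode_name_list(["aes256-cbc", "3des-cbc"]))

# Constructed modern client defaults (no legacy group1 kex, no CBC ciphers).
MODERN_CLIENT_KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256",
                     "diffie-hellman-group-exchange-sha256"]
MODERN_CLIENT_CIPHERS = ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-ctr"]

def diagnose(client_kex, client_ciphers, server_kexinit=SERVER_KEXINIT):
    """Return (kex, cipher) chosen against the server's advertised lists; None marks a failed slot."""
    server_kex, off = parse_name_list(server_kexinit)
    server_ciphers, _ = parse_name_list(server_kexinit, off)
    return negotiate(client_kex, server_kex), negotiate(client_ciphers, server_ciphers)

if __name__ == "__main__":
    # Default client: kex fails first, which is the error Ansible/paramiko reported.
    print("default client:", diagnose(MODERN_CLIENT_KEX, MODERN_CLIENT_CIPHERS))
    # Equivalent of: ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c aes256-cbc
    print("legacy opt-in:", diagnose(MODERN_CLIENT_KEX + ["diffie-hellman-group1-sha1"], ["aes256-cbc"]))
```

The same rule explains why `+aes256-cbc` in ssh_args is an append rather than a replacement: the client keeps its modern preferences first and only falls back to the legacy cipher for peers that offer nothing else.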
06-23-2020 05:26 PM - edited 06-23-2020 05:29 PM
Thank you, it has been a while since I was able to resume ansible. Let me try your parameters and I will post the results shortly when I get a free moment. The ASAs I am trying to connect to are 5545-X running 9.12(2) code.
