PaloAltoNetworks/pan-os-ansible

panos ipsec proxyid parameter number_proto not optional

siddha1980 opened this issue · 2 comments

Describe the bug

In the module "paloaltonetworks.panos.panos_ipsec_ipv4_proxyid" the parameter "number_proto" is required only when "any_protocol" is of value "true", which is the default value. However, this module expects "number_proto" to be configured irrespective of "any_protocol" being hard set either as "true" or "false".

When running the playbook with this module, I get the error message below:

"An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: No param "number_proto" exists"

Expected behavior

It should not expect "number_proto" parameter unless the value of "any_protocol" is "false"

Current behavior

The exception error message is shown for the scenarios below
"An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: No param "number_proto" exists"

  • "any_protocol" when not configured, takes the value "true" by default.
  • "any_protocol" is hard configured with the value as "true"
  • "any_protocol" configured as "false" and "number_proto" configured with either 6 (tcp) or 17 (udp)

Possible solution

Should not expect any value for "number_proto" when "any_protocol" is configured or left by default for the value "true"

Steps to reproduce

Sample playbook to configure a proxy ID for an IPsec VPN tunnel:
  - name: Proxy-ID for Interesting Traffic1 for ipsec vpn
    panos_ipsec_ipv4_proxyid:
      provider: '{{ provider }}'
      name: 'int_traffic1'
      tunnel_name: 'IPSEC_TUNNEL'
      local: 'x.x.x.x/y'
      remote: 'x.x.x.x/y'

  - name: Proxy-ID for Interesting Traffic1 for ipsec vpn
    panos_ipsec_ipv4_proxyid:
      provider: '{{ provider }}'
      name: 'int_traffic1'
      tunnel_name: 'IPSEC_TUNNEL'
      local: 'x.x.x.x/y'
      remote: 'x.x.x.x/y'
      any_protocol: false
      number_proto: 17

Screenshots

Refer to the sample config provided above.

Context

Could not include all configuration related to an IPSEC VPN tunnel using its dedicated module. At present the proxy-id related segment is configured using the "panos_config_element:" module.

Your Environment

  • Collection:
  • Python: 3.9.12
  • Ansible: 2.13.5
  • PAN-OS Python Library & version (e.g. pandevice 0.14.0, pan-os-python 1.0.2):
    ansible==6.5.0
    ansible-core==2.13.5
    cffi==1.15.1
    cryptography==38.0.1
    Jinja2==3.1.2
    MarkupSafe==2.1.1
    packaging==21.3
    pan-os-python==1.7.3
    pan-python==0.17.0
    pycparser==2.21
    pyparsing==3.0.9
    PyYAML==6.0
    resolvelib==0.8.1

Collection Version


ansible.netcommon 3.1.1
ansible.utils 2.6.1
cisco.ios 3.3.2
cisco.nxos 4.1.0
paloaltonetworks.panos 3.0.0

🎉 Thanks for opening your first issue here! Welcome to the community!

Hi @siddha1980, I believe this is fixed. The following playbook with your code works on 2.17.6, and was fixed in 2.13.1 I believe:

  tasks:
    - name: Proxy-ID for Interesting Traffic1 for ipsec vpn
      paloaltonetworks.panos.panos_ipsec_ipv4_proxyid:
        provider: '{{ device }}'
        name: 'int_traffic1'
        tunnel_name: 'IPSEC_TUNNEL'
        local: '1.1.1.1/24'
        remote: '2.2.2.2/24'

    - name: Proxy-ID for Interesting Traffic2 for ipsec vpn
      paloaltonetworks.panos.panos_ipsec_ipv4_proxyid:
        provider: '{{ device }}'
        name: 'int_traffic2'
        tunnel_name: 'IPSEC_TUNNEL'
        local: '1.1.1.1/24'
        remote: '2.2.2.2/24'
        any_protocol: false
        number_proto: 17

Please try a recent version (note 3.0.0 was an erroneous release) and if the problem persists, please reopen this issue.
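The behaviour requested in this issue, written as a stand-alone pre-flight check over task arguments (an added example, not code from the issue or from the paloaltonetworks.panos collection). The function names, the accepted boolean spellings, the 0-255 range and the finding raised when number_proto accompanies any_protocol=true are assumptions of this example.

```python
# Added example: pre-flight lint for panos_ipsec_ipv4_proxyid task arguments.
# It encodes the behaviour the issue asks for; it is not the collection's code.
TRUTHY = {"true", "yes", "on", "1"}
FALSY = {"false", "no", "off", "0"}

def to_bool(value, default):
    """Coerce YAML/Ansible-style booleans; None means the key was not set."""
    if value is None or isinstance(value, bool):
        return default if value is None else value
    text = str(value).strip().lower()
    if text in TRUTHY | FALSY:
        return text in TRUTHY
    raise ValueError(f"not a boolean: {value!r}")

def check_proxyid_args(args):
    """Return a list of problems for one task's argument dict."""
    try:
        any_protocol = to_bool(args.get("any_protocol"), default=True)
    except ValueError as exc:
        return [f"any_protocol: {exc}"]
    proto = args.get("number_proto")
    if any_protocol:
        # Lint choice of this example: a protocol number next to any_protocol=true
        # suggests the author meant a narrower proxy ID than the task requests.
        if proto is not None:
            return ["number_proto is set but any_protocol is true; set any_protocol: false"]
        return []
    if proto is None:
        return ["number_proto is required when any_protocol is false"]
    try:
        number = int(proto)
    except (TypeError, ValueError):
        return [f"number_proto is not an integer: {proto!r}"]
    if not 0 <= number <= 255:  # the IP protocol field is 8 bits wide
        return [f"number_proto out of range: {number}"]
    return []

# Constructed sample input, modelled on the tasks in the issue.
SAMPLE_TASKS = [
    {"name": "int_traffic1", "tunnel_name": "IPSEC_TUNNEL"},
    {"name": "int_traffic2", "any_protocol": False, "number_proto": 17},
    {"name": "int_traffic3", "tunnel_name": "IPSEC_TUNNEL", "number_proto": 6},
]

if __name__ == "__main__":
    for task in SAMPLE_TASKS:
        print(task["name"], check_proxyid_args(task) or "ok")
```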