DHCP interface IP address must be empty error when creating L3 subinterface-paloaltonetworks.panos 2.13.3
rlison47 opened this issue · 14 comments
Describe the bug
There's a DHCP error when configuring an L3 subinterface: ' dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.869 -> dhcp-client is invalid"} after setting enabled DHCP to false and a static IP.
Expected behavior
An L3 subinterface will be created with a static IP. Below is my Ansible script:

```yaml
- name: 'ae2.869'
  tag: '869'
  template: 'DIF_GEN_7080'
  gathered_filter: '*'
  enable_dhcp: false
  vsys: 'DIF_GEN_PRD_BASTION'
  vr_name: 'BSTN_PRD_1'
  zone_name: 'BTSTN_IN_1'
  ip: ["10.164.241.6/29"]
  management_profile: 'INT_MGMT_PING'
```
Current behavior
Instead of creating an L3 subinterface with a static IP, a DHCP error is prompted: ' dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.869 -> dhcp-client is invalid"}
Context
Need help on the fix as we need this ansible automation for our Panorama FW automation Project in our company
Your Environment
Collection Version
ansible [core 2.14.4]
ansible.netcommon 5.1.0
ansible.posix 1.5.2
ansible.utils 2.9.0
ansible.windows 1.13.0
python version = 3.10.6
paloaltonetworks.panos 2.13.3
🎉 Thanks for opening your first issue here! Welcome to the community!
Hello, any help would be appreciated. Has anyone here experienced the issue regarding the panos_l3_subinterface_module?
Hi @rlison47, I was able to use your code sample successfully. Here is my code which creates the dependencies, then creates the L3 subinterface:
```yaml
---
- name: Palo Alto Networks Playbook
  hosts: '{{ target | default("host_gcprama") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  tasks:
    - name: Create template
      paloaltonetworks.panos.panos_config_element:
        provider: "{{ device }}"
        xpath: "/config/devices/entry[@name='localhost.localdomain']/template"
        element: "<entry name='DIF_GEN_7080'/>"

    - name: Create zone
      paloaltonetworks.panos.panos_zone:
        provider: '{{ device }}'
        zone: 'BTSTN_IN_1'
        mode: 'layer3'
        vsys: "DIF_GEN_PRD_BASTION"
        template: "DIF_GEN_7080"

    - name: Create virtual router
      paloaltonetworks.panos.panos_virtual_router:
        provider: "{{ device }}"
        name: "BSTN_PRD_1"
        vsys: "DIF_GEN_PRD_BASTION"
        template: "DIF_GEN_7080"

    - name: Create aggregate interface
      paloaltonetworks.panos.panos_aggregate_interface:
        provider: "{{ device }}"
        template: "DIF_GEN_7080"
        vsys: "DIF_GEN_PRD_BASTION"
        if_name: ae2
        zone_name: BTSTN_IN_1

    - name: Crate interface_mgmt_profile
      paloaltonetworks.panos.panos_management_profile:
        provider: '{{ device }}'
        name: 'INT_MGMT_PING'
        ping: true
        template: "DIF_GEN_7080"

    - name: Test
      paloaltonetworks.panos.panos_l3_subinterface:
        provider: '{{ device }}'
        name: 'ae2.869'
        tag: '869'
        template: 'DIF_GEN_7080'
        gathered_filter: '*'
        enable_dhcp: false
        vsys: 'DIF_GEN_PRD_BASTION'
        vr_name: 'BSTN_PRD_1'
        zone_name: 'BTSTN_IN_1'
        ip: ["10.164.241.6/29"]
        management_profile: 'INT_MGMT_PING'
```
Note that the template, zone, virtual router, aggregate interface, interface management profile and L3 subinterface did not exist before executing this playbook.
I am using:
paloaltonetworks.panos 2.17.6
pan-os-python 1.11.0
pan-python 0.17.0
Panorama 10.2.4
Note that the `gathered_filter: '*'` line is superfluous and can be removed, because `gathered_filter` is only evaluated if state is set to gathered.
I see you are using version 2.13.3 of the collection, maybe try updating to a recent version and try testing again.
Please reopen this issue if you are still facing issues.
Hello @jamesholland-uk Thank you so much really appreciate your help. I will try to update the panos version and will let you know on the result.
@jamesholland-uk Hello hope you are doing great how can I re open this issue? I tried to upgrade the paloaltonetworks.panos to 2.17.6 but still getting the same error "ae2.869 -> dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.869 -> dhcp-client is invalid"
Can you let us know which version of Panorama PAN-OS you are using please? I was testing with 10.2.4 above.
@jamesholland-uk this is our PAN-OS version 10.1.9-h3
It worked for me on 10.1.9-h3.
Can you share the full task definition please? At the moment I can't replicate the error so I can't suggest a fix or solution.
Have you tried forcefully reinstalling the collection again maybe: ansible-galaxy collection install paloaltonetworks.panos:==2.17.6 --force
@jamesholland-uk it seems my enable_dhcp: false is commented out will try to uncomment this and let you know the result
```yaml
# Configure interfaces
interfaces:
  - name: 'ae2.869'
    tag: '869'
    template: 'DIF_GEN_7080'
    # if_name: 'Ethernet_1'
    gathered_filter: '*'
    # enable_dhcp: false
    vsys: 'DIF_GEN_PRD_BASTION'
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_IN_1'
    ip: ["10.164.241.6/29"]
    # ip: '10.164.241.6/29'
```
@jamesholland-uk I tried to uncomment the enable_dhcp: false, still the same result. May I know if below is the full task you are looking for?
```yaml
# Configure zones
zones:
  - zone: 'BTSTN_IN_1'
    gathered_filter: '*'
    vsys: 'DIF_GEN_PRD_BASTION'
    log_setting: 'None'
    type: 'Layer3'
    template: 'DIF_GEN_7080'
    zone_profile: 'Zone Protection Profile 1'
    # packet_buffer_protection: 'Enabled'
  - zone: 'BTSTN_INET_1'
    gathered_filter: '*'
    vsys: 'DIF_GEN_PRD_BASTION'
    log_setting: 'None'
    type: 'Layer3'
    template: 'DIF_GEN_7080'
    zone_profile: 'Zone Protection Profile 1'
    # packet_buffer_protection: 'Enabled'
  - zone: 'BTSTN_INTRA_1'
    gathered_filter: '*'
    vsys: 'DIF_GEN_PRD_BASTION'
    log_setting: 'None'
    type: 'Layer3'
    template: 'DIF_GEN_7080'
    zone_profile: 'Zone Protection Profile 1'
    # packet_buffer_protection: 'Enabled'

# Configure Virtual Router
virtual_router:
  - name: 'BSTN_PRD_1'
    template: 'DIF_GEN_7080'
    gathered_filter: '*'

# Configure interfaces
interfaces:
  - name: 'ae2.869'
    tag: '869'
    template: 'DIF_GEN_7080'
    # if_name: 'Ethernet_1'
    gathered_filter: '*'
    enable_dhcp: false
    vsys: 'DIF_GEN_PRD_BASTION'
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_IN_1'
    ip: ["10.164.241.6/29"]
    # ip: '10.164.241.6/29'
    management_profile: 'INT_MGMT_PING'
  - name: 'ae2.870'
    tag: '870'
    template: 'DIF_GEN_7080'
    # if_name: 'Ethernet_2'
    gathered_filter: '*'
    enable_dhcp: false
    vsys: 'DIF_GEN_PRD_BASTION'
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_INTRA_1'
    ip: ["10.164.241.14/29"]
    # ip: '10.164.241.14/29'
    management_profile: 'INT_MGMT_PING'
  - name: 'ae2.871'
    tag: '871'
    template: 'DIF_GEN_7080'
    # if_name: 'Ethernet_3'
    vsys: 'DIF_GEN_PRD_BASTION'
    gathered_filter: '*'
    enable_dhcp: false
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_INET_1'
    ip: ["10.164.241.22/29"]
    # ip: '10.164.241.22/29'
    management_profile: 'INT_MGMT_PING'
```
$ ansible --version
ansible [core 2.15.6]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.11/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.11.6 (main, Oct 4 2023, 06:22:18) [GCC 12.2.1 20220924] (/usr/bin/python3)
jinja version = 3.1.2
libyaml = True
$ ansible-galaxy collection list
/root/.ansible/collections/ansible_collections
Collection Version
community.general 8.0.2
paloaltonetworks.panos 2.17.6
$ ansible-playbook --extra-vars "$PANORAMA_CREDS" FW_Definition/main.yml
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
PLAY [Firewall Definition] *****************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [ansible-firewall-manage-zones : Configure zones] *************************
changed: [localhost] => (item={'zone': 'BTSTN_IN_1', 'gathered_filter': '', 'vsys': 'DIF_GEN_PRD_BASTION', 'log_setting': 'None', 'type': 'Layer3', 'template': 'DIF_GEN_7080', 'zone_profile': 'Zone Protection Profile 1'})
changed: [localhost] => (item={'zone': 'BTSTN_INET_1', 'gathered_filter': '', 'vsys': 'DIF_GEN_PRD_BASTION', 'log_setting': 'None', 'type': 'Layer3', 'template': 'DIF_GEN_7080', 'zone_profile': 'Zone Protection Profile 1'})
changed: [localhost] => (item={'zone': 'BTSTN_INTRA_1', 'gathered_filter': '', 'vsys': 'DIF_GEN_PRD_BASTION', 'log_setting': 'None', 'type': 'Layer3', 'template': 'DIF_GEN_7080', 'zone_profile': 'Zone Protection Profile 1'})
TASK [ansible-firewall-manage-virtual-router : Configure virtual router] *******
changed: [localhost] => (item={'name': 'BSTN_PRD_1', 'template': 'DIF_GEN_7080', 'gathered_filter': ''})
TASK [ansible-firewall-manage-interface : Configure interfaces] ****************
failed: [localhost] (item={'name': 'ae2.869', 'tag': '869', 'template': 'DIF_GEN_7080', 'gathered_filter': '', 'enable_dhcp': False, 'vsys': 'DIF_GEN_PRD_BASTION', 'vr_name': 'BSTN_PRD_1', 'zone_name': 'BTSTN_IN_1', 'ip': ['10.164.241.6/29'], 'management_profile': 'INT_MGMT_PING'}) => {"ansible_loop_var": "item", "changed": false, "item": {"enable_dhcp": false, "gathered_filter": "", "ip": ["10.164.241.6/29"], "management_profile": "INT_MGMT_PING", "name": "ae2.869", "tag": "869", "template": "DIF_GEN_7080", "vr_name": "BSTN_PRD_1", "vsys": "DIF_GEN_PRD_BASTION", "zone_name": "BTSTN_IN_1"}, "msg": "Failed create: ae2.869 -> dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.869 -> dhcp-client is invalid"}
failed: [localhost] (item={'name': 'ae2.870', 'tag': '870', 'template': 'DIF_GEN_7080', 'gathered_filter': '', 'enable_dhcp': False, 'vsys': 'DIF_GEN_PRD_BASTION', 'vr_name': 'BSTN_PRD_1', 'zone_name': 'BTSTN_INTRA_1', 'ip': ['10.164.241.14/29'], 'management_profile': 'INT_MGMT_PING'}) => {"ansible_loop_var": "item", "changed": false, "item": {"enable_dhcp": false, "gathered_filter": "", "ip": ["10.164.241.14/29"], "management_profile": "INT_MGMT_PING", "name": "ae2.870", "tag": "870", "template": "DIF_GEN_7080", "vr_name": "BSTN_PRD_1", "vsys": "DIF_GEN_PRD_BASTION", "zone_name": "BTSTN_INTRA_1"}, "msg": "Failed create: ae2.870 -> dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.870 -> dhcp-client is invalid"}
failed: [localhost] (item={'name': 'ae2.871', 'tag': '871', 'template': 'DIF_GEN_7080', 'vsys': 'DIF_GEN_PRD_BASTION', 'gathered_filter': '', 'enable_dhcp': False, 'vr_name': 'BSTN_PRD_1', 'zone_name': 'BTSTN_INET_1', 'ip': ['10.164.241.22/29'], 'management_profile': 'INT_MGMT_PING'}) => {"ansible_loop_var": "item", "changed": false, "item": {"enable_dhcp": false, "gathered_filter": "", "ip": ["10.164.241.22/29"], "management_profile": "INT_MGMT_PING", "name": "ae2.871", "tag": "871", "template": "DIF_GEN_7080", "vr_name": "BSTN_PRD_1", "vsys": "DIF_GEN_PRD_BASTION", "zone_name": "BTSTN_INET_1"}, "msg": "Failed create: ae2.871 -> dhcp-client constraints failed : DHCP interface IP address must be empty\n ae2.871 -> dhcp-client is invalid"}
PLAY RECAP *********************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1
from task main.yml
```yaml
---
- name: Configure interfaces
  paloaltonetworks.panos.panos_l3_subinterface:
    provider: '{{ device }}'
    name: '{{ item.name }}'
    tag: '{{ item.tag }}'
    vsys: '{{ item.vsys }}'
    template: '{{item.template}}'
    gathered_filter: "{{ item.gathered_filter }}"
    vr_name: '{{ item.vr_name }}'
    zone_name: '{{ item.zone_name }}'
    ip: '{{ item.ip }}'
    management_profile: '{{ item.management_profile }}'
    state: "{{ item.state | default('present') }}"
  with_items: '{{ interfaces }}'
```
getting the data from vars.yml
```yaml
interfaces:
  - name: 'ae2.869'
    tag: '869'
    template: 'DIF_GEN_7080'
    gathered_filter: '*'
    enable_dhcp: false
    vsys: 'DIF_GEN_PRD_BASTION'
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_IN_1'
    ip: ["10.164.241.6/29"]
    management_profile: 'INT_MGMT_PING'
  - name: 'ae2.870'
    tag: '870'
    template: 'DIF_GEN_7080'
    gathered_filter: '*'
    enable_dhcp: false
    vsys: 'DIF_GEN_PRD_BASTION'
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_INTRA_1'
    ip: ["10.164.241.14/29"]
    management_profile: 'INT_MGMT_PING'
  - name: 'ae2.871'
    tag: '871'
    template: 'DIF_GEN_7080'
    vsys: 'DIF_GEN_PRD_BASTION'
    gathered_filter: '*'
    enable_dhcp: false
    vr_name: 'BSTN_PRD_1'
    zone_name: 'BTSTN_INET_1'
    ip: ["10.164.241.22/29"]
    management_profile: 'INT_MGMT_PING'
```
Hi @rlison47, in this section (#497 (comment)) you have `enable_dhcp: false` in each of the interfaces in the vars, but you're not passing that into your `name: Configure interfaces` `paloaltonetworks.panos.panos_l3_subinterface:` task. You could need to add a parameter to that task that looks something like `enable_dhcp: '{{item.enable_dhcp}}'`
Also FWIW, the `gathered_filter` parameter is not needed for tasks when you are applying configuration. This parameter is used when `state: gathered`, but here there is an implicit `state: present` (which is the default for `state` and is correct for tasks making config changes).
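The mismatch diagnosed in the comment above (a key set in the loop vars that the task never references, so it never reaches the module) can be caught before a run. The following is an added example, not code from this thread or from the collection: the task text and the vars entry are constructed from the snippets posted above, and the function names are hypothetical.

```python
import re

# Constructed from the thread: the loop task as posted (no enable_dhcp line).
TASK_AS_POSTED = """
- name: Configure interfaces
  paloaltonetworks.panos.panos_l3_subinterface:
    provider: '{{ device }}'
    name: '{{ item.name }}'
    tag: '{{ item.tag }}'
    vsys: '{{ item.vsys }}'
    template: '{{item.template}}'
    gathered_filter: "{{ item.gathered_filter }}"
    vr_name: '{{ item.vr_name }}'
    zone_name: '{{ item.zone_name }}'
    ip: '{{ item.ip }}'
    management_profile: '{{ item.management_profile }}'
    state: "{{ item.state | default('present') }}"
  with_items: '{{ interfaces }}'
"""

# Constructed from the thread: first entry of `interfaces` in vars.yml.
# In practice, load the real file with a YAML parser instead.
INTERFACES = [
    {"name": "ae2.869", "tag": "869", "template": "DIF_GEN_7080",
     "gathered_filter": "*", "enable_dhcp": False,
     "vsys": "DIF_GEN_PRD_BASTION", "vr_name": "BSTN_PRD_1",
     "zone_name": "BTSTN_IN_1", "ip": ["10.164.241.6/29"],
     "management_profile": "INT_MGMT_PING"},
]

# Matches item.key and item['key'] references to the loop variable.
ITEM_REF = re.compile(r"\bitem(?:\.(\w+)|\[\s*['\"](\w+)['\"]\s*\])")

def referenced_keys(task_text):
    """Return every loop-item key used inside a {{ ... }} expression."""
    keys = set()
    for expr in re.findall(r"\{\{(.*?)\}\}", task_text):
        for dot, sub in ITEM_REF.findall(expr):
            keys.add(dot or sub)
    return keys

def unused_item_keys(task_text, items):
    """Map each item's name to the keys it defines that the task ignores."""
    used = referenced_keys(task_text)
    dropped = {e["name"]: sorted(set(e) - used) for e in items}
    return {name: keys for name, keys in dropped.items() if keys}
```

Running `unused_item_keys(TASK_AS_POSTED, INTERFACES)` flags `enable_dhcp` for `ae2.869`; once the task passes `item.enable_dhcp`, the report is empty.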
Hello @jamesholland-uk I am happy to announce that the issue was already resolved :) Thank you so much for all the help and assistance. I really appreciate it. The updating of panos version and passing enable_dhcp parameters did resolve the issue. Again, thank you so much for the help.