panos_loadcfg: Unable to commit the config on Pan OS Device

[Udayendu]

Describe the bug

Even if panos_import module able to import the config successfully, panos_loadcfg is unable to load it correctly.

Expected behavior

It should be able to load as expected.

Current behavior

If loading one by one its working. But if trying to configure 4 to 5 firewall one by one through script/ansible, its breaking and not able to commit the configs correctly.

Possible solution

No resolution.

Steps to reproduce

100% reproducible in my environment. I am deploying these OVAs on the VMware platform.

1. Deploy the a provision server with private network in 192.168.1.X subnet with 192.168.1.2
2. Deploy the firewall OVA in the same subnet. It will pick 192.168.1.1 IP
3. From provision server copy the config using panos_import and apply the config using panos_loadcfg
4. Then change the interface to the correct one for the management IP
5. If deploying these play books one by one manually its working.

Playbooks:

# cat 01_firewall-config.yml
---
- name: Firewall Configuration
  hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - 01_PrimaryDC_Mgmt_FWA.yml

  collections:
    - paloaltonetworks.panos

  tasks:
    - name: Import configuration file into FW
      panos_import:
        ip_address: '{{ ip_address }}'
        username: '{{ username }}'
        password: '{{ password }}'
        file: '{{ config_file }}'
        category: 'configuration'
      register: result

    - name: Load the configuration file to FW
      panos_loadcfg:
        ip_address: '{{ ip_address }}'
        username: '{{ username }}'
        password: '{{ password }}'
        file: '{{ result.filename }}'
        commit: True

Error Message:

PLAY [Firewall Configuration] *******************************************************************************************************************************************************************************************************************************************************************************************

TASK [Import configuration file into FW] ********************************************************************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [Load the configuration file to FW] ********************************************************************************************************************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: pan.xapi.PanXapiError: Commit job was not queued since auto-commit not yet finished successfully. Please use "commit force" to schedule commit job
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1585567312.7959883-164436344259963/AnsiballZ_panos_loadcfg.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1585567312.7959883-164436344259963/AnsiballZ_panos_loadcfg.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1585567312.7959883-164436344259963/AnsiballZ_panos_loadcfg.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.paloaltonetworks.panos.plugins.modules.panos_loadcfg', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_panos_loadcfg_payload_tc554zho/ansible_panos_loadcfg_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_loadcfg.py\", line 130, in <module>\n  File \"/tmp/ansible_panos_loadcfg_payload_tc554zho/ansible_panos_loadcfg_payload.zip/ansible_collections/paloaltonetworks/panos/plugins/modules/panos_loadcfg.py\", line 124, in main\n  File \"/usr/local/lib/python3.6/dist-packages/pan/xapi.py\", line 902, in commit\n    raise PanXapiError(self.status_detail)\npan.xapi.PanXapiError: Commit job was not queued since auto-commit not yet finished successfully. Please use \"commit force\" to schedule commit job\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP **************************************************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Context

For every DC we deploy 4 Palo Alto firewalls. 2 Mgmt and 2 for customers.
And in one go we do such deployment in 2 DCs in primary and secondary mode.
But lack of automation capability in Palo Alto is a huge drawback. Have to re think about this product.

Your Environment

ansible 2.9.6 and Pan OS 8.5

[shinmog]

Seems like #18 needs to be resolved first before this can be addressed, but otherwise it seems like a commit is already happening and this is trying to do another commit, which PAN-OS is not allowing..?

[mrichardson03]

Is this still an issue? Commits failing before the autocommit completes is expected.