cisco.asa.asa_command module not working with backup command #177

Open
iamgini opened this issue Aug 23, 2022 · 10 comments

iamgini commented Aug 23, 2022

SUMMARY

Since the cisco.asa.asa_config module backup downloads the backup to the local machine, we are using the cisco.asa.asa_command module and running arbitrary commands to take the backup directly to the TFTP server as follows.

- name: Take Cisco ASA Backup
  cisco.asa.asa_command:
    commands:
      - copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}
  register: tftp_copy_status

But the command fails with the below message:

 "msg": "/noconfirm running-config tftp://10.1.10.10/ASA-DEMO$\\r\\n\\r\\n/noconfirm running-config tftp://10.1.10.10/ASA-DEMO0817-150814.cfg\\r\\n^\\r\\nERROR: % Invalid input detected at '^' marker.\\r\\n\\rASA-DEMO> "
}
ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_command

ANSIBLE VERSION
ansible-playbook [core 2.12.1]
  config file = /runner/project/ansible.cfg
  configured module search path = ['/home/runner/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  ansible collection location = /runner/requirements_collections:/runner/project/collections:/home/runner/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.8.8 (default, Aug 11 2021, 06:52:42) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 2.10.3
  libyaml = True
Using /runner/project/ansible.cfg as config file
COLLECTION VERSION
$  ansible-galaxy collection list |grep asa
cisco.asa              3.0.0  
CONFIGURATION
NA
OS / ENVIRONMENT

Ansible:
Red Hat Enterprise Linux 8.5.0-3
(Ansible execution environment container image; also tested on different machine with Python virtual environment)

Cisco ASA:

Cisco Adaptive Security Appliance Software Version 9.9(2)27
Firepower Extensible Operating System Version 2.3(1.117)
Device Manager Version 7.6(1)
Compiled on Thu 11-Oct-18 20:12 PDT by builders
System image file is "disk0:/asa992-<retracted>"
Config file at boot was "startup-config"
ASA-DEMO up 22 days 7 hours
Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash <retracted>
Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1
<retracted>
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual
This platform has a Base license.
Serial Number: <retracted>
Running Permanent Activation Key: <retracted>
Configuration register is 0x1
Image type                : Release
Key Version               : A
Configuration last modified by <retracted>
STEPS TO REPRODUCE

Execute the following playbook on one or more Cisco ASA devices.

- name: Take Cisco ASA Backup
  cisco.asa.asa_command:
    commands:
      - copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}
  register: tftp_copy_status
EXPECTED RESULTS

The command executes successfully and the backup file transfers to the TFTP server.

ACTUAL RESULTS

Task fails with the following error message:

The full traceback is:
  File "/runner/project/collections/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 147, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/usr/lib/python3.8/site-packages/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [ASA-DEMO]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authorize": null,
            "commands": [
                "copy /noconfirm running-config tftp://10.1.10.10/ASA-DEMO-20220817-151253.cfg"
            ],
            "context": null,
            "interval": 1,
            "match": "all",
            "passwords": null,
            "provider": null,
            "retries": 10,
            "wait_for": null
        }
    },
   "msg": "/noconfirm running-config tftp://10.1.10.10/ASA-DEMO$\\r\\n\\r\\n/noconfirm running-config tftp://10.1.10.10/ASA-DEMO0817-150814.cfg\\r\\n^\\r\\nERROR: % Invalid input detected at '^' marker.\\r\\n\\rASA-DEMO> "
}
 
Member

justjais commented Sep 6, 2022

@ginigangadharan Thanks for raising the issue, I wanted to check if you're able to achieve the expected outcome from the cmd: copy /noconfirm running-config tftp://10.1.10.10/ASA-DEMO-20220817-151253.cfg when directly fired through Cisco ASA config, as invalid input is the error received from the ASA config.

Author

iamgini commented Sep 6, 2022

Hi @justjais
Yes, I am able to run the same command from the switch console manually without any issue and the command will complete successfully.

Member

justjais commented Sep 6, 2022

@ginigangadharan Thanks for the quick response, I'll triage the issue and update asap

justjais self-assigned this Sep 6, 2022

Author

iamgini commented Sep 6, 2022

Thank you @justjais
I am trying from my side as well but couldn't find the issue.

I will wait for your update.

Author

iamgini commented Sep 14, 2022

Hi @justjais,
Just checking if you find any good news on this.

Thank you :D

Member

justjais commented Nov 2, 2022

@ginigangadharan please excuse me for the delayed response, the entire team was involved in Ansiblefest which got concluded recently. I'll triage the issue and update you ASAP.

Author

iamgini commented Nov 3, 2022

@justjais thank you so much.
Hope you had a great experience there at AnsibleFest :)

Member

justjais commented Nov 7, 2022

@ginigangadharan I've verified the issue from my end but I am unable to reproduce the said error, please find my config below:
Play:

---
- name: CISCO ASA tasks
  hosts: asa
  collections:
    - cisco.asa
  gather_facts: false
  vars:
    tftp_server: 10.1.10.10
    backup_filename: ASA-backup-test
  tasks:
    - name: Take Cisco ASA Backup
      tags: asa_177
      cisco.asa.asa_command:
        commands:
          - "copy /noconfirm running-config tftp://{{ tftp_server }}/{{ backup_filename }}"
      register: tftp_copy_status

Inventory:

[asa:vars]
ansible_ssh_host=44.242.148.15
ansible_user=admin
ansible_become=true
ansible_become_method=ansible.netcommon.enable
ansible_become_pass=admin
ansible_connection=network_cli
ansible_network_os=asa
ansible_python_interpreter=python

Ansible version:

ansible-playbook [core 2.13.5]
  config file = ./ansible.cfg
  configured module search path = ['.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /Users/sjaiswal/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.9.13 (main, May 24 2022, 21:28:44) [Clang 13.0.0 (clang-1300.0.29.30)]
  jinja version = 3.0.1
  libyaml = True

Play run:

ok: [44.242.148.15] => changed=false
  invocation:
    module_args:
      authorize: null
      commands:
      - copy /noconfirm running-config tftp://10.1.10.10/ASA-backup-test
      context: null
      interval: 1
      match: all
      passwords: null
      provider: null
      retries: 10
      wait_for: null
  stdout:
  - |-
    Cryptochecksum: 5646dd91 76be5088 1b625b61 bdc47e3b

    %Error writing tftp://10.1.10.10/ASA-backup-test (Timed out attempting to connect)
  stdout_lines: <omitted>
META: ran handlers
META: ran handlers

PLAY RECAP ***********************************************************************************************************************************************************************
44.242.148.15              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Cisco ASA detail:

Cisco Adaptive Security Appliance Software Version 9.18(1)
SSP Operating System Version 2.12(0.31)
Device Manager Version 7.18(1)

Can you run the play appending -vvvv with play run to get the detailed verbose output and share the play run?

Member

justjais commented Dec 1, 2022

@ginigangadharan were you able to check on this issue?

Author

iamgini commented Dec 1, 2022

@justjais apologies for my delayed response.
I have tried but it was not working. I missed collecting and sharing the logs.
I will try and update you by next week (as I am travelling now)

Thank you for checking this.
