Junos Automation (Scripting)

Netconf error from Ansible tower

‎10-31-2019 10:18 AM

I have installed Ansible Tower on RHEL 8 and trying to do a check for a particular piece of configuration on a Juniper vsrx device  but get this error message ...
"msg": "Could not open socket to perimeter-firewall:830",
"_ansible_no_log": false
I have enabled netconf on the juniper vsrx and connect from the ansible host using this command

ssh root@ < ip address > -p 830 -s netconf which gives me this output ...

<!-- No zombies were killed during the creation of this user interface -->
<!-- user root, class super-user -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring</capability>
<capability>http://xml.juniper.net/netconf/junos/1.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
</capabilities>
<session-id>8373</session-id>
</hello>
]]>]]>
Is there anything that I need to do ?

5 REPLIES

Re: Netconf error from Ansible tower

‎10-31-2019 04:52 PM

Hi gefela,
What's the config on the vsrx? If you've simply enabled, "netconf ssh" in config, could you try port 22?
Hope this helps.
Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Re: Netconf error from Ansible tower

‎11-01-2019 02:49 AM

The command listed is correct; the default port for NETCONF over SSH is 830 per the RFC.

You can override this on the SRX if you want.

The only command needed to enable is

set system services netconf ssh
And since this is an SRX be sure that netconf is permitted under the security zone config for the interface you are hitting.
set security security-zones NameOfZone host host-inbound-traffic system-services netconf
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
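An added diagnostic script, written for this thread and not taken from the Juniper.junos role or from any poster, that walks through the same steps an automation client has to complete before "Could not open socket" stops being the error: resolve the name, open TCP to port 830, and then read the server's hello and its capability list. The hostname `perimeter-firewall` and the hello sample are taken from the thread; the sample hello is embedded inline (constructed from the posted output, shortened) so the parsing part runs offline, and the local listener helper exists only so the reachability check can be exercised without a device.

```python
"""Step-by-step diagnosis of a 'Could not open socket to <host>:830' failure.

A NETCONF client (the Juniper.junos role included) needs, in order:
  1. name resolution of the inventory hostname,
  2. a TCP connection to the NETCONF-over-SSH port (830 by default),
  3. after SSH authentication, the server's <hello> with a usable capability set.
'Could not open socket' is a failure of step 1 or 2, i.e. before any credentials
are exchanged. On an SRX that is typically the service not being allowed under
host-inbound-traffic for the zone of the interface actually being hit.
"""
import socket
import threading
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
NETCONF_BASE_CAP = "urn:ietf:params:netconf:base:1.0"
EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter, as seen in the thread's output

# Constructed sample: a shortened copy of the <hello> the vSRX sent in the thread.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>http://xml.juniper.net/netconf/junos/1.0</capability>
</capabilities>
<session-id>8373</session-id>
</hello>
]]>]]>"""


def resolve(host):
    """Return the sorted list of addresses `host` resolves to, or [] on failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    Refused or timed-out here means the socket-level failure from the thread;
    an authentication problem would only show up after this succeeds.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_hello(raw):
    """Parse a NETCONF <hello> (with or without the trailing ]]>]]> delimiter).

    Returns (session_id, capabilities). Raises ValueError when the server does
    not advertise the base:1.0 capability a NETCONF 1.0 client relies on.
    """
    body = raw.split(EOM, 1)[0].strip()
    root = ET.fromstring(body)
    if root.tag != f"{{{NETCONF_NS}}}hello":
        raise ValueError(f"unexpected root element {root.tag!r}")
    caps = {c.text.strip() for c in root.iter(f"{{{NETCONF_NS}}}capability") if c.text}
    if NETCONF_BASE_CAP not in caps:
        raise ValueError("server does not advertise " + NETCONF_BASE_CAP)
    sid = root.find(f"{{{NETCONF_NS}}}session-id")
    session_id = sid.text.strip() if sid is not None and sid.text else None
    return session_id, caps


def local_listener():
    """Test aid only: start a throwaway TCP listener on 127.0.0.1, return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=srv.accept, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Test aid only: return a loopback port that was just bound and released."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    host, port = "perimeter-firewall", 830  # hostname from the thread; change to yours
    addrs = resolve(host)
    print(f"{host} resolves to: {addrs or 'nothing (check DNS or /etc/hosts on the Tower host)'}")
    if addrs:
        print(f"TCP {host}:{port} reachable: {tcp_reachable(host, port)}")
    sid, caps = parse_hello(SAMPLE_HELLO)
    print(f"sample hello: session-id={sid}, {len(caps)} capabilities")
```

Run it on the Tower host itself: if `resolve()` returns nothing or `tcp_reachable()` is False, the problem is in front of NETCONF (name resolution, routing, or the SRX zone's host-inbound-traffic), and no Ansible-side setting will change that; once it returns True, the remaining checks are SSH credentials and the capability list.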
Re: Netconf error from Ansible tower

‎11-01-2019 09:58 AM

I have found that I need to install the junos modules from Ansible galaxy

ansible-galaxy install Juniper.junos
- downloading role 'junos', owned by Juniper
- downloading role from https://github.com/Juniper/ansible-junos-stdlib/archive/2.2.1.tar.gz
- extracting Juniper.junos to /root/.ansible/roles/Juniper.junos
- Juniper.junos (2.2.1) was installed successfully
I have already got netconf installed
show configuration | display set | match netconf
set system services netconf ssh port 830
set security zones security-zone trust host-inbound-traffic system-services netconf
set security zones security-zone untrust host-inbound-traffic system-services netconf
My management address is on fxp0
What am I missing ?

Re: Netconf error from Ansible tower

‎11-03-2019 05:14 PM

What zone is fxp0 assigned to?
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
Re: Netconf error from Ansible tower

‎11-04-2019 01:38 AM

fxp0 is not assigned to any zone and I cannot seem to do it.

However, I have got interface ge-0/0/0.0, which is in the same IP address range as fxp0.

When I use the ge-0/0/0.0 address configured within Ansible Tower as the host and try to run the playbook, it gives me the error message

"msg": "Could not open socket to dmz-firewall:830",
"_ansible_no_log"

I have also done the following:

ssh root@ < ge-0/0/0 ip address > -p 830 -s netconf
Password:
<!-- No zombies were killed during the creation of this user interface -->
<!-- user root, class super-user -->
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.0</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
<capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
<capability>urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring</capability>
<capability>http://xml.juniper.net/netconf/junos/1.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
</capabilities>
<session-id>6195</session-id>
</hello>
]]>]]>


show security flow session destination-port 830
Session ID: 1432, Policy name: self-traffic-policy/1, Timeout: 1736, Valid
In: ansible tower ip address /45624 --> ge-0/0/0 ip address /830;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 29, Bytes: 3972,
Out: 1ge-0/0/0 ip address /830 --> ansible tower ip address /45624;tcp, Conn Tag: 0x0, If: .local..4, Pkts: 23, Bytes: 5193,
Total sessions: 1

Is there any extra configuration needed for Ansible Tower?