cisco.ise.egress_matrix_cell module returns 400 error if cell already exists #108

Open
3 tasks done
grg1bbs opened this issue Nov 14, 2023 · 3 comments
Labels
API bug Something isn't working

grg1bbs commented Nov 14, 2023

Prerequisites

  • Have you tested the operation in the API directly?
  • Do you have the latest ISE Collection version?
  • Review the compatibility matrix before opening an issue.

Describe the bug
When running a play with module 'cisco.ise.egress_matrix_cell' to create a CTS egress matrix cell for the first time, the play completes and the configuration change is successful.
When running the same play a subsequent time, the playbook fails with a 400 error such as:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: }
fatal: [ise32-3.ise.trappedunderise.com]: FAILED! => {"changed": false, "msg": "An error occured when executing operation. The error was: [400] - Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information\n{\n "ERSResponse" : {\n "operation" : "POST-create-egressmatrixcell",\n "messages" : [ {\n "title" : "Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information",\n "type" : "ERROR",\n "code" : "CRUD operation exception"\n } ],\n "link" : {\n "rel" : "related",\n "href" : "https://ise32-3.ise.trappedunderise.com/ers/config/egressmatrixcell\",\n "type" : "application/xml"\n }\n }\n}"}

Expected behavior
The expected behaviour would be that the module recognises that the configuration already exists and skips the attempt to create the object again.

Environment (please complete the following information):

  • ISE version and patch: 3.2 patch 4
  • Ansible version: 2.15.5
  • ISE collection version: 2.6.1
  • ciscoisesdk version: 2.1.2
  • Cisco ISE version: 3.2_beta
  • OS version: MacOS 13.6.1

Ansible Playbook Code Example

  tasks:

#
# Get Security Group and SGACL IDs
#

  - name: Get default SGT ID - Employees
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Employees
      filterType: AND
    register: sgt_employees

  - name: Get default SGT ID - Developers
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Developers
      filterType: AND
    register: sgt_developers

#
# Create New SGTs & SGACLs
#

  - name: Create SGT - Shared_Services
    cisco.ise.sgt:
      <<: *ise_login
      state: present
      name: "Shared_Services"
      value: -1
    register: sgt_shared_services

  - name: Create SGACL - DENY_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "DENY_IP_ANY"
      aclcontent: "deny ip any any"
      description: "Deny IP Any"
      ipVersion: "IPV4"
    register: sgacl_deny_ip_any

  - name: Create SGACL - PERMIT_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "PERMIT_IP_ANY"
      aclcontent: "permit ip any any"
      description: "Permit IP Any"
      ipVersion: "IPV4"
    register: sgacl_permit_ip_any

#
# Create Egress Matrix
#

  - name: Create Egress Cell - Employees to Developers
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Deny Emp to Dev"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_developers.ise_response[0].id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-DEV"
      sgacls:
      - "{{ sgacl_deny_ip_any.ise_response.id }}"

  - name: Create Egress Cell - Employees to Shared_Services
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Permit Emp to Shared Svc"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_shared_services.ise_response.id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-SHARED"
      sgacls:
      - "{{ sgacl_permit_ip_any.ise_response.id }}"

The previous plays execute without error when running multiple times, so the following modules exhibit the expected behaviour.

  • cisco.ise.sgt
  • cisco.ise.sg_acl

fmunozmiranda (Collaborator) commented

Please provide us with the collection debug.


grg1bbs commented Oct 22, 2024

Debug output for the failed task...

TASK [Create Egress Cell - Employees to Developers] *****************************************************************************************************
Attempt 1

Request
        URL: https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell
        Method: GET
        Headers: 
                User-Agent: python-cisco-ise/3.3_patch_1
                Accept-Encoding: gzip, deflate
                Accept: application/json
                Connection: keep-alive
                authorization: Basic ZXJzYWRtaW4xOmNpc2NvMTIz
                Content-type: application/json;charset=utf-8
        Params:
              {}

Response
        Status: 200 - 
        Headers: 
                Content-Type: application/json;charset=utf-8
                Transfer-Encoding: chunked
                Connection: keep-alive
                Cache-Control: no-cache, no-store, must-revalidate
                Set-Cookie: JSESSIONIDSSO=7842ED2407908DE1C046AB59D089498E; Path=/; Secure; HttpOnly, APPSESSIONID=588142BF6CC329F73F192FD81E9874AB; Path=/ers; Secure; HttpOnly
                Pragma: no-cache
                Expires: Thu, 01 Jan 1970 00:00:00 GMT
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=31536000; includeSubDomains
                X-Content-Type-Options: nosniff
                X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-XSS-Protection: 1; mode=block
                Date: Tue, 22 Oct 2024 06:06:53 GMT
                Server: 
        Body:
             {
                 "SearchResult": {
                     "total": 3,
                     "resources": [
                         {
                             "id": "92c1a900-8c01-11e6-996c-525400b48521",
                             "name": "ANY-ANY",
                             "description": "Default egress rule",
                             "link": {
                                 "rel": "self",
                                 "href": "https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell/92c1a900-8c01-11e6-996c-525400b48521",
                                 "type": "application/json"
                             }
                         },
                         {
                             "id": "2d21afa1-903a-11ef-824c-005056918895",
                             "name": "Employees-Developers",
                             "description": "Deny Emp to Dev",
                             "link": {
                                 "rel": "self",
                                 "href": "https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell/2d21afa1-903a-11ef-824c-005056918895",
                                 "type": "application/json"
                             }
                         },
                         {
                             "id": "2de74990-903a-11ef-824c-005056918895",
                             "name": "Employees-Shared_Services",
                             "description": "Permit Emp to Shared Svc",
                             "link": {
                                 "rel": "self",
                                 "href": "https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell/2de74990-903a-11ef-824c-005056918895",
                                 "type": "application/json"
                             }
                         }
                     ]
                 }
             }
Attempt 1

Request
        URL: https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell
        Method: GET
        Headers: 
                User-Agent: python-cisco-ise/3.3_patch_1
                Accept-Encoding: gzip, deflate
                Accept: application/json
                Connection: keep-alive
                authorization: Basic ZXJzYWRtaW4xOmNpc2NvMTIz
                Content-type: application/json;charset=utf-8
        Params:
              {
                  "page": 2
              }

Response
        Status: 400 - 
        Headers: 
                Content-Type: application/json;charset=utf-8
                Transfer-Encoding: chunked
                Connection: keep-alive
                Cache-Control: no-cache, no-store, must-revalidate
                Pragma: no-cache
                Expires: Thu, 01 Jan 1970 00:00:00 GMT
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=31536000; includeSubDomains
                X-Content-Type-Options: nosniff
                X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-XSS-Protection: 1; mode=block
                Date: Tue, 22 Oct 2024 06:06:53 GMT
                Server: 
        Body:
             {
                 "ERSResponse": {
                     "operation": "GET-getAll-egressmatrixcell",
                     "messages": [
                         {
                             "title": "The page 2 does not exist. Please refine your query.",
                             "type": "ERROR",
                             "code": "Page not exists exception"
                         }
                     ],
                     "link": {
                         "rel": "related",
                         "href": "https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell?page=2",
                         "type": "application/xml"
                     }
                 }
             }
Attempt 1

Request
        URL: https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell
        Method: POST
        Headers: 
                User-Agent: python-cisco-ise/3.3_patch_1
                Accept-Encoding: gzip, deflate
                Accept: application/json
                Connection: keep-alive
                authorization: Basic ZXJzYWRtaW4xOmNpc2NvMTIz
                Content-type: application/json;charset=utf-8
        Params:
              {}
        Body:
            {
                "EgressMatrixCell": {
                    "name": "EMP-DEV",
                    "description": "Deny Emp to Dev",
                    "sourceSgtId": "93ad6890-8c01-11e6-996c-525400b48521",
                    "destinationSgtId": "93837260-8c01-11e6-996c-525400b48521",
                    "matrixCellStatus": "ENABLED",
                    "sgacls": [
                        "2b8b5830-903a-11ef-824c-005056918895"
                    ]
                }
            }

Response
        Status: 400 - 
        Headers: 
                Content-Type: application/json;charset=utf-8
                Transfer-Encoding: chunked
                Connection: keep-alive
                Cache-Control: no-cache, no-store, must-revalidate
                Pragma: no-cache
                Expires: Thu, 01 Jan 1970 00:00:00 GMT
                X-Frame-Options: SAMEORIGIN
                Strict-Transport-Security: max-age=31536000; includeSubDomains
                X-Content-Type-Options: nosniff
                X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
                X-XSS-Protection: 1; mode=block
                Date: Tue, 22 Oct 2024 06:06:53 GMT
                Server: 
        Body:
             {
                 "ERSResponse": {
                     "operation": "POST-create-egressmatrixcell",
                     "messages": [
                         {
                             "title": "Operation Egress Policy Matrix Create failed: Error : Cell Already Exists !\n MATRIX_CELL failed. Look at the debug logs for more information",
                             "type": "ERROR",
                             "code": "CRUD operation exception"
                         }
                     ],
                     "link": {
                         "rel": "related",
                         "href": "https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell",
                         "type": "application/xml"
                     }
                 }
             }
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: }
fatal: [ise33-3.ise.trappedunderise.com]: FAILED! => {"changed": false, "msg": "An error occured when executing operation. The error was: [400] - Operation Egress Policy Matrix Create failed: Error : Cell Already Exists !\n MATRIX_CELL failed. Look at the debug logs for more information\n{\n  \"ERSResponse\" : {\n    \"operation\" : \"POST-create-egressmatrixcell\",\n    \"messages\" : [ {\n      \"title\" : \"Operation Egress Policy Matrix Create failed: Error : Cell Already Exists !\\n MATRIX_CELL failed. Look at the debug logs for more information\",\n      \"type\" : \"ERROR\",\n      \"code\" : \"CRUD operation exception\"\n    } ],\n    \"link\" : {\n      \"rel\" : \"related\",\n      \"href\" : \"https://ise33-3.ise.trappedunderise.com/ers/config/egressmatrixcell\",\n      \"type\" : \"application/xml\"\n    }\n  }\n}"}

PLAY RECAP **********************************************************************************************************************************************
ise33-3.ise.trappedunderise.com : ok=5    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

bvargasre (Collaborator) commented

Hi @grg1bbs, reviewing the issue, I note the following:
For egress_matrix_cell, the get_all of the ISE lab is very simple; it only brings the id, name and description.

And since the name of your playbook is different from those brought by the get_all, the POST is executed, but at the internal level those parameters are already set, causing the error: Cell Already Exists.

This is more of a fault of the lab, in that it does not bring more information. If the get_by_id is done it does bring the complete information, but executing a get_by_id for each result of the get_all is not viable in terms of time and performance.

Also, the problem that the name is different is an error/problem at the CiscoISE LAB level, because in the POST the name is ignored and another defect is put in by changing it.

bvargasre added the bug and API labels on Nov 20, 2024
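
The lookup problem described in the comment above, as an added sketch that is not the collection's code: a name-only match against the get_all summaries misses the cell that ISE stored as Employees-Developers, while a match on the source/destination SGT pair finds it at the cost of one get_by_id call per summary inspected. The get_by_id results, the placeholder SGT ids and all function names are assumptions made for illustration, and the sketch assumes a cell is identified by its SGT pair, as the "Cell Already Exists" response suggests.

```python
# Constructed data modelled on the debug output in this issue.
EMP = "93ad6890-8c01-11e6-996c-525400b48521"  # sourceSgtId from the POST body
DEV = "93837260-8c01-11e6-996c-525400b48521"  # destinationSgtId from the POST body
DEV_CELL = "2d21afa1-903a-11ef-824c-005056918895"
SUMMARIES = [  # what get_all returns: id and name, but no SGT ids
    {"id": "92c1a900-8c01-11e6-996c-525400b48521", "name": "ANY-ANY"},
    {"id": DEV_CELL, "name": "Employees-Developers"},
    {"id": "2de74990-903a-11ef-824c-005056918895", "name": "Employees-Shared_Services"},
]
DETAILS = {  # assumed get_by_id results; "*-placeholder" ids are made up
    SUMMARIES[0]["id"]: {"sourceSgtId": "any-placeholder", "destinationSgtId": "any-placeholder"},
    DEV_CELL: {"sourceSgtId": EMP, "destinationSgtId": DEV},
    SUMMARIES[2]["id"]: {"sourceSgtId": EMP, "destinationSgtId": "shared-svc-placeholder"},
}

def get_by_id(cell_id):
    """Stand-in for the per-cell detail request (hypothetical helper)."""
    return DETAILS[cell_id]

def find_by_name(summaries, name):
    """Name-only lookup: misses when ISE stored the cell under another name."""
    return next((s for s in summaries if s["name"] == name), None)

def find_by_sgt_pair(summaries, fetch, src, dst):
    """Match on the (source, destination) SGT pair.
    Returns (cell_or_None, number_of_detail_requests_made)."""
    calls = 0
    for summary in summaries:
        detail = fetch(summary["id"])
        calls += 1
        if (detail["sourceSgtId"], detail["destinationSgtId"]) == (src, dst):
            return {**summary, **detail}, calls
    return None, calls

def plan(desired, summaries, fetch):
    """Decide the state=present action without sending a duplicate POST.
    The detail requests are only paid for when the cheap name match misses."""
    existing = find_by_name(summaries, desired["name"])
    if existing is None:
        existing, _ = find_by_sgt_pair(
            summaries, fetch, desired["sourceSgtId"], desired["destinationSgtId"])
    return ("create", None) if existing is None else ("exists", existing["id"])

DESIRED = {"name": "EMP-DEV", "sourceSgtId": EMP, "destinationSgtId": DEV}

if __name__ == "__main__":
    print(find_by_name(SUMMARIES, DESIRED["name"]))  # name lookup misses
    print(plan(DESIRED, SUMMARIES, get_by_id))       # pair lookup finds the cell
```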