Ansible Windows Deployment - 'Connection aborted.', error(104, 'Connection reset by peer')

Hello,

I am facing an issue with deployment on a Windows 2008 server using Ansible. I have a Jenkins pipeline which has an Ansible Deployment stage wherein I drop the files onto the target servers from the inventory. I have been able to do this successfully for quite a few servers. However, for some servers I see the above error message.

Here is the output from jenkins pipeline


TASK [debug] *******************************************************************
ok: [ch3dw026394.mydomain.com] => {
    "msg": "Hello world!"
}

TASK [Testing connection to windows] *******************************************
fatal: [ch3dw026394.mydomain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: ('Connection aborted.', error(104, 'Connection reset by peer'))", "unreachable": true}

Here is the Ansible playbook module for win_ping

  #Testing connection with Target
  - debug: 
    msg: "Testing connection to windows {{ inventory_hostname }}"

  - name: Testing connection to windows
    win_ping: null
    any_errors_fatal: true

I did quite a bit of research on this and none of the following options worked

  1. Turned off UAC on the Windows 2008 server. Did not work.

  2. Some posts online said that this error happens because the inventory file does not contain the FQDN but contains an IP. My inventory file contains the FQDN (Fully Qualified Domain Name) and it still does not work. Another post said that the port number (5986) in vars.yml should be commented out and instead have hostname:5986 in the inventory file. Still did not work.

  3. I tried deleting the listeners on the server and ran the PowerShell script to enable WinRM (https://github.com/ansible/ansible/blob/devel/examples/scripts/ConfigureRemotingForAnsible.ps1). This also did not work. Deleted the listeners using

    winrm delete winrm/config/Listener?Address=*+Transport=HTTP
    winrm delete winrm/config/Listener?Address=*+Transport=HTTPS
    
    
  4. Set WinRM to have Basic Auth = true and also AllowUnencrypted = true (see below) and it still did not work. (Please note I did not have to do any of this on my other Windows 2008 servers and it worked absolutely fine.)

    winrm set winrm/config/service '@{AllowUnencrypted= "true"}'
    Set-Item -Path "WSMan:\localhost\Service\Auth\Basic" -Value $true
    
    

Please can you help me get past this error.

Thanks in advance for your assistance! Warm Regards

p.s. I am using a local account on the server not a domain account and secondly, I am using the following for transport and authentication

ansible_port: 5986
ansible_connection: winrm
ansible_winrm_transport: ntlm

Hi

The error you are seeing is because the underlying HTTP stack on Windows is breaking the connection, and it may or may not be related to WinRM itself. If you are trying to connect to Server 2008 then you will need PowerShell v3.0, which has an issue with the memory settings. Make sure that you have installed this hotfix: https://docs.ansible.com/ansible/latest/user_guide/windows_setup.html#winrm-memory-hotfix.

The other issue I know that could cause this is the recent TLSv1.2 patch Microsoft has released which effectively breaks compatibility. I came across a bug with it and found even Microsoft products are unable to use TLS v1.2 with it enabled, you can find out more details about this here https://social.msdn.microsoft.com/Forums/en-US/f4b0e1d5-4a7f-4e6a-a196-a54c50849ff8/server-2008-and-tlsv12-server-issues-kb4019276?forum=winservergen. If you have KB4019276 and have explicitly enabled the TLSv1.2 ciphers in the registry then this would have to be undone before Ansible will work with it.

Thanks

Jordan

Hello Jordan

Thanks for your response.

The target server already has PowerShell 3.0. I went ahead and installed the hotfix and reinstalled the HTTP and HTTPS listeners, but it still isn’t working.

The thing with TLS 1.2 is that I have 2 Win 2008 servers and they both have exactly the same registry settings with respect to the TLS ciphers, and it works fine on one and does not work on the other.
All WinRM commands yield the same results on one of the servers and break on the other.

Do you have any other ideas?

Thanks
Kartik

You need both the hotfix and the registry keys set for the connection to break like this, having one or the other is not enough. Another thing to note is that this only applies to Server 2008, the 2008 R2 edition works just fine with TLSv1.2. So if this is the original 2008 version (and not 2008 R2) verify that TLS1.2 isn’t enabled in the registry for the server side.

Thanks

Jordan
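As an added example (not code from the thread or from Ansible), the following PowerShell script, run elevated on the target server, checks the conditions Jordan describes in his two replies in one pass: whether the box is original Server 2008 (6.0) rather than 2008 R2 (6.1), the PowerShell version, whether the WinRM memory hotfix and KB4019276 are installed, and whether TLS 1.2 has been explicitly enabled for the server side under the SCHANNEL registry key. The hotfix ID KB2842230 is taken from my knowledge of the Ansible docs page Jordan links, not from this thread; the registry path and the Enabled/DisabledByDefault value names are the standard SCHANNEL ones. It also dumps the WinRM listeners and service authentication settings so the two servers in Kartik's reply can be compared side by side.

```powershell
# Added diagnostic for the thread above; run elevated on the Windows 2008 target.
# Assumptions: KB2842230 is the WinRM memory hotfix the Ansible docs link to
# (from my knowledge, the thread only gives the URL); KB4019276 is named in the thread.
$memoryHotfix = 'KB2842230'
$tls12Patch   = 'KB4019276'
$tlsServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'

# OS edition: Jordan says only original 2008 (6.0) is affected, 2008 R2 (6.1) is fine.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isOriginal2008 = $os.Version -like '6.0.*'
"OS: $($os.Caption) (build $($os.Version)); original 2008 (not R2): $isOriginal2008"
"PowerShell: $($PSVersionTable.PSVersion)"

# Installed updates. Get-HotFix reads Win32_QuickFixEngineering, which does not
# list every update type, so an absent ID is a prompt to check manually, not proof.
$hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
"WinRM memory hotfix $memoryHotfix installed: $($hotfixes -contains $memoryHotfix)"
$tlsPatched = $hotfixes -contains $tls12Patch
"$tls12Patch installed: $tlsPatched"

# TLS 1.2 is only 'explicitly enabled' server-side when the key exists,
# Enabled is 1 and DisabledByDefault is 0.
$tls12ServerEnabled = $false
if (Test-Path $tlsServerKey) {
    $p = Get-ItemProperty -Path $tlsServerKey
    $tls12ServerEnabled = ($p.Enabled -eq 1) -and ($p.DisabledByDefault -eq 0)
    "TLS 1.2\Server registry: Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
} else {
    "TLS 1.2\Server registry key absent (TLS 1.2 not explicitly enabled server-side)"
}

# The combination Jordan describes: original 2008 + KB4019276 + TLS 1.2 forced on.
if ($isOriginal2008 -and $tlsPatched -and $tls12ServerEnabled) {
    Write-Warning "Original Server 2008 with $tls12Patch and TLS 1.2 explicitly enabled server-side: this is the combination that resets the WinRM connection."
}

# Listeners and service auth as WinRM itself reports them, for comparing two servers.
Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
    Select-Object Transport, Address, Port, CertificateThumbprint | Format-Table -AutoSize
Get-ChildItem -Path WSMan:\localhost\Service\Auth | Select-Object Name, Value | Format-Table -AutoSize
Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted | Select-Object Name, Value
```

Run it on the working and the failing server and diff the output; if the failing one is the only original 2008 box with both KB4019276 and the TLS 1.2 server values set, removing (or setting to 0) the Enabled value under that key, as Jordan suggests, is the thing to try before touching the listeners again.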

I have the same problem. I enabled WinRM over HTTPS and I can see it listening on 5986, but a simple win_ping is not working.

I don't understand what this means:

You need both the hotfix and the registry keys set for the connection to break like this, having one or the other is not enough. A