Can't connect to Cisco router using network_cli but ssh from raw module works fine

% ansible --version
ansible [core 2.16.4]
  config file = /Users/john/scripts/ansible-testing/ansible.cfg
  configured module search path = ['/Users/john/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/john/scripts/ansible-testing/ansible-testing/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/john/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/john/scripts/ansible-testing/ansible-testing/bin/ansible
  python version = 3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)] (/Users/john/scripts/ansible-testing/ansible-testing/bin/python3)
  jinja version = 3.1.3
  libyaml = True

% ssh -V
OpenSSH_9.4p1, LibreSSL 3.3.6

I’m pulling my hair out over this issue. I’ve spent some time doing the usual Googling and searching on reddit, but can’t quite find the right mix of magic dust to sprinkle on my laptop to get this to work.

I’m new to Ansible and currently testing it on my Macbook Pro (Sonoma 14.3.1). I had previously installed Ansible using brew but I was running into some issues. I uninstalled it, created a venv with one of the two versions of Python on my system, then installed ansible as well as ansible-pylibssh.

With ansible_connection=ssh, I can run adhoc commands against my Cisco IOS XR routers with no problem. When I try to run a command using the cisco.iosxr.iosxr module, I get an error that ssh is not a valid connection type, so I switched it to network_cli. Once I do that, I run into constant SSH errors/mismatches with the crypto algos. I suspect the problem is that the Cisco routers use older algos than what Ansible is offering. But I can ssh to my devices from my command line with no problem because I added the right algos to my ssh config file.

Is there a way to force Ansible to use the ssh version configured on my machine rather than…whatever the heck it’s doing. I suspect it’s using paramiko or something and bypassing my host’s ssh config.

At the current moment, I have the following in my ansible.cfg:

ansible_network_os=cisco.iosxr.iosxr
ansible_connection=ansible.netcommon.network_cli

I think this is the relevant portion of the error when I run an adhoc command with a lot of verbosity:

"msg": "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: server [ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1], client [diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1]"

In case it’s relevant, here is the adhoc command:

ansible my_routers -m cisco.iosxr.iosxr_command -a "commands=['show run formal router isis']"

As I mentioned, if I switch the ansible_connection to SSH and then use -m raw instead, it works just fine.

How can I get Ansible to use the right algos?

Thanks!
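The kex error quoted above says exactly why the handshake fails: the server and client lists share no algorithm. The script below is an added example (not part of this thread or of Ansible, paramiko or libssh) that parses a libssh-style "no match for method" message, applies the SSH negotiation rule (the first client-preferred method that the server also lists wins), and flags the SHA-1/1024-bit methods that modern OpenSSH disables by default. The sample message is the one from the post; the WEAK_KEX table is the author's assumption about what a defender would want flagged, and a second constructed message shows a successful negotiation for comparison.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the kex error message quoted in the post above.
SAMPLE_MSG = (
    "ssh connection failed: ssh connect failed: kex error : no match for method kex algos: "
    "server [ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1], "
    "client [diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1]"
)

# Constructed sample with overlap, to show which algorithm negotiation would pick.
OVERLAP_MSG = (
    "kex error : no match for method kex algos: "
    "server [diffie-hellman-group14-sha1,ecdh-sha2-nistp256,curve25519-sha256], "
    "client [curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1]"
)

# Assumption (author's table): key-exchange methods a defender would flag.
# OpenSSH disables group1-sha1 (1024-bit MODP) and gex-sha1 by default;
# group14-sha1 still relies on SHA-1.
WEAK_KEX = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group with SHA-1",
    "diffie-hellman-group-exchange-sha1": "group exchange with SHA-1",
    "diffie-hellman-group14-sha1": "2048-bit group but SHA-1 hash",
}

_KEX_RE = re.compile(
    r"no match for method (?P<method>[\w ]+?): "
    r"server \[(?P<server>[^\]]*)\], client \[(?P<client>[^\]]*)\]"
)


class KexMismatch(NamedTuple):
    method: str
    server: List[str]
    client: List[str]


def parse_kex_error(msg: str) -> Optional[KexMismatch]:
    """Extract the method name and both algorithm lists from a libssh-style error."""
    m = _KEX_RE.search(msg)
    if not m:
        return None
    split = lambda s: [a for a in s.split(",") if a]
    return KexMismatch(m.group("method"), split(m.group("server")), split(m.group("client")))


def negotiate(mm: KexMismatch) -> Optional[str]:
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports is chosen; None means the handshake must fail."""
    server = set(mm.server)
    for algo in mm.client:
        if algo in server:
            return algo
    return None


def diagnose(msg: str) -> dict:
    """Summarise a kex failure: what would be chosen (if anything), which client
    offers are weak, and which server offers a defender would accept."""
    mm = parse_kex_error(msg)
    if mm is None:
        return {"parsed": False}
    return {
        "parsed": True,
        "method": mm.method,
        "chosen": negotiate(mm),
        "weak_client": [a for a in mm.client if a in WEAK_KEX],
        "acceptable_server": [a for a in mm.server if a not in WEAK_KEX],
    }


if __name__ == "__main__":
    for label, msg in (("thread sample", SAMPLE_MSG), ("overlap sample", OVERLAP_MSG)):
        print(label, diagnose(msg))
```

Run against the message from the post, `chosen` is None (no overlap) and every algorithm the client offered is in the weak table, while the server still offers three ECDH methods; that points at the client-side algorithm list rather than at the router as the thing to adjust.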

@jneiberger Hi.

Which do you use, paramiko or pylibssh?

You can confirm it by running the ansible-playbook command with -vvvv.

$ ansible-playbook -i inventory.ini playbook.yml -vvvv 
...(omitted)...
<hostname> ssh type is now set to paramiko
...(omitted)...

or

<hostname> ssh type is now set to libssh

If both are installed, you can choose one with ansible_network_cli_ssh_type.


Looks like the ssh type starts out as auto and then gets set to libssh. As I recall, in order to use cisco.iosxr.iosxr, I was forced to switch to network_cli, but in order to get that to work, I had to install ansible-pylibssh as well as libssh itself using Homebrew.

I set it to use paramiko in my ansible.cfg file. I didn’t get a crypto error this time. Now I’m getting this:

"msg": "No existing session"

I did a search for “ansible cisco no existing session” and see that it has been a common problem for years and I don’t see a solution yet, although there must be one somewhere.

Thanks,
John

EDIT: It looks like this might be a paramiko problem, not an Ansible problem. I see some people running into this when using paramiko in Python to connect to network devices. For example:

https://stackoverflow.com/questions/6832248/paramiko-no-existing-session-exception

I’m not sure what the solution is, though. Maybe I just need to switch back to libssh and then figure out the crypto algo problem. If I can set which crypto algos to use in Ansible, I think that would solve it.

In my experience, the cause of the error "msg": "No existing session" is difficult to identify…

I am not too sure, but if you are using paramiko and authenticating by user and password, try the following ansible.cfg.

[paramiko_connection]
look_for_keys = False

It looks like that worked! I really appreciate the help! I’m still getting used to the layout of the Ansible docs and I didn’t find the options for [persistent_connection] and [paramiko_connection] in them anywhere yet. But I tried it and it works, so for that I’m grateful.


Good! My pleasure.

That’s a configuration item listed in Ansible Configuration Settings.
https://docs.ansible.com/ansible/latest/reference_appendices/config.html#paramiko-look-for-keys

According to my research, it seems paramiko searches for default keys (such as ~/.ssh/id_rsa) by default, even though ansible_password is defined.
With look_for_keys = False set, paramiko uses ansible_password.

It is unclear why the error message "msg": "No existing session" appears…

Could you mark my comment as the solution, to explicitly state that this topic has been resolved?
