Hi Team,
I need help resolving the errors below when communicating with WinRM via Ansible. What could be the cause of these errors?
server 1-
The "connection timed out" error means either that the server is not listening on that port (5986) or that a firewall is in the way.
The "bad handshake" error might mean the server doesn't support a TLS protocol or cipher suite that the client supports. Older Windows hosts (pre-2016) support only a limited set of cipher suites, and some more modern Linux clients disable these ciphers for security reasons. This is unfortunately a harder problem to solve, but running 'openssl s_client -connect host:5986' is a good way to test SSL problems outside of Ansible.
Thanks
Jordan
Hi Jordan,
Thanks for your response.
We have checked with the Network team; they are saying that they can see traffic while scanning from the source server (Ansible) to the destination (WinRM) servers over port 5986.
Here is the default winrm/config output on the Windows server.
C:\Windows\system32>winrm get winrm/config
Config
    MaxEnvelopeSizekb = 500
    MaxTimeoutms = 1800000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = true
        Auth
            Basic = true
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 1500
        EnumerationTimeoutms = 240000
        MaxConnections = 300
        MaxPacketRetrievalTimeSeconds = 120
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = *
        IPv6Filter = *
        EnableCompatibilityHttpListener = false
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 7200000
        MaxConcurrentUsers = 2147483647
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 2147483647
        MaxMemoryPerShellMB = 1024
        MaxShellsPerUser = 2147483647
Please let us know if any other info is needed.
> Hi Jordan,
> Thanks for your response. We have checked with the Network team; they are saying that they can see traffic while scanning from the source server (Ansible) to the destination (WinRM) servers over port 5986.
I don't know your Network team, and I have no way of telling whether
what they claim is true or not, or even know if their statements are
relevant at all. Please read on.
> Please let us know if any other info is needed.
The previous reply asked you to use an openssl command to obtain
relevant debugging information about the connection from the ansible
host to the target system.
You did not provide the results of that, so please do that.
So, to verify the host is actually listening, run 'winrm e winrm/config/listener'; you should see whether there is an actual listener for HTTPS/5986. You can also use your favourite command to check if the port is reachable, e.g. 'nc -zvw10 192.168.1.2 5986'. Once you've verified that you can actually connect to the host on that port, that the remote host is listening on it, and that there's no firewall in the way blocking it, you can move on to getting SSL/TLS working. This is done through 'openssl s_client -connect 192.168.1.2:5986'.
Thanks
Jordan
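The two checks Jordan describes in his replies (first the port, then the TLS handshake) can be run in the same order from the Ansible host. The script below is an added example written for this thread; it is not code from the thread, from Ansible or from pywinrm. It connects with plain TCP first and only attempts a TLS handshake once the port answers, so a firewall or security-group problem is reported as such instead of surfacing as a vague SSL error. The error lines in `SAMPLE_ERRORS` are the ones posted in the thread (addresses already masked there) plus the 413 message; the loopback listener helpers are constructed fixtures so the probe can be exercised offline.

```python
"""Two-stage probe for a WinRM HTTPS endpoint: TCP reachability, then TLS.

Added example for the thread above, not Ansible's or pywinrm's own code.
Hosts, ports and the loopback fixtures are constructed for the example.
"""
import re
import socket
import ssl
import threading

WINRM_HTTPS_PORT = 5986  # default HTTPS listener port, as shown by winrm get winrm/config

# Error text from the thread (masked there) and the later 413 message; used
# only to map an Ansible/pywinrm error to the layer that failed.
SAMPLE_ERRORS = {
    "server1": "kerberos: HTTPSConnectionPool(host='10.x.x.x', port=5986): Max retries "
               "exceeded with url: /wsman (Caused by ConnectTimeoutError(..., "
               "'Connection to 10.x.x.x timed out. (connect timeout=30)'))",
    "server2": "kerberos: HTTPSConnectionPool(host='192.x.x.x', port=5986): Max retries "
               "exceeded with url: /wsman (Caused by SSLError(SSLError(\"bad handshake: "
               "SysCallError(104, 'ECONNRESET')\",),))",
    "server3": "WinRMTransportError Bad HTTP response returned from server. Code 413",
}

# Order matters: a connect timeout is a network failure even if TLS is mentioned.
ERROR_PATTERNS = (
    (re.compile(r"ConnectTimeoutError|connect timeout"), "network"),
    (re.compile(r"bad handshake|SSLError|ECONNRESET"), "tls"),
    (re.compile(r"\bCode 413\b"), "http413"),
)


def classify_error(line):
    """Map an Ansible/pywinrm error line to the layer that failed."""
    for pattern, stage in ERROR_PATTERNS:
        if pattern.search(line):
            return stage
    return "unknown"


def tcp_connect(host, port, timeout=5.0):
    """Stage 1: TCP handshake only. Returns (connected socket or None, detail)."""
    try:
        return socket.create_connection((host, port), timeout=timeout), "tcp connected"
    except socket.timeout:
        return None, "connect timeout: no answer (firewall/security group, or nothing listening)"
    except ConnectionRefusedError:
        return None, "connection refused: host answered but no listener on the port"
    except OSError as exc:
        return None, f"network error: {exc}"


def tls_handshake(sock, server_hostname, min_version=None):
    """Stage 2: TLS handshake on an already-connected socket. Returns (stage, detail)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic probe: report handshake outcome, not cert trust
    if min_version is not None:      # e.g. ssl.TLSVersion.TLSv1 to test a legacy-only server
        ctx.minimum_version = min_version
    try:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return "ok", f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:  # includes SSLEOFError when the peer hangs up mid-handshake
        return "tls", f"handshake failed: {exc.reason or exc}"
    except OSError as exc:       # ECONNRESET and similar: the peer reset the connection
        return "tls", f"handshake failed: {exc}"


def probe(host, port=WINRM_HTTPS_PORT, timeout=5.0, min_version=None):
    """Return ("network" | "tls" | "ok", detail) for host:port, network layer first."""
    sock, detail = tcp_connect(host, port, timeout)
    if sock is None:
        return "network", detail
    with sock:
        return tls_handshake(sock, host, min_version)


# Constructed loopback fixtures so the probe can be exercised without a real WinRM host.
def start_non_tls_listener():
    """Open a local port that accepts and immediately closes each connection,
    standing in for a listener that is reachable but does not speak TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Pick a loopback port that nothing is listening on (bind, read, release)."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    for name, line in SAMPLE_ERRORS.items():
        print(f"{name}: {classify_error(line)}")
    print("closed port  ->", probe("127.0.0.1", closed_local_port(), timeout=2.0))
    print("non-TLS port ->", probe("127.0.0.1", start_non_tls_listener(), timeout=2.0))
```

Against a real host you would call `probe("192.168.1.2")` from the Ansible controller. A `"network"` result means the security group, firewall or missing listener has to be fixed before any TLS work makes sense; a `"tls"` result with the default context and `"ok"` after passing `min_version=ssl.TLSVersion.TLSv1` points at the legacy protocol/cipher mismatch Jordan describes (provided the client's OpenSSL still permits that version). Certificate verification is deliberately off because the probe answers "does a handshake complete at all", which is the same question `openssl s_client` answers.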
Thanks for the response,
We are unable to telnet to 5986 from Ansible for server 1 below; the port might be blocked in the security group, as the Ansible servers are in AWS Cloud.
server 1-
kerberos: HTTPSConnectionPool(host='10.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3d45abe5d0>, 'Connection to 10.x.x.x timed out. (connect timeout=30)'))
For server 2, could you elaborate more on this? What needs to be done to solve it?
kerberos: HTTPSConnectionPool(host='192.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')",),))
> Thanks for the response,
> We are unable to telnet to 5986 from Ansible for server 1 below; the port might be blocked in the security group, as the Ansible servers are in AWS Cloud.
> server 1-
> kerberos: HTTPSConnectionPool(host='10.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f3d45abe5d0>, 'Connection to 10.x.x.x timed out. (connect timeout=30)'))
There is your reason that things don't work. Get this working first.
But as you can see below, there might be more bumps on the road.
> For server 2, could you elaborate more on this? What needs to be done to solve it?
> kerberos: HTTPSConnectionPool(host='192.x.x.x', port=5986): Max retries exceeded with url: /wsman (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')",),))
As stated by Jordan this can be diagnosed by running an openssl command.
So server1 has a networking problem, and possibly an SSL problem.
Server2 has no networking problem, but it has an SSL problem.
Maybe it isn't clear, but you first need network connectivity, and
once that works you need a correct SSL setup.
Network problems will mask SSL problems, effectively.
None of this is specific to ansible though.
Hello Jordan & dnmv,
Thanks again for your help.
Whatever you suggested worked: we opened the WinRM port on the firewall for the servers and disabled the SSL version in the registry, and now Ansible is successfully communicating with WinRM.
However, we still have a few servers where we get the errors below (telnet is working).
Server3 - Timeout error. ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMTransportError Bad HTTP response returned from server. Code 413
Server4 - Times out after one hour. Error: WinRMTransportError Bad HTTP response returned from server. Code 413.
Server5 - Timed out: 192.0.x.x
Please help... Thanks in advance.
Regards
AdminLp
HTTP 413 means Content Too Large:
https://www.rfc-editor.org/rfc/rfc9110.html#name-413-content-too-large
But I don't know enough about the MS ecosystem to fix that.
Is there any workaround solution for "HTTP 413 means Content Too Large"?
Hello,
Most of the timed-out servers are Windows 2008, and they have PowerShell version 2.0.
Is this the cause of Ansible failing to communicate with these servers?
The minimum PowerShell requirement for Windows is version 3. PowerShell version 2 is not compatible.
Thanks for the confirmation.
We will upgrade the PowerShell version to 3.0 on all Windows 2008 servers.
Failed with error: Unhandled Exception: OutOfMemoryException