Ansible ios_command Module Failing to Connect
Presenting Symptom
Ansible playbook using ios_command module fails with 'unable to connect to remote device' error.
Network Context
A small branch office with a Cisco Catalyst 2960 switch running IOS 15.2. The switch is managed via Ansible from a central management server. The network uses SSH for management access. The issue occurs when running an Ansible playbook that executes show commands on the switch.
Diagnostic Steps
Verify SSH connectivity from Ansible control node
ssh -v admin@192.168.1.1
Expected output: SSH connection established, prompt appears
If SSH fails, check network connectivity, SSH server status, or credentials. If SSH succeeds, the issue is likely with Ansible configuration.
Check Ansible inventory and host variables
ansible-inventory --list
Expected output: JSON output showing host 192.168.1.1 with correct ansible_connection=network_cli, ansible_network_os=ios, ansible_user=admin
Verify that the host is defined with correct connection type and credentials. Common mistake: using 'ssh' instead of 'network_cli'.
Test Ansible connectivity using ping module
ansible switch -m ping
Expected output: SUCCESS => pong
If ping fails, check Ansible configuration or Python dependencies. If ping succeeds, the issue is specific to ios_command module.
Check Ansible log for detailed error
ansible-playbook playbook.yml -vvv
Expected output: Error message like 'unable to connect to socket' or 'paramiko: Authentication failed'
Look for specific error: 'unable to connect to socket' indicates SSH port issue; 'Authentication failed' indicates wrong credentials or SSH key issue.
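The inventory check and the error triage from the steps above can be scripted. The following is an added example, not part of the original scenario: it audits `ansible-inventory --list` JSON for the variables that break ios_command and maps the two -vvv messages to their likely cause. The sample inventory, the hosts 192.168.1.2 and 192.168.1.3, and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape `ansible-inventory --list` prints.
# Hosts .2 and .3 and all values are made up for this example.
SAMPLE = json.loads("""
{"_meta": {"hostvars": {
   "192.168.1.1": {"ansible_connection": "ssh", "ansible_network_os": "ios",
                   "ansible_user": "admin"},
   "192.168.1.2": {"ansible_connection": "network_cli", "ansible_network_os": "ios",
                   "ansible_user": "admin"},
   "192.168.1.3": {"ansible_connection": "network_cli", "ansible_network_os": "ios"}}},
 "switch": {"hosts": ["192.168.1.1", "192.168.1.2", "192.168.1.3"]}}
""")

# Short names and fully qualified collection names are both accepted.
GOOD_CONNECTIONS = {"network_cli", "ansible.netcommon.network_cli"}
GOOD_NETWORK_OS = {"ios", "cisco.ios.ios"}


def audit_ios_hosts(inventory, group="switch"):
    """Return {host: [problems]} for direct members of `group` (child groups not followed)."""
    hostvars = inventory.get("_meta", {}).get("hostvars", {})
    findings = {}
    for host in inventory.get(group, {}).get("hosts", []):
        hv = hostvars.get(host, {})
        problems = []
        if hv.get("ansible_connection") not in GOOD_CONNECTIONS:
            problems.append("ansible_connection=%r, expected network_cli"
                            % hv.get("ansible_connection"))
        if hv.get("ansible_network_os") not in GOOD_NETWORK_OS:
            problems.append("ansible_network_os=%r, expected ios" % hv.get("ansible_network_os"))
        if not hv.get("ansible_user"):
            problems.append("ansible_user is not set")
        if problems:
            findings[host] = problems
    return findings


def classify_error(verbose_output):
    """Map the two -vvv messages named in the steps above to their likely cause."""
    text = verbose_output.lower()
    if "unable to connect to socket" in text:
        return "ssh port issue"
    if "authentication failed" in text:
        return "wrong credentials or SSH key issue"
    return "unclassified"


if __name__ == "__main__":
    for host, problems in audit_ios_hosts(SAMPLE).items():
        print(host, "->", "; ".join(problems))
    print(classify_error("paramiko: Authentication failed"))
```

To run it against a real inventory, replace SAMPLE with the parsed output of ansible-inventory --list.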
Root Cause
The Ansible control node is using SSH key-based authentication, but the Cisco switch is configured with 'ip ssh server algorithm authentication publickey' disabled or the public key is not properly configured. Alternatively, the Ansible host_vars may have 'ansible_connection: ssh' instead of 'ansible_connection: network_cli'.
Resolution
Verification
Run the Ansible playbook again: ansible-playbook playbook.yml. Expected output: 'ok: [switch]' with show command output. Also verify SSH key authentication: ssh -i key admin@192.168.1.1 should succeed without password.
Prevention
1. Always use 'network_cli' connection for Cisco IOS devices in Ansible.
2. Configure SSH key-based authentication on switches for passwordless login.
3. Test connectivity with a simple module before running complex playbooks.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario may appear as a troubleshooting question about automation tools. The exam tests understanding of Ansible connection types (network_cli vs ssh) and SSH configuration on Cisco devices. Key fact: Cisco IOS devices require 'network_cli' connection for Ansible to interact with the CLI.
Exam Tips
Remember that Ansible uses 'network_cli' for Cisco IOS, not 'ssh'.
Know that SSH key authentication must be enabled on the switch with 'ip ssh server algorithm authentication publickey'.
Be familiar with the 'ansible-inventory --list' command to verify host variables.
Commands Used in This Scenario
show ip ssh
Displays the status and configuration of SSH server on the Cisco IOS device, used to verify SSH is enabled and check connection details.
show ssh
Displays the status and configuration of SSH server connections on a Cisco device, used to verify SSH sessions, authentication methods, and encryption settings.