[Solved] Mikrotik Config Push error

Unimus support forum
SnowCrash
Posts: 3
Joined: Fri Dec 10, 2021 6:06 pm
Location: Northern Minnesota

Fri Dec 10, 2021 7:36 pm

I'm trying to write a new push script for our Mikrotik routers to standardize our allowed "access address" lists. In the past I was able to just type out the CLI commands in the Commands window and that would work; it would even bypass addresses that were already in the list. Not sure if it was the update to Unimus, but now the push config stops if it encounters an existing address.

Example.
If I run this push script on a router with no entries in the address list it works fine.

Commands

/ip firewall address-list
add address=172.16.0.0/12 comment=Local_Access list="Allowed Access"
add address=10.176.0.0/13 comment=OSPF list="Allowed Access"
Output

<prompt> /ip firewall address-list
<prompt> add address=172.16.0.0/12 comment=Local_Access list="Allowed Access"
<prompt> add address=10.176.0.0/13 comment=OSPF list="Allowed Access"
<prompt> 
But if the address list already contains the 172.16.0.0/12 entry, Unimus stops running the commands and errors out:

<prompt> /ip firewall address-list
<prompt> add address=172.16.0.0/12 comment=Local_Access list="Allowed Access"

failure: already have such entry

<prompt> 
Is this behavior by design? If so, is there a way to disable this?

In the end I would just like to push my whole new ACL list to all my routers and fill in any missing address list entries if possible.
Tomas
Posts: 1206
Joined: Sat Jun 25, 2016 12:33 pm

Mon Dec 20, 2021 3:07 pm

Sorry for the late reply - last week was super busy here with the log4j mess and our 2.2.0-Beta1 release.
SnowCrash wrote:
Fri Dec 10, 2021 7:36 pm
Example.
If I run this push script on a router with no entries in the address list it works fine.
...
But if the address list already contains the 172.16.0.0/12 entry Unimus stops running the commands and errors out
...
Is this behavior by design? If so, is there a way to disable this?
This is indeed by design - if Unimus sees the device report an error during Config Push, it will stop the push and assign the device into a failure group. This is for safety reasons - if you have a large push which relies on the sequence of commands, it's much safer to stop than to continue sending commands to the device which might have bad consequences. In short - if there is an error, it's much safer to stop than to continue sending commands.

We do plan to introduce a checkbox that controls this behavior into "Advanced Push Settings" in the future, but for now Push will stop on error.
SnowCrash wrote:
Fri Dec 10, 2021 7:36 pm
In the end I would just like to push my whole new ACL list to all my routers and fill in any missing address list entries if possible.
Pushes like this (that should manipulate existing configuration items and should be able to run multiple times) need to be written in a way that they take this into account.

In this case, I added a modified version in the Automation thread where you asked about this that will work: viewtopic.php?p=3316#p3316
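One way to write the address-list push so it can run repeatedly, as an added example that is not part of the original thread and is not the modified version linked in the reply above. It reuses the list name, addresses and comments from the question and guards each `add` with a `find`, so an existing entry never produces the "already have such entry" failure that stops the push.

```routeros
# Added example, not from the thread. List name, addresses and comments are the
# ones shown in the question; adjust them to your own ACL.
# Each line is one complete command: the entry is added only when no entry with
# the same list and address already exists, so a second run changes nothing and
# reports no error.
:if ([:len [/ip firewall address-list find where list="Allowed Access" address="172.16.0.0/12"]] = 0) do={ /ip firewall address-list add list="Allowed Access" address=172.16.0.0/12 comment=Local_Access }
:if ([:len [/ip firewall address-list find where list="Allowed Access" address="10.176.0.0/13"]] = 0) do={ /ip firewall address-list add list="Allowed Access" address=10.176.0.0/13 comment=OSPF }
```

The guard matches on list and address only, so an existing entry with a different comment is left as it is. Any other error from the device still surfaces and still halts the push, which keeps the stop-on-error safety behaviour described in the reply.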