Cisco ASA 5500-X Series Next-Generation Firewalls

ASA "ERROR: [address_range] overlaps with failover interface address" Received After Upgrade

Document ID: 115738

Updated: Jan 18, 2013

Contributed by Anurag Singh and Magnus Mortensen, Cisco TAC Engineers.

Introduction

This document describes the solution to an issue that might occur when you upgrade from Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Problem

When an ASA is upgraded to version 8.4(4) through 8.4(4.9), some NAT commands might be removed from the config, and the following error message is displayed:

ERROR: <address range> overlaps with failover interface address

In addition, you might receive this error when you try to configure a NAT line while running one of these versions of ASA software.

These error messages are shown as a result of a prior bug fix that resulted in a NAT behavior change. In ASA software version 8.4(4) and 8.6(1.6), the NAT configuration restrictions changed such that you cannot configure a NAT line that would overlap with IP addresses used by the failover interfaces on the ASA (that is, if failover is configured). This code change was added in response to Cisco Bug ID CSCtw59136 (registered customers only).

Note: This problem occurs on ASA software version 8.4(4) and later, as well as code 8.6(1.6) and later. For these messages to appear, you must have failover configured, and you must be attempting to configure a NAT line where the addresses in question would overlap with the addresses configured on the failover interfaces.

Solution

When you configure failover, the failover IP subnets should be completely different from the subnets configured on other interfaces. This method helps reduce the risk of accidentally configuring NAT objects (or other ASA features) that overlap with failover IP subnets.

Cisco Bug ID CSCub59536 (registered customers only) was submitted in order to reverse this config restriction and was resolved in ASA software version 8.4(4.10) and later.

In order to resolve this issue, Cisco recommends that you upgrade to ASA software version 8.4(5) or a newer maintenance release.
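
A pre-upgrade check for the overlap condition described in this document, as an added example that is not Cisco code: it parses a saved configuration for `failover interface ip` lines and flags `object network` definitions whose addresses intersect a failover subnet. The sample configuration is constructed, the function names are hypothetical, and the script assumes IPv4 and compares against the whole failover subnet, which may be stricter than the test the ASA itself applies (this document does not state it).

```python
import ipaddress
import re

# Constructed sample configuration (not taken from the original document).
SAMPLE_CONFIG = """\
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network BROAD-POOL
 range 10.10.10.0 10.10.10.20
 nat (inside,outside) static 203.0.113.10
object network DMZ-HOST
 host 172.16.5.10
"""

def failover_networks(config):
    # Assumes the IPv4 form: failover interface ip <name> <addr> <mask> standby <addr>
    pat = r"^failover interface ip (\S+) (\S+) (\S+)"
    return {n: ipaddress.ip_network(f"{a}/{m}", strict=False)
            for n, a, m in re.findall(pat, config, re.M)}

def object_ranges(config):
    # Yield (object_name, first_ip, last_ip) for host/subnet/range definitions.
    name = None
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if line.startswith("object network ") and len(parts) == 3:
            name = parts[2]
        elif not line.startswith(" "):
            name = None  # left the object sub-mode
        elif name and parts[0] == "host" and len(parts) == 2:
            yield name, ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[1])
        elif name and parts[0] == "subnet" and len(parts) == 3:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            yield name, net[0], net[-1]
        elif name and parts[0] == "range" and len(parts) == 3:
            yield name, ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])

def find_overlaps(config):
    # Two closed intervals overlap when each starts before the other ends.
    fo = failover_networks(config)
    return [(obj, ifname, str(net))
            for obj, first, last in object_ranges(config)
            for ifname, net in fo.items()
            if first.version == net.version and first <= net[-1] and last >= net[0]]
```

Calling `find_overlaps()` on the text of a saved configuration returns one tuple per object that should be reviewed before the upgrade; only the object definitions are checked, not mapped addresses written inline on `nat` lines.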
