Document ID: 115738
Updated: Jan 18, 2013
Contributed by Anurag Singh and Magnus Mortensen, Cisco TAC Engineers.
This document describes the solution to an issue that might occur when you upgrade from Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).
There are no specific requirements for this document.
The information in this document is based on Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
When an ASA is upgraded to version 8.4(4) through 8.4(4.9), some NAT commands might be removed from the configuration, and the following error message is displayed:
ERROR: <address range> overlaps with failover interface address
In addition, you might receive this error when you try to configure a NAT line while running one of these versions of ASA software.
These error messages are shown as a result of a prior bug fix that resulted in a NAT behavior change. In ASA software version 8.4(4) and 8.6(1.6), the NAT configuration restrictions changed such that you cannot configure a NAT line that would overlap with IP addresses used by the failover interfaces on the ASA (that is, if failover is configured). This code change was added in response to Cisco Bug ID CSCtw59136 (registered customers only).
Note: This problem occurs on ASA software version 8.4(4) and later, as well as code 8.6(1.6) and later. For these messages to appear, you must have failover configured, and you must be attempting to configure a NAT line where the addresses in question would overlap with the addresses configured on the failover interfaces.
When you configure failover, the failover IP subnets should be completely different from the subnets configured on other interfaces. This method helps reduce the risk of accidentally configuring NAT objects (or other ASA features) that overlap with failover IP subnets.
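As an added example (not part of the Cisco document and not Cisco tooling), the following Python script audits a saved configuration before an upgrade and lists the network objects used by NAT whose addresses include a failover interface address. It assumes IPv4 only, treats "overlap" as a failover active or standby address falling inside the object's address span, and uses constructed object names and addresses.

```python
import ipaddress
import re

# Constructed sample configuration; names and addresses are hypothetical.
SAMPLE_CONFIG = """\
failover interface ip folink 192.168.50.1 255.255.255.252 standby 192.168.50.2
object network OBJ-INSIDE
 subnet 10.1.1.0 255.255.255.0
object network OBJ-BROAD
 subnet 192.168.0.0 255.255.0.0
object network OBJ-RANGE
 range 192.168.50.2 192.168.50.10
nat (inside,outside) source static OBJ-INSIDE OBJ-INSIDE
nat (inside,outside) source static OBJ-BROAD OBJ-BROAD
object network OBJ-RANGE
 nat (inside,outside) dynamic interface
"""

def failover_addresses(config):
    """Active and standby IPv4 addresses from 'failover interface ip' lines."""
    pairs = re.findall(r"^failover interface ip \S+ (\S+) \S+ standby (\S+)", config, re.M)
    return [ipaddress.ip_address(a) for pair in pairs for a in pair]

def nat_objects(config):
    """Map object name -> (first, last) address for objects a NAT line uses."""
    spans, used, current = {}, set(), None
    for line in config.splitlines():
        words = line.split() or [""]
        if line.startswith("object network "):
            current = words[2]
        elif not line.startswith(" "):
            current = None                   # any other top-level line ends the object
            if words[0] == "nat":            # manual (twice) NAT names objects inline
                used.update(words)
        elif current and words[0] == "nat":  # object (auto) NAT inside the object
            used.add(current)
        elif current and words[0] == "host":
            spans[current] = (ipaddress.ip_address(words[1]),) * 2
        elif current and words[0] == "subnet":
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            spans[current] = (net[0], net[-1])
        elif current and words[0] == "range":
            spans[current] = tuple(ipaddress.ip_address(w) for w in words[1:3])
    return {name: span for name, span in spans.items() if name in used}

def overlapping_objects(config):
    """NAT-referenced objects whose span contains a failover address."""
    failover = failover_addresses(config)
    return sorted(name for name, (lo, hi) in nat_objects(config).items()
                  if any(lo <= addr <= hi for addr in failover))
```

Run `overlapping_objects()` on the text of the saved configuration; any object it returns is referenced by a NAT line that the versions named above might reject or remove.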
In order to resolve this issue, Cisco recommends that you upgrade to ASA software version 8.4(5) or a newer maintenance release.