After a software upgrade on the Secure Firewall Threat Defense (FTD), policy deployment fails with this error in the deployment transcript:
FMC >> ip local pool vpnpool1 192.0.2.1-192.0.2.30 mask 255.255.225.224
firewall >> info : Invalid Netmask: Netmask is not contiguous
The deployment fails because the network mask 255.255.225.224 is discontiguous; specifically, the third octet of the mask is discontiguous.
FMC-managed Firepower 2110 running FTD. Other hardware platforms and ASA software can also be affected.
First seen after the software upgrade to version 7.4.4. Other target versions can also be affected.
The firewall is configured with remote access Virtual Private Network (VPN) and a locally defined IP pool.
The deployment is successful after configuring a contiguous network mask.
The deployment fails because of an attempt to configure a discontiguous network mask. This is expected behavior introduced as part of Cisco bug ID CSCwm37455, where the software includes additional validation that disallows the configuration of local IP pools with discontiguous network masks. This software defect is fixed in software release 7.4.3 and later releases within the 7.4.x series.
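A pre-upgrade check for the condition described above, as an added example that is not Cisco code: it scans a saved configuration for `ip local pool` lines and reports any mask that is not contiguous, along with the offending octet. It assumes pool lines follow the syntax shown in the transcript; the function names and the second sample pool are constructed for illustration.

```python
import ipaddress
import re

# Pool syntax as it appears in the deployment transcript on this page.
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+) mask (\S+)\s*$")

# Constructed sample: the first pool is the failing line from the transcript,
# the second is a made-up pool with a valid mask.
SAMPLE_CONFIG = """\
! constructed sample configuration
ip local pool vpnpool1 192.0.2.1-192.0.2.30 mask 255.255.225.224
ip local pool vpnpool2 198.51.100.1-198.51.100.62 mask 255.255.255.192
"""


def first_bad_octet(mask):
    """Return the 1-based octet holding the first 1-bit that follows a 0-bit.

    Returns None when the mask is contiguous (all 1-bits, then all 0-bits).
    Raises ValueError if the mask is not a dotted-quad IPv4 value.
    """
    seen_zero = False
    for index, octet in enumerate(ipaddress.IPv4Address(mask).packed, start=1):
        for bit in range(7, -1, -1):  # most significant bit first
            if (octet >> bit) & 1:
                if seen_zero:
                    return index
            else:
                seen_zero = True
    return None


def audit(config_text):
    """Return (line_number, pool_name, mask, bad_octet) for each bad pool."""
    findings = []
    for line_number, line in enumerate(config_text.splitlines(), start=1):
        match = POOL_RE.match(line)
        if not match:
            continue
        name, _address_range, mask = match.groups()
        bad_octet = first_bad_octet(mask)
        if bad_octet is not None:
            findings.append((line_number, name, mask, bad_octet))
    return findings


if __name__ == "__main__":
    for line_number, name, mask, octet in audit(SAMPLE_CONFIG):
        print(f"line {line_number}: pool {name} mask {mask} "
              f"is not contiguous (octet {octet})")
```

Running it against the configuration before the upgrade identifies the pools that need a corrected mask, so the first deployment after the upgrade does not fail.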
Cisco bug ID CSCwm37455
| Revision | Publish Date | Comments |
|---|---|---|
| 1.0 | 12-Jun-2026 | Initial Release |