
Document ID: 115738
Updated: Jan 18, 2013
Contributed by Anurag Singh and Magnus Mortensen, Cisco TAC Engineers.
Introduction
This document describes the solution to an issue that might occur when you upgrade from Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Adaptive Security Appliance (ASA) Software version 8.4(4) through 8.4(4.9).
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Problem
When an ASA is upgraded to version 8.4(4) through 8.4(4.9), some NAT commands might be removed from the config, and the following error message is displayed:
ERROR: <address range> overlaps with failover interface address
In addition, you might receive this error when you try to configure a NAT line while running one of these versions of ASA software.
These error messages are shown as a result of a prior bug fix that resulted in a NAT behavior change. In ASA software version 8.4(4) and 8.6(1.6), the NAT configuration restrictions changed such that you cannot configure a NAT line that would overlap with IP addresses used by the failover interfaces on the ASA (that is, if failover is configured). This code change was added in response to Cisco Bug ID CSCtw59136 (registered customers only).
Note: This problem occurs on ASA software version 8.4(4) and later, as well as code 8.6(1.6) and later. For these messages to appear, you must have failover configured, and you must be attempting to configure a NAT line where the addresses in question would overlap with the addresses configured on the failover interfaces.
Solution
When you configure failover, the failover IP subnets should be completely different from the subnets configured on other interfaces. This method helps reduce the risk of accidentally configuring NAT objects (or other ASA features) that overlap with failover IP subnets.
Cisco Bug ID CSCub59536 (registered customers only) was submitted in order to reverse this config restriction and was resolved in ASA software version 8.4(4.10) and later.
In order to resolve this issue, Cisco recommends that you upgrade to ASA software version 8.4(5) or a newer maintenance release.
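The following pre-upgrade check is an added example, not Cisco code or part of the original document. It scans a saved configuration for network objects whose addresses include a failover interface address, which is the overlap described in the Problem section. Assumptions: IPv4 only, every network object is checked whether or not a NAT line references it, and the sample configuration and the function name find_failover_overlaps are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.1.1.1 255.255.255.252 standby 10.1.1.2
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network WEB-SRV
 host 192.168.10.5
object network POOL
 range 10.1.1.2 10.1.1.20
"""

FAILOVER_RE = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)")
OBJECT_RE = re.compile(r"^object network (\S+)")
ADDR_RE = re.compile(r"^\s+(subnet|host|range) (\S+)(?: (\S+))?")

def _bounds(kind, a, b):
    """Return (first, last) addresses covered by an object definition."""
    if kind == "subnet":
        net = ipaddress.ip_network(f"{a}/{b}", strict=False)
        return net[0], net[-1]
    last = a if kind == "host" else b
    return ipaddress.ip_address(a), ipaddress.ip_address(last)

def find_failover_overlaps(config):
    """List (object, definition, failover_if, address) for each overlap."""
    failover, objects, current = [], [], None
    for line in config.splitlines():
        if m := FAILOVER_RE.match(line):
            name, active, _mask, standby = m.groups()
            failover += [(name, ipaddress.ip_address(ip)) for ip in (active, standby)]
        elif m := OBJECT_RE.match(line):
            current = m.group(1)
        elif current and (m := ADDR_RE.match(line)):
            objects.append((current, line.strip(), _bounds(*m.groups())))
        elif not line.startswith(" "):
            current = None  # left the object's indented block
    return [(obj, spec, name, str(ip))
            for obj, spec, (lo, hi) in objects
            for name, ip in failover if lo <= ip <= hi]

if __name__ == "__main__":
    for hit in find_failover_overlaps(SAMPLE_CONFIG):
        print("%s (%s) overlaps failover interface %s address %s" % hit)
```

Objects reported here are the ones to review before moving to an affected release. Giving the failover link its own subnet, as the Solution recommends, leaves the list empty.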