Cisco Bug: CSCvt03933 - NAT policy configuration range limit to be imposed for IPv6 objects

Last Modified

Apr 15, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

6.4(0.0) GALLIANO

Description (partial)

Symptom:
In certain cases, a NAT policy deployment may time out and fail when deploying to an FTD device. Subsequent deployments may also fail due to FMC not successfully retrieving the running configuration from the device.

FTDISP01MEG# show running-config 
ERROR: Command Ignored, Configuration in progress...

We were unable to recover from this condition even with a reboot of FTD from FMC.  We were able to recover the unit after a reload on the LINA level.

Conditions:
Attempting to deploy NAT policies that contain objects with a very large range of IP addresses even without service objects (TCP, UDP ports).

For example, we were trying to deploy the following IPv6 range:

object network IPv6-Inside-Pool-Ven
 range 2800:800:fef1:a::1 2800:800:fef1:a::ffff:fffe

Total Hosts:  4294967294
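
As an added example (not Cisco's code and not part of the bug record), a pre-deployment check that parses `object network` / `range` lines from an exported configuration and flags ranges whose host count exceeds a review threshold. `MAX_RANGE_HOSTS` and the `Small-Pool-Constructed` object are assumptions; the page does not state the limit Cisco imposes.

```python
import ipaddress
import re

# Hypothetical review threshold; the bug page does not give Cisco's actual limit.
MAX_RANGE_HOSTS = 1 << 16

OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
RANGE_RE = re.compile(r"^\s+range (\S+) (\S+)\s*$")

# First object is the one shown on the page; the second is constructed for contrast.
SAMPLE = """\
object network IPv6-Inside-Pool-Ven
 range 2800:800:fef1:a::1 2800:800:fef1:a::ffff:fffe
object network Small-Pool-Constructed
 range 192.0.2.10 192.0.2.20
"""

def range_sizes(config_text):
    """Yield (object_name, host_count) for every 'range' line in an object block."""
    current = None
    for line in config_text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = RANGE_RE.match(line)
        if m and current:
            first = ipaddress.ip_address(m.group(1))
            last = ipaddress.ip_address(m.group(2))
            # Reject mixed address families and reversed bounds before counting.
            if first.version != last.version or last < first:
                raise ValueError(f"{current}: invalid range {first} {last}")
            yield current, int(last) - int(first) + 1  # inclusive count
        elif line and not line[0].isspace():
            current = None  # a new top-level command ends the object block

def oversized_ranges(config_text, limit=MAX_RANGE_HOSTS):
    """Return the objects whose range covers more than `limit` addresses."""
    return [(name, count) for name, count in range_sizes(config_text) if count > limit]

if __name__ == "__main__":
    for name, count in oversized_ranges(SAMPLE):
        print(f"{name}: {count} hosts exceeds review limit {MAX_RANGE_HOSTS}")
```
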