Annoying Cisco ASA bug in IOS 8.4.5 and 8.4.6 – ERROR: NAT Policy is not downloaded

It’s been already few month when we upgraded ASA box to 8.4.6 IOS version.
I needed to add new NAT rules and ended up with error “ERROR: NAT Policy is not downloaded”. After contacting local Cisco support I was told this is a known issue and the workaround is to remove all NAT configuration and paste it back. I rejected this solution and insisted on getting the new version of IOS that would fix this issue. After while I was told there is 8.4.6 interim release which indeed solves the problem. After upgrade to this release the bug seems to be gone.

8.4.6 Interim Release Notes

Here is the official page about this bug

Bug details:

Unable to add static NAT/PAT after upgrade to 8.4.5.
Symptom: following error message seen while adding static NAT/PAT. ERROR: NAT Policy is not downloadedConditions: May not be seen always. On customer setup , he noticed this after upgrading to 8.4.5. Workaround: As of now, Clearing the entire NAT configuration and reapplying Should fix the issue. This could be the possible workaround, but it could not be tested at the customers end. ASA(config#)Clear configure Nat	Status Fixed Severity 3 – moderate Last Modified In Last 7 Days Product Cisco ASA 5500-X Series Next-Generation Firewalls Technology IP Addressing Services 1st Found-In 8.4(5) Fixed-In 100.7(6.117)M 8.4(6.1) 8.4(6.99)
Interpreting This Bug Bug Toolkit provides access to the latest raw bug data so you have the earliest possible knowledge of bugs that may affect your network, avoiding un-necessary downtime or inconvenience. Because you are viewing a live database, sometimes the information provided is not yet complete or adequately documented. To help you interpret this bug data, we suggest the following: This status of this bug is fixed. The problem described in the bug report is “fixed-in” all release versions targeted to be fixed, and all changes have been successfully tested. Check for a software release later than these listed in the “Fixed-in” versions in software download center. The “fixed-in” version may not be available for download yet until all the other bugs targeted to be fixed for that major release are processed. No release date information is available to Bug Toolkit. Please check the software download section frequently to look for a new version. Sometimes the bug details, when available, contain the “fixed-in” version information or link to the upgrade or patch. Always check the software release notes before performing any upgrade to understand new functionality and open bugs not yet fixed. Any “workaround” listed in the bug details section is generally provided as a way to circumvent the bug until the code fix has been completed; often in lieu of downgrading to a non-affected version of code. In certain rare circumstances, we are unable to fix the bug in all versions in which it is found. The bug will still have a ‘fixed’ status. Please open a service request with the Technical Assistance Center if you are being impacted by a bug in this condition. Obscure version references are usually internal builds and may never be posted as a full release. Please watch for a release version later than the interim build displayed. This bug has a Moderate severity 3 designation. Things fail under unusual circumstances, or minor features do not work at all, or things fail but there is a low-impact workaround. This is the highest level for documentation bugs. (Bug Toolkit may not provide access to all documentation bugs.) Severity levels are designated by the engineering teams working on the bug. Severity is not an indication of customer priority which is another value used by engineering teams to determine overall customer impact. Bug documentation often assumes intermediate to advanced troubleshooting and diagnosis knowledge. Novice users are encouraged to seek fully documented support documents and/or utilize other support options available.

Posted in ASA 5000 series, Cisco devices configuration