topic Re: Replace a Failed Firepower Appliance in Network Security

Replace a Failed Firepower Appliance

rkAtCisco — Mon, 27 Jun 2022 09:54:34 GMT

Hello Everyone,

I need some guidance on how to replace a failed Firepower Appliance. There is ton's of information on cisco.com for this but none of them provides a step by step procedure as we generally would find in the case of routers/switches etc.

So here it goes, we have two Firepower 4100s on our network which run an ASA as a logical appliance, the two ASAs form an HA pair. One of the Firepowers has failed and Cisco TAC have confirmed that the device need to be replaced.

As I am very new to these devices, it will great if the experts here can guide me to some documentation which can help with swapping the device without resulting an an outage.

Thanks and regards

Re: Replace a Failed Firepower Appliance

johnlloyd_13 — Mon, 27 Jun 2022 10:12:56 GMT

hi rk,

since you've got a case opened with TAC, why don't you ask for their guidance/document/best practice directly from them?

this is what you've paid for.

Re: Replace a Failed Firepower Appliance

rkAtCisco — Mon, 27 Jun 2022 10:18:17 GMT

Hello johnlloyd_13,

I did, the issue is I have not received a response from Cisco TAC yet which I am happy with.

Historically, I have been able to get better solutions here rather than from Cisco TAC.

Regards

Re: Replace a Failed Firepower Appliance

Marius Gunnerud — Tue, 28 Jun 2022 08:43:23 GMT

Well there really isn't much to it since these are in an HA setup. Here is a walkthrough from the FTD7.1 configuration guide

Step 1	If the unit you are replacing is functional, ensure that you fail over to the peer unit, then use the shutdown command from the device CLI to bring down the device gracefully. If the unit is not functional, confirm that the peer is operating in Active mode. If you have Administrator privileges, you can also enter the shutdown command through the FDM CLI Console.
Step 2	Remove the unit from the network.
Step 3	Install the replacement unit and reconnect the interfaces.
Step 4	Complete the device setup wizard on the replacement unit.
Step 5	On the peer unit, go to the High Availability page and copy the configuration to the clipboard. Note whether the unit is the Primary or the Secondary unit. If there are any pending changes, deploy them now and wait for deployment to complete before continuing.
Step 6	On the replacement unit, click Configure in the High Availability group, then select the opposite unit type from the peer. That is, if the peer is primary, select Secondary, if the peer is secondary, select Primary.
Step 7	Paste in the HA configuration from the peer, then enter the IPsec key if you use one. Click Activate HA. Once deployment is complete, the unit will contact the peer and join the HA group. The active peer's configuration will be imported, and the replacement unit will be either the primary or secondary unit in the group, based on your selection. You can now verify that HA is operating correctly, and if desired, switch modes so that the new unit is the active unit.

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-ha.html#id_72193