https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5196553#M1115940 <P>First i would Draw a diagram that includes cables and Layer2 to connection to switch.</P> <P>I would go simple steps :</P> <P>1. take the configuration backup from exiting firewall and write the configuration on the Live one.</P> <P>2. New one upgrade the ASA code as same old one same, Make sure both same model and same code on both device.</P> <P>3. Configure the Interface and HA Links and switch configuration.</P> <P>Follow below guide lines :</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html</A></P> <P>some example configuration you can follow :</P> <P><A href="https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/" target="_blank">https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/</A></P> <P>Note : before enable failover - check you have reachability between HA Link p2p IP ( so you are sure the connection reachable)</P> <P>If all&nbsp; good then when you enable failover on both unit you see below message as mentioned in the document :</P> <H4 id="ariaid-title32" class="title topictitle4">Running Configuration Replication</H4> <P><SPAN>Beginning configuration replication: Sending to mate,” and when it is complete, the ASA displays the message “End Configuration Replication to mate.” Depending on the size of the configuration, replication can take from a few seconds to several minutes.</SPAN></P> <P>&nbsp;</P> Thu, 19 Sep 2024 18:40:34 GMT balaji.bandi 2024-09-19T18:40:34Z https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5196536#M1115939 <P>Hi</P><P>I have a single Firepower 1120 running ASA software which is currently in production and working fine. It has been decided to add a second 1120 and convert them into an HA pair running as active/standby for redundancy.&nbsp;</P><P>Can anyone advise if there is an established process for doing this when one of the firewalls is already live, and would it be possible to achieve without any downtime?&nbsp;&nbsp;The traffic volume is low and it only has a handful of firewall and NAT rules, no VPN.&nbsp;</P><P>&nbsp;</P> Thu, 19 Sep 2024 18:21:10 GMT https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5196536#M1115939 graham robinson 2024-09-19T18:21:10Z https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5196553#M1115940 <P>First i would Draw a diagram that includes cables and Layer2 to connection to switch.</P> <P>I would go simple steps :</P> <P>1. take the configuration backup from exiting firewall and write the configuration on the Live one.</P> <P>2. New one upgrade the ASA code as same old one same, Make sure both same model and same code on both device.</P> <P>3. Configure the Interface and HA Links and switch configuration.</P> <P>Follow below guide lines :</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/ha-failover.html</A></P> <P>some example configuration you can follow :</P> <P><A href="https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/" target="_blank">https://www.packetswitch.co.uk/cisco-asa-active-passive-failover-example/</A></P> <P>Note : before enable failover - check you have reachability between HA Link p2p IP ( so you are sure the connection reachable)</P> <P>If all&nbsp; good then when you enable failover on both unit you see below message as mentioned in the document :</P> <H4 id="ariaid-title32" class="title topictitle4">Running Configuration Replication</H4> <P><SPAN>Beginning configuration replication: Sending to mate,” and when it is complete, the ASA displays the message “End Configuration Replication to mate.” Depending on the size of the configuration, replication can take from a few seconds to several minutes.</SPAN></P> <P>&nbsp;</P> Thu, 19 Sep 2024 18:40:34 GMT https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5196553#M1115940 balaji.bandi 2024-09-19T18:40:34Z https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5199269#M1116069 <P>Thanks, I followed the guidelines and was able to convert the single unit into an HA pair.</P><P>There was an outage of about 30secs after entering the "failover" command on the active unit whilst it negotiated with the new unit and then applied the active config again, but that's fine.</P> Thu, 26 Sep 2024 09:02:58 GMT https://community.cisco.com/t5/network-security/convert-single-firepower-1120-into-an-ha-pair/m-p/5199269#M1116069 graham robinson 2024-09-26T09:02:58Z