ASA HA Pair Replacement

Docklands
Level 1

Does anyone know where I could find the instructions for replacing a failed unit in a ASA High Availability pair?

14 Replies

balaji.bandi
Hall of Fame

If it is Active/Active, it is easy to fail-over all the contexts to one ASA and replace the failed until

Active/Standby is easy too, compared to Active/Active.

Following the thread below will help you with easy steps:

https://supportforums.cisco.com/t5/firewalling/asa-failover-pair-hw-replacement/td-p/1445549

BB

Thanks but I also came across that thread. As the author says, they too cannot find a standard procedure.

Dennis Mink
VIP Alumni

Have you raised a TAC case with Cisco yet, to RMA the failed unit? Do this first.

Also, have you got a backup of the failing/failed unit?

Thanks for the reply but I was after the config instructions.

Hello,

Here is roughly how I accomplish this:

  1. Shut down the SWITCH ports or physically remove the data cables from the failed unit and leave them disabled and disconnected. (This prevents Active/Active or other nonsense.)
  2. Replace the failed unit but ONLY plug in the failover cable, not the data-plane cables.
  3. Configure the failover configuration on the standby unit but do not enable failover yet.
  4. ! Presume the failover/crossover link is Ethernet0/3 (use the full interface name your platform shows, e.g. GigabitEthernet0/3 on 5500-X models)
    failover lan unit secondary
    failover lan interface FAIL Ethernet0/3
    failover key <Your_failover_Key_same_as_primary>
    failover replication http
    failover link FAIL Ethernet0/3
    ! Presume this unit's failover link IP address is 192.168.255.254 and the other unit is 192.168.255.253
    ! This command is identical on both units: the primary's address first, the secondary's address after "standby"
    failover interface ip FAIL 192.168.255.253 255.255.255.0 standby 192.168.255.254
    ! The failover interface itself must be administratively up or the link will never come up
    interface Ethernet0/3
     no shutdown
    ! we have not yet enabled failover!
  5. Make sure the other unit is reachable over the failover link with a ping to the failover IP 192.168.255.253. Once you are able to ping the remote unit via the failover link, you can safely enable failover. Since our data interfaces are down, there should be no danger of the standby unit going active.
    failover
  6. If things are working, you should see the "Detected active mate" message and a message about replicating the configuration. Issue a "show ip" and "show run" to verify that the configuration looks good.
  7. Re-enable the data-plane ports.

If this was helpful, please mark it as such and mark the question solved. Thanks!

-A
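Steps 6 and 7 above gate the reconnection of the data-plane ports on what the replacement unit reports. The following is an added example (not code from the original post or from Cisco) that parses `show failover` output and applies those two gates: before the switch ports are re-enabled it requires failover on, the failover LAN link up, this host in "Standby Ready", the mate "Active" and matching software versions; after the ports are re-enabled it requires every monitored data interface on this host to be "Normal". The two `show failover` captures, the interface names, addresses and version strings are all constructed for the example, not taken from a real device.

```python
"""Check ASA `show failover` output before/after reconnecting data-plane ports.
Sample outputs below are constructed for this example, not captured from a device."""
import re
from dataclasses import dataclass, field


@dataclass
class FailoverState:
    enabled: bool = False
    this_role: str = ""        # "Primary" / "Secondary", from `failover lan unit`
    this_state: str = ""       # e.g. "Standby Ready", "Active", "Sync Config", "Failed"
    mate_role: str = ""
    mate_state: str = ""
    version_ours: str = ""
    version_mate: str = ""
    lan_link_up: bool = False  # state of the failover LAN interface itself
    this_ifaces: dict = field(default_factory=dict)  # data interface -> status on this host


_PATTERNS = {
    "enabled": re.compile(r"^Failover (On|Off)\s*$"),
    "lan": re.compile(r"^Failover LAN Interface: \S+ \S+ \((\w+)\)"),
    "version": re.compile(r"^Version: Ours ([^,]+), Mate (.+)$"),
    "this": re.compile(r"^\s*This host: (\w+) - (.+?)\s*$"),
    "other": re.compile(r"^\s*Other host: (\w+) - (.+?)\s*$"),
    "iface": re.compile(r"^\s*Interface (\S+) \([^)]*\): (.+?)\s*$"),
}


def parse_show_failover(text: str) -> FailoverState:
    """Extract the fields the two checks need; interface lines are attributed
    to whichever host block ("This host" / "Other host") they appear under."""
    st = FailoverState()
    section = None
    for line in text.splitlines():
        if m := _PATTERNS["enabled"].match(line):
            st.enabled = m.group(1) == "On"
        elif m := _PATTERNS["lan"].match(line):
            st.lan_link_up = m.group(1).lower() == "up"
        elif m := _PATTERNS["version"].match(line):
            st.version_ours, st.version_mate = m.group(1).strip(), m.group(2).strip()
        elif m := _PATTERNS["this"].match(line):
            st.this_role, st.this_state = m.group(1), m.group(2)
            section = "this"
        elif m := _PATTERNS["other"].match(line):
            st.mate_role, st.mate_state = m.group(1), m.group(2)
            section = "other"
        elif (m := _PATTERNS["iface"].match(line)) and section == "this":
            st.this_ifaces[m.group(1)] = m.group(2)
    return st


def sync_problems(st: FailoverState) -> list:
    """Step 6 gate: what must hold before the data-plane ports are re-enabled.
    Data interfaces are expected to be down at this point, so their status is
    deliberately ignored here."""
    problems = []
    if not st.enabled:
        problems.append("failover is Off")
    if not st.lan_link_up:
        problems.append("failover LAN interface is not up")
    if st.this_state != "Standby Ready":
        problems.append(f"this host is '{st.this_state}', expected 'Standby Ready'")
    if st.mate_state != "Active":
        problems.append(f"mate is '{st.mate_state}', expected 'Active'")
    if st.version_ours != st.version_mate:
        problems.append(f"version mismatch: ours {st.version_ours}, mate {st.version_mate}")
    return problems


def data_plane_problems(st: FailoverState) -> list:
    """Step 7 gate: after the switch ports are re-enabled, every monitored data
    interface on this host should report Normal."""
    return [f"interface {name}: {status}"
            for name, status in st.this_ifaces.items()
            if not status.startswith("Normal")]


# Constructed capture: replacement (secondary) unit fully synced with its active mate.
SYNCED = """\
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Monitored Interfaces 2 of 60 maximum
Version: Ours 9.8(4), Mate 9.8(4)
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.0.2.2): Normal (Monitored)
        Other host: Primary - Active
                Active time: 3600 (sec)
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.0.2.1): Normal (Monitored)
"""

# Constructed capture: still syncing, versions differ, one data port still down.
NOT_READY = """\
Failover On
Failover unit Secondary
Failover LAN Interface: FAIL Ethernet0/3 (up)
Version: Ours 9.8(4), Mate 9.12(2)
        This host: Secondary - Sync Config
                  Interface outside (203.0.113.2): Normal (Monitored)
                  Interface inside (192.0.2.2): No Link (Waiting)
        Other host: Primary - Active
                  Interface outside (203.0.113.1): Normal (Monitored)
                  Interface inside (192.0.2.1): Normal (Monitored)
"""

if __name__ == "__main__":
    for label, capture in (("synced", SYNCED), ("not ready", NOT_READY)):
        st = parse_show_failover(capture)
        print(label, "| sync:", sync_problems(st) or "ok",
              "| data plane:", data_plane_problems(st) or "ok")
```

Paste the real `show failover` output into `parse_show_failover`; an empty list from `sync_problems` is the signal to move on to step 7, and an empty list from `data_plane_problems` afterwards confirms the reconnected ports are being monitored normally. A version mismatch is reported rather than silently tolerated because the mate will not replicate configuration to a unit running different software.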


How about if the failed unit is the primary?

Same procedure except replace the word "secondary" with "primary". Those designations are more or less arbitrary since ASA HA doesn't have any concept of preemption. Either way the new replacement unit will detect an active mate and sync from it.

Dear Martin,

So the replication of the configuration will happen from the secondary unit to the primary as well? Taking into consideration that when the secondary unit is active all changes are replicated to the primary unit, I presume the same for the failure scenario.

Thank you for the useful information!

Replication occurs from the unit currently in the Active role to the unit in the Standby role. That's independent of whichever one is designated primary or secondary.

Is it recommended to disable failover on the active unit while waiting for the replacement unit, or does it matter if failover is still enabled on the active unit?

Thanks

/Chess

It does not matter. I had this issue 2 times and never had to disable failover. When the replacement unit arrives, configure the failover link and connect only that to the network. When the replication is done you can connect the other interfaces and check the failover status using the show failover command.

No need to fail over to the replacement unit, but I always do to check that it runs as it should. If you have a Firepower module it will need separate configuration.

KR

Hi Arron Hackney,

Could you update the replacement steps for an ASA 5516 HA Active/Standby pair with Firepower? Thanks

@qi guo The ASA procedure is the same.

Note the Firepower service modules have no HA relationship between one another. If you have a Firepower service module then you need to reimage to match the version you had before, do the bootstrap configuration and configure any policy you had on it. If you are using FMC then it is as easy as re-registering and deploying the policies stored on FMC. If you were using ASDM management for the Firepower service module then you need to configure everything from the start manually.

Do you have any configuration example to share? I am using ASDM, no FMC.

The questions I still have are:

1. How do I register the license of the newly bought ASA5516-X with Firepower module? Our environment is offline.

2. As the Firepower module of the existing ASA5516-X has not had its IOS updated for a year, the newly bought one must have a different version. How do I upgrade the existing one?

3. I have backed up the configuration of the existing Firepower module. Can I just deploy it to the newly bought one to complete the Firepower module configuration?

4. We bought the SmartNet license for the new unit; how can I register it into my SmartNet account? Do I just need the sales contract number and then contact Cisco?

Thx
