Hi,

The failover is configured on port 0/8 on both firewalls and is directly connected. There doesn't appear to be any issues with that link, and the firewalls showed the config and ports looking as they should when i check with a "show fail" before performing the stateful failover. The initial stateful failover also worked without any issues (didn't lose a single ping to the internet) and it was at least 10 minutes before the primary then came back up and the issue occurred.

I've never seen this occur before and have performed numerous zero-downtime firewall upgrades both on this pair and many others and never had this outcome.

do this friend in both FW
interface GigabitEthernet1/8
no shut 

why would i need to no shut an interface that's already up?

Interface GigabitEthernet1/8 "Failover", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address cc16.7e98.dd1b, MTU 1500
IP address 172.16.254.1, subnet mask 255.255.255.252
18753 packets input, 2349476 bytes, 0 no buffer
Received 56 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
1465832 packets output, 1317433220 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 1 output reset drops
input queue (blocks free curr/low): hardware (1984/1918)
output queue (blocks free curr/low): hardware (2047/2008)
Traffic Statistics for "Failover":
18753 packets input, 2006214 bytes
1465832 packets output, 1291046460 bytes
0 packets dropped
1 minute input rate 1 pkts/sec, 129 bytes/sec
1 minute output rate 172 pkts/sec, 153593 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 184 bytes/sec
5 minute output rate 158 pkts/sec, 141132 bytes/sec
5 minute drop rate, 0 pkts/sec

Why would i need to no shut interfaces which are already up?

It defualt down not up' that why each fw not detect mate 

So just no shut it.

The ports are not in default and were up which is how the stateful failover occurred in the first place. the ports are live and were live when I initiated the failover otherwise I'd have not seen the standby unit as "standby ready".

Primary:

Interface GigabitEthernet1/8 "Failover", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address cc16.7e98.dd1b, MTU 1500
IP address 172.16.254.1, subnet mask 255.255.255.252
29222 packets input, 3681760 bytes, 0 no buffer
Received 59 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
2305301 packets output, 2075831472 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 1 output reset drops
input queue (blocks free curr/low): hardware (2011/1918)
output queue (blocks free curr/low): hardware (2047/2008)
Traffic Statistics for "Failover":
29222 packets input, 3149288 bytes
2305301 packets output, 2034334216 bytes
0 packets dropped
1 minute input rate 2 pkts/sec, 437 bytes/sec
1 minute output rate 138 pkts/sec, 122693 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 1 pkts/sec, 182 bytes/sec
5 minute output rate 136 pkts/sec, 121221 bytes/sec
5 minute drop rate, 0 pkts/sec

Secondary:

Interface GigabitEthernet1/8 "Failover", is up, line protocol is up
Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
Description: LAN/STATE Failover Interface
MAC address 0081.c450.607d, MTU 1500
IP address 172.16.254.2, subnet mask 255.255.255.252
2681082808 packets input, 2377976899072 bytes, 0 no buffer
Received 420 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
61111493 packets output, 7301123504 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 434 output reset drops
input queue (blocks free curr/low): hardware (2013/1889)
output queue (blocks free curr/low): hardware (2047/2027)
Traffic Statistics for "Failover":
2320992 packets input, 2004854428 bytes
29073 packets output, 3121166 bytes
0 packets dropped
1 minute input rate 133 pkts/sec, 115840 bytes/sec
1 minute output rate 1 pkts/sec, 120 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 135 pkts/sec, 117708 bytes/sec
5 minute output rate 1 pkts/sec, 182 bytes/sec
5 minute drop rate, 0 pkts/sec

please can you do this 
capture HA-link interface Failover match ip host 172.16.254.1 host 172.16.254.2
wait 5 min 
capture HA-link stop 
show capture HA-link 

check if both FW exchange hello message in time you do failover test. 
thanks 

Do i do this capture on the active firewall as i failover?

In any one'

Both FW send receive hello message.

I performed a stateful failover to secondary and reboot of primary standby without capturing to see if it was just a one off and lost service.

I then repeated this and captured the attached failover information.

Primary to secondary capture - just a standard stateful failover from primary active to secondary standby 

reboot of primary capture 1 - reboot of primary standby firewall - no loss of service

reboot of primary capture 2 - reboot of primary standby firewall - loss of service and primary became active itself.

There seems to be no issue with the failover link from these captures.

I'm at a loss as to why 2 out of 3 reboots of the primary standby causes loss of service. could it be a bug?

The ports are not default. The ports are live and being actively used to send the config to the standby. the failover link has to be working in order to perform a stateful failover, which it did. Entering no shut has no effect on interfaces already live.

IMO, having (any, any) in a NAT statement is always a misconfiguration.