Interesting question... I am

aldrabkin · ‎03-21-2017

Hello! I have to Cisco ASA 5515 in Active/Standby mode.

Can in install Firepower module only in Active ASA?

Can i move SFR from Active to Standby if Active fails?

Thx in advance!

Rahul Govindan · ‎03-21-2017

Your ASA failover will also check the status of the SFR module as a part of its default checks. You can use "no monitor-interface service-module" if you want to avoid this check.

Plus you have an ASA5515. The SFR is not installed on a separate hardware module slot as the ASA5585. You cannot move that from one ASA to another. You would have to install it on the Standby ASA also.

aldrabkin · ‎03-21-2017

Hi, Rahul. Thx for your answer.

The SFR is not installed on a separate hardware module slot as the ASA5585, but SFR is installed on separate SSD disk. So can i remove SSD and insert it to another ASA?

It can be useful when i want to replace my old Cisco ASA 5515 with a new Cisco ASA 5516-X.

fisko · ‎03-21-2017

Interesting question... I am not sure that your standby ASA will recognize preinstalled SFR module on SSD disk....best option is to try this and tell us what happened when you move SSD disk from one ASA to another...other issue could be ARP from network...you will get same IP for firepower on another MAC address....so try to clear arp on local L3 or FMC....and see will FMC see "new" Firepower

Marvin Rhoads · ‎03-21-2017

No you cannot just swap disks to move the installed sfr module from a 5515-X to a 5516-X (or any other scenario like an RMA of an ASA with FirePOWER service module).

The software module uses a combination of disk0 (internal disk) and the SSD to install and operate the FirePOWER service module.

Only by following the documented procedures to image, bootstrap, register and deploy policies to the module can you end up with a supported and properly operating configuration.

Firepower Active/Standby ASA