Hi,
Personally I haven't had to do this kind of change. When interfaces have changed it has almost always been a larger change where some downtime was to be expected.
You could maybe do it like this:
- Remove the secondary unit from the network and remove the Failover configurations (I think you can leave the standby IP configurations intact, but not 100% sure)
- Change the DMZ configurations and physical connections to the new port. You will also need to issue all the "nameif" related commands again (like NAT commands and attaching ACL to an interface and so on).
- Configure the new Failover link
- Perhaps even clear the configurations on the former secondary unit and configure it with just the failover configurations and let it copy the settings from the primary/active unit when it's (secondary ASA) connected to the network.
Of course you'd better back up the original situation/configuration and also gather all the configurations related to the DMZ interfaces "nameif" since you will lose all those when moving the interface configurations (you can't change the nameif to another interface/subinterface without losing the related configurations as the ASA won't let you name another interface with the same "nameif" if one already exists).
- Jouni
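
Added example, not part of Jouni's post: one way to gather the "nameif" related commands from a saved running-config before moving the interface, so the NAT rules, ACL bindings and routes can be re-issued afterwards. The sample config, the nameif `dmz` and the function name `nameif_dependent_lines` are assumptions made for illustration.

```python
import re

# Constructed sample of a saved ASA running-config (addresses and names are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
object network WEB-SRV
 nat (dmz,outside) static 198.51.100.10
access-list DMZ_IN extended permit tcp any host 192.0.2.10 eq www
mtu dmz 1500
mtu dmz2 1500
access-group DMZ_IN in interface dmz
access-group DMZ2_IN in interface dmz2
route dmz 10.20.0.0 255.255.0.0 192.0.2.254 1
ssh 10.0.0.0 255.0.0.0 inside
"""


def nameif_dependent_lines(config_text, nameif):
    """List config lines that reference `nameif` as a whole token.

    An indented sub-command is returned together with its parent line,
    so "nat (dmz,outside) ..." keeps the "object network" it belongs to.
    """
    # Whole-token match: "dmz" must not match "dmz2" or "dmz-old".
    token = re.compile(r"(?<![\w-])" + re.escape(nameif) + r"(?![\w-])")
    hits, parent, parent_listed = [], None, False
    for line in config_text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and "!" separators carry no config
        if not line.startswith(" "):
            parent, parent_listed = line, False
            if token.search(line):
                hits.append(line)
                parent_listed = True
        elif token.search(line):
            if parent is not None and not parent_listed:
                hits.append(parent)
                parent_listed = True
            hits.append(line)
    return hits


if __name__ == "__main__":
    for entry in nameif_dependent_lines(SAMPLE_CONFIG, "dmz"):
        print(entry)
```

The `access-list` entries themselves do not contain the nameif, so only the `access-group` binding shows up in the list; comparing this list before and after the change shows whether any binding on the DMZ interface was left out.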