Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
624
Views
0
Helpful
3
Replies

Replace a Failed Firepower Appliance

rkAtCisco
Level 1
Level 1

‎06-27-2022 02:54 AM

Hello Everyone,

 

I need some guidance on how to replace a failed Firepower Appliance. There is ton's of information on cisco.com for this but none of them provides a step by step procedure as we generally would find in the case of routers/switches etc.

 

So here it goes, we have two Firepower 4100s on our network which run an ASA as a logical appliance, the two ASAs form an HA pair. One of the Firepowers has failed and Cisco TAC have confirmed that the device need to be replaced.

 

As I am very new to these devices, it will great if the experts here can guide me to some documentation which can help with swapping the device without resulting an an outage.

 

Thanks and regards

RK

Labels:
0 Helpful
3 Replies 3

johnlloyd_13
Level 9
Level 9

‎06-27-2022 03:12 AM

hi rk,

since you've got a case opened with TAC, why don't you ask for their guidance/document/best practice directly from them?

this is what you've paid for.

0 Helpful

rkAtCisco
Level 1
Level 1
In response to johnlloyd_13

‎06-27-2022 03:18 AM

Hello johnlloyd_13,

 

I did, the issue is I have not received a response from Cisco TAC yet which I am happy with.

 

Historically, I have been able to get better solutions here rather than from Cisco TAC.

 

Regards

RK

0 Helpful

Marius Gunnerud
VIP
VIP

‎06-28-2022 01:43 AM

Well there really isn't much to it since these are in an HA setup.  Here is a walkthrough from the FTD7.1 configuration guide

Step 1

If the unit you are replacing is functional, ensure that you fail over to the peer unit, then use the shutdown command from the device CLI to bring down the device gracefully. If the unit is not functional, confirm that the peer is operating in Active mode.

If you have Administrator privileges, you can also enter the shutdown command through the FDM CLI Console.
Step 2

Remove the unit from the network.
Step 3

Install the replacement unit and reconnect the interfaces.
Step 4

Complete the device setup wizard on the replacement unit.
Step 5

On the peer unit, go to the High Availability page and copy the configuration to the clipboard. Note whether the unit is the Primary or the Secondary unit.

If there are any pending changes, deploy them now and wait for deployment to complete before continuing.
Step 6

On the replacement unit, click Configure in the High Availability group, then select the opposite unit type from the peer. That is, if the peer is primary, select Secondary, if the peer is secondary, select Primary.
Step 7

Paste in the HA configuration from the peer, then enter the IPsec key if you use one. Click Activate HA.

Once deployment is complete, the unit will contact the peer and join the HA group. The active peer's configuration will be imported, and the replacement unit will be either the primary or secondary unit in the group, based on your selection. You can now verify that HA is operating correctly, and if desired, switch modes so that the new unit is the active unit.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-ha.html#id_72193

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card