Today we had a memory problem on our ASA 5510s. I had to do a passive reload, failover, then a primary reload. Luckily it fixed our problem, so I decided to write something simple up on how to do a graceful failover.
This assumes that your firewalls are already configured in an active/passive configuration. There are many Cisco documents on how to do this.
1. Save your configuration.
ASA(active)# copy running start
2. Reload your standby node.
ASA(active)# failover reload-standby
3. Verify status of your passive device.
ASA(active)# sh failover
4. If your secondary device is Standby Ready, you can fail over the primary to it.
ASA(active)# no failover active
Be careful which device you are on at this point. If you connect via SSH to the same IP again, you will be on the secondary node, which is now active and which you have already reloaded. Run a sh failover and get the IP of the primary node in Standby Ready mode. Connect to that device.
5. Reload the primary device.
6. Once the primary is done reloading (sh failover), you can move back to the primary or leave it on the secondary. This step is up to you.
ASA(passive)# failover active
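The check in steps 3 and 4 can be scripted. The following is an added example, not part of the original write-up: it parses saved sh failover output and reports whether the peer is ready to take over, plus the peer's addresses to connect to for step 5. The sample output is constructed, and the accepted interface states are an assumption about the output format of your ASA version.

```python
import re

# Constructed sample of "sh failover" output (trimmed); addresses are documentation ranges.
SAMPLE = """\
Failover On
Failover unit Primary
Last Failover at: 10:21:34 UTC Jan 5 2012
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (192.0.2.1): Normal
                  Interface inside (10.0.0.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.0.2.2): Normal
                  Interface inside (10.0.0.2): Normal
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\w+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")

def parse_failover(text):
    """Return {'enabled': bool, 'this': {...}, 'other': {...}} from sh failover text."""
    result, current = {"enabled": False}, None
    for line in text.splitlines():
        if line.strip() == "Failover On":
            result["enabled"] = True
        m = HOST_RE.match(line)
        if m:  # start of a "This host" / "Other host" section
            current = {"unit": m.group(2), "state": m.group(3), "interfaces": {}}
            result[m.group(1).lower()] = current
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:  # interface line belongs to the last host seen
            current["interfaces"][m.group(1)] = (m.group(2), m.group(3))
    return result

def safe_to_fail_over(status):
    """True only if failover is on, the peer is Standby Ready and its interfaces are up."""
    peer = status.get("other")
    if not status["enabled"] or peer is None or peer["state"] != "Standby Ready":
        return False
    # Assumption: healthy interfaces read "Normal", optionally with a suffix other than "(Waiting)".
    states = [s for _, s in peer["interfaces"].values()]
    return bool(states) and all(s.startswith("Normal") and "Waiting" not in s for s in states)

if __name__ == "__main__":
    st = parse_failover(SAMPLE)
    print("safe to run 'no failover active':", safe_to_fail_over(st))
    print("peer addresses:", {n: ip for n, (ip, _) in st["other"]["interfaces"].items()})
```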
Refer to this article for the detailed write-up.