Symptom
We confirmed a specific ASA HA pair scenario in which a unit that went to the Failed state because of "HA state progression failed" never rejoins the failover pair, even after the failover link recovers.
Detailed steps to reproduce this problem:
1.- Two ASAs configured as an HA pair.
2.- While the active ASA is replicating its configuration to the secondary ASA, force the failover link between the ASAs down in the middle of the configuration replication.
3.- The primary ASA keeps working as active. After roughly 10 minutes the secondary ASA moves from the Sync Config state to the Failed state with the reason "HA state progression failed".
4.- Bring the failover link between the ASAs back up.
5.- Failover communication over the failover link is confirmed to be restored, but the secondary ASA never attempts to re-negotiate and rejoin the failover pair.
6.- The final state of the HA pair is primary Active and secondary Failed.
This bug is opened to ask the ASA developers to correct this behavior so that a unit that entered the Failed state because of "HA state progression failed" rejoins the failover pair once the failover link comes back up.
Conditions
Two ASAs in an HA pair, with a failover link failure in the middle of the configuration replication from the active ASA to the secondary ASA.
AND
The secondary ASA's failover link stays down for more than 10 minutes.
Workaround
Make the failover link between the ASAs in the HA pair more resilient, using either of the following methods:
1.- Connect the failover link directly between the two ASAs, with no intermediate switches.
2.- If intermediate switches are required on the failover link path, use a redundant connection: a redundant interface or a port-channel (EtherChannel) as the failover link.
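The following is an added configuration example for workaround method 2; it is not text from the bug report or from Cisco documentation. It shows the primary unit with two physical ports bundled into an EtherChannel that carries both the LAN failover link and the stateful link, so the pair keeps its failover communication if one member port or one switch path is lost. The interface names, channel-group number, the name "folink" and the 10.10.10.0/30 addresses are assumptions chosen for illustration; adjust them to your platform. The secondary unit uses the same interface and failover lines with "failover lan unit secondary".

```text
! Added example, primary unit. Interface names, channel-group number,
! the "folink" name and the 10.10.10.0/30 addresses are assumptions.
! The member ports and the Port-channel carry no nameif/security-level:
! an interface used as the failover link must not be a named data interface.
interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 description Failover and state link (LACP bundle, tolerates loss of one member path)
 no shutdown
!
! Failover: Port-channel1 is the LAN failover link, and "failover link folink"
! with no interface argument reuses it as the stateful failover link.
failover lan unit primary
failover lan interface folink Port-channel1
failover interface ip folink 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover link folink
failover
```

To verify, "show port-channel summary" should list both member ports as bundled, and "show failover" should show Port-channel1 as the failover link with the peer in Standby Ready. "show failover history" records the state transitions on each unit, including a Sync Config to Failed transition with the reason "HA state progression failed" if the condition described above is hit. The other option in method 2, a redundant interface ("interface Redundant1" with two "member-interface" lines), is referenced the same way in the "failover lan interface" line but keeps one member active and the other as a standby instead of bundling them. As a general ASA note, not something this bug page states, "failover reset" issued on the active unit is the usual manual way to clear a peer from the Failed state.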