After replacing the Primary and restoring from the Replica, RSA authentication does not work
The Primary needs a new RSA "node secret".
On the RSA server each of the appliances in the pair should be configured to have their own node secret. The RSA configuration information uploaded to the appliance is copied in backups and the DR process but not the node secret. When each appliance connects to the RSA server for the first time a node secret is established and stored on the appliance. When an RMA is performed the new appliance doesn't have that node secret so at the RSA server the customer should uncheck the box that a node secret exists for that appliance so that the next time the new appliance connects to the RSA server a new node secret is generated.
The sdopts.rec is only needed in the event the RSA server is not recognizing the communication, usually because the agent has more than one ip address. The TPAM should be tried without using it first; it should establish the connection fine without this file. There is no way to have two ip addresses in the file, since its job is to say which of its multiple ip addresses the agent is supposed to use to connect to the RSA server.