I have a weird one here that I have encountered several times though I want to try to get to the bottom of it.
I have two head end (HQ) routers that connect to numerous spokes. Each spoke has two "set peer" commands in the "crypto map STEVE 1 ipsec-isakmp" menu. All spokes terminate on one headend router and the other is used for backup (with HSRP on the LAN client side). I use preshared keys.
All of this works fine. I have a ping going between a host at the Headend and a host on the spurs. I then switch off the primary headend router. What happens is that the ping stops and times out. However, if I then start a ping from the spur back to the client, everything starts to work again!!! It is almost as if the return path needs to be "requested" by the ping from the remote site. I am using straightforward crypto maps here with preshared keys. Dead simple. I have noticed this on several occasions with different software. I am using 12.2.15.T5 at the moment.
Another thing. I have also used the HSRP redundancy feature since my "WAN" links are ethernet microwave links. Therefore the "WAN" uses an HSRP virtual address referenced in the crypto map of the spurs. This works fine and is configured with preshared keys. Dead simple. However, I notice that it can take about thirty seconds for the pings to come back if I power off the active headend router. I cannot see a way to get this time down. I have HSRP set up at the headend so that the "encrypting" router is always the gateway router by tracking. Any ideas guys?