Symptom
After creating a new route-based tunnel, the failover pair devices are not in sync.
FDM shows the standby device as not in sync.
"show crypto ipsec sa peer ..." on the primary shows the VPN is established, but the same command on the standby shows: "There are no ipsec sas for peer ...".
If failover happens in this state, the new active unit needs to negotiate the VPN from scratch.
Logs on the standby (in this case the primary unit was standby; the configuration was done on the secondary, which was active) show:
May 14 2021 12:00:18: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
May 14 2021 12:00:18: %FTD-7-720042: (VPN-Primary) Receiving Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) from active unit
May 14 2021 12:00:20: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
May 14 2021 12:00:24: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
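The repeated %FTD-5-720012 message for one outbound SPI is the signature of this condition. The following is an added detection example (not part of the bug report) that parses the FTD syslog lines quoted above and flags any SPI whose failover sync failed repeatedly within a short window; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the FTD syslog lines quoted in the bug report above.
SAMPLE_LOGS = """\
May 14 2021 12:00:18: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
May 14 2021 12:00:18: %FTD-7-720042: (VPN-Primary) Receiving Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) from active unit
May 14 2021 12:00:20: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
May 14 2021 12:00:24: %FTD-5-720012: (VPN-Primary) Failed to update IPSec failover runtime data on the standby unit. Outbound SPI 0x50fcec7a
"""

# Shape of the lines above: "<timestamp>: %FTD-<severity>-<msgid>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
SPI_RE = re.compile(r"Outbound SPI (?P<spi>0x[0-9a-fA-F]+)")
SYNC_FAIL_MSGID = "720012"  # "Failed to update IPSec failover runtime data"


def parse_line(line):
    """Return (datetime, msgid, spi or None) for an FTD syslog line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    spi_match = SPI_RE.search(m.group("text"))
    return ts, m.group("msgid"), spi_match.group("spi") if spi_match else None


def find_unsynced_spis(log_text, min_failures=2, window_seconds=60):
    """Return {spi: count} for SPIs with at least min_failures 720012 messages
    within window_seconds of the first failure (threshold values are assumed)."""
    first_seen = {}
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msgid, spi = parsed
        if msgid != SYNC_FAIL_MSGID or spi is None:
            continue  # other messages, e.g. 720042, carry no sync failure
        first_seen.setdefault(spi, ts)
        if (ts - first_seen[spi]).total_seconds() <= window_seconds:
            counts[spi] += 1
    return {spi: n for spi, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    print(find_unsynced_spis(SAMPLE_LOGS))  # {'0x50fcec7a': 3}
```

A hit on the active unit's syslog is the cue to verify the standby with "show crypto ipsec sa peer ..." and apply the workaround before a failover forces a full renegotiation.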
Conditions
FTD managed with FDM
Failover pair
Route-based VPN is configured
Workaround
Issue "write standby" on the active unit; the VPN then gets synced. Alternatively, pause HA on the standby unit and resume it.