In the past I've done this by bouncing (restarting) the ISAKMP server and reloading the IPSec policies.
Both are achieved from the command line:-
- cf daemond restart agent=isakmp_daemon
- cf ipsec reload
If you are running version 7, you can restart the ISAKMP server service from the GUI, by navigating to Monitor -> Service status and then right-clicking on the "isakmp" service & selecting restart from the pop-up menu.
Sometimes restarting the process is enough, but as the man page for "cf ipsec" says, the reload function serves to:-
Reapplies the IPsec VPN definitions to the kernel and IKE server.
If IPsec state is out-of-sync with a peer, this command can be used to clear the current IPsec state and reapply the VPN definitions.
An optional flush key can be used to indicate whether or not current VPN IPsec state should be flushed from the kernel (default is flush=yes).
Hope that helps.
This must be done on both nodes of the cluster (primary and standby)?
Based on your original description (only needing to re-boot the primary) I would have to say no.
But, as these commands take only a few seconds to run, I don't see any harm in running them on both nodes.