Well, time for me to ask a question. I've done the research and can't find the answer anywhere, and I don't yet have any practical experience in this situation (PIX failover).
I have a PIX 515 that is going to be upgraded to a pair of 515E's in a failover configuration. There are approximately 150 PIX 501's that each connect a VPN tunnel back to the 515 (this situation is a retail store chain, hence the large number of remote sites). I know that even with stateful failover, the IPSec information will not failover to the backup PIX 515E.
My question is, with Dead Peer Detection (isakmp keepalives), will the remote 501's attempt to reconnect after they stop receiving a response to their keepalive packets? I want the situation that if a failover occurs, then all of the store 501's will automatically attempt to reconnect again, so that when they do this, it will be to the standby PIX.