Just issue a "clear crypto isakmp" and "clear crypto sa" on the spoke(s). That will clear the security association and resync with the new one with the hub. Moving forward, add the "crypto isakmp invalid-spi-recovery" command to your config.
Just a quick question: how would FW 2 be in a standby state if it is not an HA pair to begin with? And how would your modem know (unless it is a managed one) how to reroute inbound traffic to FW 2?
When you said "backup VLAN", do you mean having a copy of your internal and DMZ servers backed up on that VLAN, in case you lost your internal and DMZ server files? Was that your question?