[northlandboy]

You should be able to do what you want. If you're re-establishing SIC, then state sync will probably be broken, and you might drop established connections when you switch VRRP priorities. If that's a major issue, you could always temporarily allow out of state connections.

But anyway, your process seems OK. When you raised the VRRP priorities of the secondary, what happened? Did the primary stay master, even with a lower priority? And did the secondary stay in backup? Look at the detailed VRRP view, which shows things like the effective priority, and who the firewall thinks the master is.

You may even want to check things on the wire with tcpdump, to look at the VRRP traffic.

You haven't mentioned what version of IPSO you're running, but if it's 3.7+, then IPSO monitors the firewall state, for VRRP. If certain things aren't right (fwd, cphad not running, sync not working, no policy), then the firewall won't go into VRRP master.

Check to see if sync is working or not - cphaprob state. It might not work, it's hard to say for certain. You may even need to do another cpstop;cpstart after pushing the policy out, to get things working happily, so that VRRP will think all is well, and let that node go master.