So what I did so far is increase from 3 to 60 ipsec retries and that kind of helped.
I have to understand which knobs I can use to adjust timing settings for RAPs. I am talking from the RAP's local perspective, right before a firewall with 2 ISPs.
My firewall kills all states on any ISP failure, so once it happens I have like a 4-second outage, then I am back online on the secondary ISP (tested on wifi), then wifi still works for 10 or 15 seconds, and then I lose another 10 pings (1 sec interval) before the APs readjust (I guess this must be a new IPsec tunnel using the other active ISP, but why did it work for 10 to 15 sec before that happens?). Also I realized that I had preemption on with a 60 sec hold timer, so after 60 seconds there was another outage, but I got rid of it by increasing the hold timer to something like 600.
Do I really need to rebootstrap in case of failure of my RAP gateway? Can my IPsec reconnect seamlessly?