Physical Connectivity:
a> Site1-->Site2-->Site3
b> Site4-->Site5-->Site6
c> Site2-->Site5
d> Site3 & Site6 are internally connected on the same cloud.
S/w encryption has been enabled on Site1, Site3 & Site6. There are 2 tunnels. The primary is Site1---Site3.
By default, packets will use this tunnel. The secondary tunnel is between Site1-->Site6. In case the link between Site2-->Site3 fails, data needs to be routed through the secondary tunnel.
Problem:
1> The "Sh crypto isakmp sa" shows both SAs (for Primary and Secondary). And they show the status "deleted" alternately, in a continuous fashion. Sometimes, in the normal scenario, the packet takes the secondary tunnel, which is unwanted. It should go through this only when the Site2-->Site3 link goes down.
2> When the link Site2-->Site3 fails, the secondary tunnel doesn't get established automatically. I check using: Sh crypto ipsec . When I clear the primary tunnel using "Clear crypto isakmp sa" & "Clear Crypto sa", then only the secondary tunnel gets created and data routed, else not. I want that to happen automatically.