Dual Internet VPN failover


Scenario 1:

Both the HQ and the remote site have dual Internet connections.

Two VPN tunnels are created as follows:

Local ISP1 <--> Remote ISP1

Local ISP2 <--> Remote ISP2


This keeps the topology and configuration simple: there is no cross VPN tunnel between ISP1 and ISP2.



FortiGate

The static route to the remote network over VPN1 keeps the default administrative distance (AD) of 10; the static route over VPN2 has AD 15.





A link monitor (over the VPN) is created on both FortiGates, sourced from the VPN interface; the ping runs between the LAN interface IPs.

HQ-FortiGate # show system link-monitor 
config system link-monitor
    edit "VPN1"
        set srcintf "ToRemote1"
        set server "10.20.1.254"
        set source-ip 10.10.1.254
    next
end


Link status can be seen in the GUI SD-WAN widget.






When ISP1 fails, the FortiGate may not quickly detect via DPD that the VPN is down, but the link monitor will fail, which withdraws the primary static route so that the secondary static route takes over.


Scenario 2:

HQ has dual Internet circuits, and the remote site has a single Internet circuit.

Two VPN tunnels:

HQ ISP1 <--> Remote ISP1
HQ ISP2 <--> Remote ISP1

The static route over VPN2 has the higher AD of 15.

If both sides are FortiGates, make sure DPD is set to "On Idle" so that it is actually enabled.

When HQ ISP1 goes down and only DPD is relied on, failover to VPN2 takes more than one minute.

With a link monitor created over VPN1, failover to VPN2 when ISP1 goes down costs only a single lost ping packet.
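The complete route and link-monitor configuration for Scenario 1, written out here as an added example rather than taken from the original post. It assumes the LAN subnets 10.10.1.0/24 (HQ) and 10.20.1.0/24 (remote), the tunnel interface names ToRemote2, ToHQ1 and ToHQ2 (only ToRemote1 and the LAN IPs appear in the post), and uses ping probing with update-static-route left enabled, which is what lets a failed monitor withdraw the AD 10 route.

```fortios
# ---- HQ FortiGate (LAN 10.10.1.0/24, assumed) ----
# Static routes to the remote LAN: VPN1 preferred (AD 10), VPN2 backup (AD 15).
config router static
    edit 1
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote1"
        set distance 10
    next
    edit 2
        set dst 10.20.1.0 255.255.255.0
        set device "ToRemote2"
        set distance 15
    next
end
# Link monitor over VPN1: ping the remote LAN IP from the local LAN IP via the tunnel.
# When the probes fail, static routes on ToRemote1 are withdrawn and route 2 takes over.
config system link-monitor
    edit "VPN1"
        set srcintf "ToRemote1"
        set server "10.20.1.254"
        set source-ip 10.10.1.254
        set protocol ping
        set update-static-route enable
    next
end

# ---- Remote FortiGate (LAN 10.20.1.0/24, assumed): mirror image ----
config router static
    edit 1
        set dst 10.10.1.0 255.255.255.0
        set device "ToHQ1"
        set distance 10
    next
    edit 2
        set dst 10.10.1.0 255.255.255.0
        set device "ToHQ2"
        set distance 15
    next
end
config system link-monitor
    edit "VPN1"
        set srcintf "ToHQ1"
        set server "10.10.1.254"
        set source-ip 10.20.1.254
        set protocol ping
        set update-static-route enable
    next
end
```

For Scenario 2 the HQ side is unchanged; the remote side has both tunnels terminating on its single ISP, so only the tunnel interface names differ.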

