Screen OS


  • 1.  Redundant VPNs - routing from peer perspective

    Posted 02-26-2013 18:22

    So I have two remote sites in which I am trying to set up redundant VPNs. Site A has two ISPs and site B has only one. I have configured two route-based VPNs between site A and site B, with site B having the two peers for each ISP at site A. My routes have a higher priority for the backup VPN on both sites and I am using track-ip at site A to down the interface for ISP 1 if it cannot talk. My question is in regards to site B. Assuming a failure condition at site A in which the primary interface is marked down and the routes fail over to the secondary ISP, how does site B know to start routing across the higher-preference backup tunnel? Essentially the failure is only seen by site A, so site B still thinks its routes are to ISP 1 even though the tunnel isn't up. Is there a way to configure site B to only use the primary VPN if it has an active SA and otherwise use the backup? Hope this makes sense, and I can attach some configs at a later date if needed. Appreciate the help in advance.



  • 2.  RE: Redundant VPNs - routing from peer perspective
    Best Answer

    Posted 02-27-2013 01:29

    Hi Bryan,

     

    VPN monitoring does this job. Enable VPN monitoring and the Rekey option on all IKEs. If VPN monitoring fails because of a failed SA, the NHTB entry which maps the SA to the VPN route changes its status to Down and deactivates the associated VPN route. The NHTB entries are generated dynamically if both devices are SSGs. Otherwise you should configure them manually. I usually use the remote GW IP both as the next hop in the VPN route and as the NHTB entry. If the remote GW has a numbered tunnel interface, I use its IP instead. The dynamically created NHTB entries are generated by ScreenOS in accordance with the described scheme.

    I also recommend enabling the VPN monitoring option "Optimized". This will prevent route flapping under a heavy VPN traffic load.
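
    The scheme described in this answer, written out for the site B side as an added illustration (not configuration from the original post or from Juniper). Gateway names, the 198.51.100.1 and 203.0.113.1 peer addresses, the 10.1.0.0/16 site A LAN and the preshared keys are constructed placeholders; lines starting with `#` are annotations, not ScreenOS CLI input.

    ```text
    # Site B has one ISP. Two route-based VPNs terminate on site A,
    # one per site A ISP address, each bound to its own tunnel interface.
    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip unnumbered interface ethernet0/0
    set interface tunnel.2 zone untrust
    set interface tunnel.2 ip unnumbered interface ethernet0/0

    # Primary VPN: peer is site A's ISP 1 address.
    set ike gateway GW-A-ISP1 address 198.51.100.1 main outgoing-interface ethernet0/0 preshare REPLACE-ME sec-level standard
    set vpn VPN-A-ISP1 gateway GW-A-ISP1 sec-level standard
    set vpn VPN-A-ISP1 bind interface tunnel.1
    # "rekey" keeps the SA established without waiting for user traffic;
    # "optimized" counts real tunnel traffic as liveness, so a busy tunnel
    # is not declared down and the route does not flap under load.
    set vpn VPN-A-ISP1 monitor optimized rekey
    # Manual NHTB entry: the next hop here must equal the gateway in the
    # VPN route below. Two SSGs build this entry dynamically; with any
    # other peer it has to be set by hand.
    set interface tunnel.1 nhtb 198.51.100.1 vpn VPN-A-ISP1

    # Backup VPN: peer is site A's ISP 2 address.
    set ike gateway GW-A-ISP2 address 203.0.113.1 main outgoing-interface ethernet0/0 preshare REPLACE-ME sec-level standard
    set vpn VPN-A-ISP2 gateway GW-A-ISP2 sec-level standard
    set vpn VPN-A-ISP2 bind interface tunnel.2
    set vpn VPN-A-ISP2 monitor optimized rekey
    set interface tunnel.2 nhtb 203.0.113.1 vpn VPN-A-ISP2

    # Two routes to site A's LAN. The lower metric is used while its SA
    # is up. When VPN monitoring marks the primary SA down, the tunnel.1
    # NHTB entry goes Down and the metric 10 route is deactivated, so
    # traffic moves to the metric 20 route over tunnel.2 even though
    # site B never sees site A's ISP 1 interface failure itself.
    set route 10.1.0.0/16 interface tunnel.1 gateway 198.51.100.1 metric 10
    set route 10.1.0.0/16 interface tunnel.2 gateway 203.0.113.1 metric 20
    ```

    Check the result with `get sa` (SA state per VPN) and `get route` (which of the two routes is currently active) after taking down the primary peer.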



  • 3.  RE: Redundant VPNs - routing from peer perspective

    Posted 02-27-2013 17:44

    Thanks for the help.