I had a full mesh setup using the old ScreenOS that experienced the same issue during failure scenarios. Because the metrics were the same for multiple paths, the traffic could run asymmetrically when particular links were down.
I ended up choosing one site as a "primary" site. The connections to this site were pegged at a smaller cost than all the other links, but a direct link was still the best.
This made the two-hop link through this site preferred over any other two-hop link and kept traffic going in the same paths.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
I think that you should use slightly different link costs (the same on both ends of the link, but different for different links) to get a deterministic path selection and avoid asymmetrical routing.
Multipoint (NHTB) will make your design cleaner, but IMO it will not solve any of the asymmetry problems. You will still need dynamic or static routing and, consequently, you will have to solve the path selection problem.
NHTB will NOT take care of routing; it will take care of forwarding packets into different tunnels USING the information from the routing table. And that information must come from somewhere: from some dynamic routing protocol (usually OSPF) or manual config (static).
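To make the two suggestions above concrete, here is an added example (my own illustration, not code from either poster or from Juniper) that models a four-site full mesh of tunnels and computes the equal-cost path set for every source/destination pair with each link failed in turn. It compares three metric schemes: identical costs everywhere, the "primary site" scheme (links to one site cheaper, direct link still best), and strictly distinct per-link costs that are the same in both directions. Site names A-D and the numeric costs are constructed for the example; any tie in the candidate set is a case where per-flow ECMP hashing at the two ends can pick different paths, which is the asymmetry being discussed.

```python
"""Constructed example: path-selection ties in a full-mesh VPN overlay.

Sites A-D and the link costs below are hypothetical; the model is a plain
Dijkstra over symmetric link metrics, which is what OSPF computes on the
st0 tunnel links once both ends advertise the same cost.
"""
import heapq
from itertools import combinations, permutations

SITES = ["A", "B", "C", "D"]  # hypothetical sites, full mesh of tunnels


def full_mesh(cost):
    """Build the full-mesh graph; cost(u, v) must be symmetric."""
    graph = {s: {} for s in SITES}
    for u, v in permutations(SITES, 2):
        graph[u][v] = cost(u, v)
    return graph


def without_link(graph, u, v):
    """Copy of the graph with the tunnel u<->v down."""
    g = {s: dict(n) for s, n in graph.items()}
    g[u].pop(v)
    g[v].pop(u)
    return g


def equal_costs(u, v):
    """Scheme 1: every link has the same metric (the original problem)."""
    return 10


def primary_site_costs(u, v, primary="A"):
    """Scheme 2: links touching the primary site are cheaper than the rest;
    a direct link (8 or 10) still beats any two-hop path (16 or more)."""
    return 8 if primary in (u, v) else 10


# Scheme 3: a different cost per link, identical in both directions.
# Every direct link (<= 15) still beats every two-hop path (>= 21).
DISTINCT = {("A", "B"): 10, ("A", "C"): 11, ("A", "D"): 12,
            ("B", "C"): 13, ("B", "D"): 14, ("C", "D"): 15}


def distinct_costs(u, v):
    return DISTINCT[tuple(sorted((u, v)))]


def all_shortest_paths(graph, src, dst):
    """Dijkstra that keeps every equal-cost path: the ECMP candidate set.
    Returns (total cost, sorted list of paths)."""
    best = {src: 0}
    paths = {src: [[src]]}
    pq = [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > best[u]:
            continue  # stale queue entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < best.get(v, float("inf")):
                best[v] = nd
                paths[v] = [p + [v] for p in paths[u]]
                heapq.heappush(pq, (nd, v))
            elif nd == best[v]:
                # Equal-cost alternative: the router may hash flows onto it.
                paths[v].extend(p + [v] for p in paths[u])
    return best.get(dst), sorted(paths.get(dst, []))


def tie_count(cost):
    """Number of (failed link, src, dst) cases with more than one equal-cost
    path, i.e. cases where the two directions can end up on different paths."""
    base = full_mesh(cost)
    ties = 0
    for u, v in combinations(SITES, 2):
        g = without_link(base, u, v)
        for s, d in permutations(SITES, 2):
            _, candidates = all_shortest_paths(g, s, d)
            if len(candidates) > 1:
                ties += 1
    return ties


if __name__ == "__main__":
    for name, cost in (("equal", equal_costs),
                       ("primary site A", primary_site_costs),
                       ("distinct", distinct_costs)):
        g = without_link(full_mesh(cost), "B", "C")
        print(name, "B->C with B-C down:", all_shortest_paths(g, "B", "C"))
        g = without_link(full_mesh(cost), "A", "C")
        print(name, "A->C with A-C down:", all_shortest_paths(g, "A", "C"))
        print(name, "tie cases across all single-link failures:", tie_count(cost))
```

In this constructed mesh the primary-site scheme removes the ties for failures of links between non-primary sites (B-C down leaves only B-A-C), but a failed link that touches the primary site itself still leaves two equal two-hop alternatives (A-C down: A-B-C and A-D-C at 18 each). Giving every link its own cost, the same at both ends, leaves no ties at all, which is the deterministic selection the second reply asks for.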
I can give you one solution, but it has one drawback; if you are OK with it, it will fix your problem.
Using interface source NAT for the VPN traffic will force your traffic to go back along the same path and avoid asymmetric routing. The only drawback is that you are hiding your real IP, so you are not able to use a policy for a specific user in the remote site, for example.
- Put all st0 interfaces in one security zone (for example, a VPN zone).
- Configure interface source NAT from the trust zone to the VPN zone.
- On each site, allow one security policy from the VPN zone to the trust zone permitting the st0 interface IPs to access the LAN.