I have a number of remote Juniper SRX sites that connect back to a data center. At the data center there are two Cisco routers. The SRX is configured with IPSec tunnels to both routers. OSPF is being used as the IGP. The goal is to have the remote SRX use the primary tunnel unless it is down, if it is it should use the secondary tunnel. What appears to be happening is that the SRX will just get stuck on one or the other. It will failover but if tunnel 1 comes back up, it won't switch back over to that tunnel, it will instead stay on number 2.
I figured that by using OSPF metrics I could direct which tunnel to use but that doesn't seem to work. What is the best method to achieve this? Should I use some kind of tracking mechanism (I'm thinking like Cisco IP SLA type of thing).