FortiGate
rahulkaushik-22
Article Id 332442
Description This article describes how to build a failover tunnel on the secondary WAN.
Scope FortiGate.
 

In this scenario, the site-to-site IPsec tunnels have been created as described in this document: Basic site-to-site VPN with pre-shared key, with the primary tunnel bound to wan1 and the secondary tunnel bound to wan2. The secondary tunnel on wan2, however, was still down.

 

The default routes were configured as follows:

config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device wan1
        set gateway <gateway_address>
        set distance 10
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 20
    next
end

The wan2 route has a distance of 20, which is worse than the distance of 10 on the wan1 route, so it is not installed in the routing table: for a given destination, only the route with the lowest administrative distance is active. With no active route to the remote gateway via wan2, the secondary IPsec tunnel cannot be negotiated and stays down. It also does not come up when the primary tunnel fails, because the wan2 route is only installed once the wan1 route itself is withdrawn (for example when the wan1 link goes down), not when the primary tunnel alone goes down. For hot-standby failover onto the secondary tunnel, both default routes must be active at the same time.

To keep both routes in the routing table while still treating wan2 as the secondary ISP, give both routes the same distance and assign the wan2 route a higher priority value (a higher priority value means a lower preference).

 

Reconfigure the wan2 default route so that it has the same distance as the wan1 route and a higher priority value:

config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device wan2
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
end

 

Note:

With both default routes active, the secondary tunnel is already established. When the primary tunnel goes down, its routes are removed from the routing table and traffic fails over to the routes via the secondary tunnel, which are already present; no convergence is needed.

The default priority of a static route is 1. The lower the priority value, the more preferred the route. Routes that have been configured but are not installed in the routing table can be inspected with 'get router info routing-table database'.

The routes via the primary tunnel are only withdrawn when the tunnel interface goes down, so dead peer detection (dpd) should be enabled on the phase1 so that the FortiGate detects a failed peer promptly instead of waiting for the IPsec SA to expire.
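The complete hot-standby configuration that the steps above describe, as an added example that is not part of the original article: two phase1 interfaces bound to wan1 and wan2, both default routes active with wan1 preferred, and remote-LAN routes over both tunnels using the same distance-and-priority technique. The tunnel names, the LAN interface name "internal", the addresses (203.0.113.10, 198.51.100.10, 192.168.1.0/24, 192.168.2.0/24) and the placeholders <gateway_address> and <preshared_key> are assumptions for illustration; the blackhole route and the dead peer detection settings are the usual practitioner additions and are not from the article.

```fortios
# Added example, not from the original article. Assumed topology:
#   local FortiGate: wan1 (primary ISP), wan2 (secondary ISP), LAN 192.168.1.0/24 on "internal"
#   remote peer:     203.0.113.10 (primary WAN), 198.51.100.10 (secondary WAN), LAN 192.168.2.0/24
# Replace <gateway_address> and <preshared_key> with real values.

# Phase 1: one tunnel bound to each WAN. Dead peer detection makes a failed peer
# bring the tunnel interface, and therefore its routes, down quickly.
config vpn ipsec phase1-interface
    edit "primary-vpn"
        set interface "wan1"
        set ike-version 2
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 203.0.113.10
        set psksecret <preshared_key>
    next
    edit "secondary-vpn"
        set interface "wan2"
        set ike-version 2
        set dpd on-idle
        set dpd-retryinterval 5
        set remote-gw 198.51.100.10
        set psksecret <preshared_key>
    next
end

# Phase 2: auto-negotiate keeps the standby tunnel up even when it carries no traffic.
config vpn ipsec phase2-interface
    edit "primary-vpn-p2"
        set phase1name "primary-vpn"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "secondary-vpn-p2"
        set phase1name "secondary-vpn"
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

config router static
    # Both default routes active (same distance); wan1 preferred (lower priority value).
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "wan1"
        set gateway <gateway_address>
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "wan2"
        set gateway <gateway_address>
        set distance 10
        set priority 10
    next
    # Remote LAN over both tunnels, same technique: both routes stay installed, the
    # primary tunnel is preferred, and when "primary-vpn" goes down its route is
    # withdrawn and the already-installed "secondary-vpn" route takes over.
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set device "primary-vpn"
        set distance 10
        set priority 1
    next
    edit 4
        set dst 192.168.2.0 255.255.255.0
        set device "secondary-vpn"
        set distance 10
        set priority 10
    next
    # Blackhole with a worse distance: if both tunnels are down, traffic for the
    # remote LAN is dropped instead of leaking out the default route in clear text.
    edit 5
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policies must reference both tunnel interfaces, or traffic is dropped after failover.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "primary-vpn" "secondary-vpn"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "primary-vpn" "secondary-vpn"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification: both default routes and both remote-LAN routes should be listed,
# and both IKE gateways should be established.
#   get router info routing-table all
#   diagnose vpn ike gateway list
#   diagnose vpn tunnel list
```

To test the failover, shut down only the primary tunnel (for example by blocking IKE/ESP to 203.0.113.10 on the upstream side rather than unplugging wan1) and confirm with 'get router info routing-table all' that the 192.168.2.0/24 route via "secondary-vpn" remains and traffic continues without waiting for a route change.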


Related document: 
Manual redundant VPN configuration