We have two ISPs on-premises, ISP1 and ISP2, on a FortiGate firewall.
Two IPsec tunnels are created from on-premises to Azure for site-to-site connectivity, one per ISP.
The Azure VPN Gateway in the cloud and the FortiGate firewall on-prem are connected using two different tunnels.
Both tunnels are in the connected state 24x7, but the FortiGate is configured so that on-premises traffic flows through the secondary ISP's tunnel only if the primary ISP's tunnel goes down, even though both tunnels show as connected in Azure.
But from the Azure side, packets are flowing in both tunnels, and that's why whenever packets are routed through the secondary tunnel they are dropped at the on-premises side. So as a temporary measure we have to bring down the secondary tunnel so that Azure does not send data through that tunnel.
Is there any permanent solution for this issue? (We cannot enable BGP since it is not supported in the SKU we have. Also, can we achieve our goal via asymmetric routing or any other solution configured at the FortiGate firewall?)
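As an added illustration that is not part of the original question, the FortiGate CLI below contrasts the failover-by-distance static routes the question describes (only the primary route is installed, so packets Azure sends over the secondary tunnel fail the reverse-path check) with an equal-distance, different-priority arrangement in which both tunnel routes stay installed while outbound traffic still prefers the primary. The tunnel interface names `ToAzure-ISP1` / `ToAzure-ISP2` and the Azure VNet prefix `10.0.0.0/16` are placeholders, and the exact priority default varies by FortiOS version, so both priorities are set explicitly.

```fortios
# Added example; interface names and the 10.0.0.0/16 prefix are placeholders.

# --- Arrangement from the question: failover by administrative distance ---
# Only the distance-10 route is installed in the routing table, so a packet
# arriving from Azure on ToAzure-ISP2 has no active route back through that
# interface, fails the reverse-path check and is dropped.
config router static
    edit 1
        set dst 10.0.0.0/16
        set device "ToAzure-ISP1"
        set distance 10
    next
    edit 2
        set dst 10.0.0.0/16
        set device "ToAzure-ISP2"
        set distance 20
    next
end

# --- Alternative: same distance, different priority ---
# Both routes stay installed, so inbound packets on either tunnel pass the
# reverse-path check. Outbound traffic uses the route with the lower
# priority value and moves to the other tunnel when that interface goes down.
config router static
    edit 1
        set dst 10.0.0.0/16
        set device "ToAzure-ISP1"
        set distance 10
        set priority 5
    next
    edit 2
        set dst 10.0.0.0/16
        set device "ToAzure-ISP2"
        set distance 10
        set priority 10
    next
end

# Verification: both static routes should now be listed, with the
# preferred one marked, and inbound packets on the secondary tunnel
# should no longer be dropped.
# get router info routing-table static
# diagnose sniffer packet ToAzure-ISP2 'net 10.0.0.0/16' 4
```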