We set up a 1Gb Direct Connect to AWS with an IPSec tunnel for failover. We are running BGP across both for dynamic routing/failover.
When we take down the Direct Connect interface, traffic correctly fails over to the IPSec tunnel. The issue we're running into is when the Direct Connect comes back up. AWS starts routing over the Direct Connect, but the Fortigate still has the IPSec tunnel in its routing table.
As a test, we set up a prefix list and route map to adjust the metric from 20 to 30 on the routes received from the IPSec tunnel neighbor, but this didn't help.