I believe we currently have a similar setup between our A/A firewalls and a VMware cloud setup. Previously we just used the VPN for some remote monitoring and return traffic but, due to an asymmetric route issue, we've got it set up to use the tunnel for bidirectional traffic. Each of my firewalls has a static route set for the appropriate network range with a next-hop of the tunnel interface. Looking at your diagram, it got me wondering if I wouldn't see some dropped packets with my current deployment, since the secondary firewall doesn't have an active IKE session and, therefore, the tunnel targeted in the next-hop wouldn't be active. Running a trace/ping test with WinMTR, I can see my test go to the secondary firewall, followed by a "No response from host" entry, followed by the gateway for the remote cloud at the other end of the tunnel, and then the server. Theoretically I should occasionally see a new version of this test going to the active firewall instead, but so far it's just been the secondary. I may be wrong, but it seems like what may be happening here is that, like @reaper mentioned, the A/A firewalls act as one system, so the secondary seems to be aware that it is not the one with the active connection through that tunnel at this time and moves the traffic over to the primary firewall (perhaps where I'm seeing the "No response from host"), and then the traffic follows the static route and flows down the tunnel.
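The forwarding behaviour the post above hypothesises (secondary member has no live IKE/IPsec SA, hands the packet to the primary over the cluster link, and that hand-off shows up as a silent hop in WinMTR) can be modelled in a few lines. This is an added illustration, not code from the original thread or from any firewall vendor; the node names, the assumption that the hand-off does not decrement TTL or emit an ICMP Time Exceeded, and the RFC 5737 addresses for the remote gateway and server are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Firewall:
    """One member of an active/active pair (hypothetical model)."""
    name: str
    ike_active: bool                    # holds the live IKE/IPsec SA for the tunnel?
    peer: Optional["Firewall"] = None   # the other cluster member


def trace_path(entry: Firewall, remote_gw: str, server: str) -> List[str]:
    """Return the hop list a WinMTR-style probe would display under the model.

    Model assumptions (not vendor-documented behaviour):
      * the probe's first hop is whichever member the client's traffic lands on;
      * a member without an active SA forwards the packet to its peer over the
        cluster link without decrementing TTL or answering with ICMP Time
        Exceeded, so that hop renders as "No response from host";
      * if neither member has an SA the static route points at a down tunnel
        and the traffic is dropped.
    """
    hops: List[str] = [entry.name]
    node = entry
    if not node.ike_active:
        if node.peer is None or not node.peer.ike_active:
            raise RuntimeError("no cluster member has an active SA: traffic dropped")
        hops.append("No response from host")   # silent hand-off to the peer
        node = node.peer
    # From the member holding the SA the packet enters the tunnel; the next
    # responders are the remote cloud gateway and then the server itself.
    hops.append(remote_gw)
    hops.append(server)
    return hops


def build_cluster(primary_has_sa: bool = True, secondary_has_sa: bool = False):
    """Wire up a two-member pair; by default only the primary holds the SA."""
    primary = Firewall("fw-primary", primary_has_sa)
    secondary = Firewall("fw-secondary", secondary_has_sa)
    primary.peer, secondary.peer = secondary, primary
    return primary, secondary


if __name__ == "__main__":
    primary, secondary = build_cluster()
    # Constructed addresses: 192.0.2.1 = remote cloud gateway, 192.0.2.10 = server.
    for entry in (secondary, primary):
        print(f"probe entering via {entry.name}:")
        for i, hop in enumerate(trace_path(entry, "192.0.2.1", "192.0.2.10"), 1):
            print(f"  {i:2d}  {hop}")
```

Entering via the secondary reproduces the four-line trace described in the post (secondary, silent hop, remote gateway, server); entering via the primary shows three hops with no silent entry. If the trace on a real deployment instead ends at the secondary with no further hops, the model's last assumption applies: the static route is pointing at a tunnel with no SA behind it and the traffic is being dropped rather than handed off.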