I do not believe there are any preemption options for the gateway. Failover from the primary to secondary works because the client will automatically try to reconnect when is loses connection to the gateway, so it will test the primary, find it is unreachable, and then fail to the secondary. But when the primary comes back up it is already connected (to the secondary) gateway), so there is no reason to retest. Clients should automatically return to the primary gateway when the maximum VPN lifetime expires, though this may take considerable time (I believe the default is 30 days).
Some options might be: decrease the VPN lifetime; tell clients to manually switch back to the primary; or block the secondary gateway to force clients back to the primary.
... View more