the site is not load balancing; it is failover only with preemptive fallback to the primary circuit when it is restored. They understand that the tunnels will go down for potentially several minutes during such an event but want them to come back up automatically, without manual intervention if the primary WAN link fails (as the main Sonicwall tunnels would to their remote fixed IP sites).
As a test we set up a 1:1 NAT on the NSA2600 from an available public IP to the MX LAN IP. Still kept getting unfriendly NAT but the test tunnel from a Z1 teleworker came up with both ends set to autoVPN. Of course setting up the 1:1 NAT tied the setup to the primary WAN (their secondary only has the one public IP address available in any case so we can't set up 1:1 for it).
After working with phone support (who could not determine why we were still getting the NAT unfriendly warning after several packet capture analyses) we're staying with this setup; a failover will be tested when the customer can handle the likely downtime. We tried setting a temporary hard route on the NSA2600 for the MX to use the secondary WAN exclusively; it stayed showing unfriendly NAT and the tunnels would not start.
So far as we can tell, you cannot set up site to site VPN using manual port forwarding to work with dual WANs with failover; you can enter only one public IP address. Switching would be a manual operation via the dashboard, or using the API if that particular action is supported (I have not looked).
I never thought about the UDP timeouts. The default on the Sonicwall is 30 seconds; I don't see any docs that indicate that changes with a 1:1 NAT configuration. However we can increase the timeout substantially; I think this firewall/firmware can support up to 3600 seconds. We'll give that a try.
Thanks for responding