Thanks both @ww and @GreenMan . That architecture change more or less worked. Maybe a different thread for this but I noticed with this method I can no longer then do Local Internet Breakout (eg, for some traffic I want to break out locally on the VLANs where source based default route -> Hub has been applied) any solution to this? ... View more

So the VPN Hub has a static IP (VIP) and there will be NAT (SNAT/DNAT) to/from the VIP via a public IP from ISP X. I figure I will need to resolve the unfriendly NAT situation upstream with the static SNAT/DNAT so that works. May have figured this out myself - I will try creating two SNAT/DNAT rules upstream (Mapping to the MX VIP) one for ISP A and one for ISP B, with the outside interface specified per ISP, so that when the route fails over to ISP B, SNAT rule for ISP B will be followed. I just need to make sure I can resolve unfriendly NAT so I don't need to use Manual NAT traversal. ... View more