Feature #8286
Closed
IPsec on Multiwan fail back to Tier1 WAN after it is back UP
Description
IPsec is running on top of a failover gateway group interface. The DynDNS client entry updates on behalf of the failover gateway group interface. The remote IPsec peer connects to the DynDNS hostname.
When the Tier1 WAN gateway fails, the IPsec daemon begins to listen on the Tier2 interface and the DynDNS hostname gets updated with the Tier2 WAN IP, so connectivity is restored successfully. But when the Tier1 WAN gateway comes back online, the IPsec tunnel continues to work on the Tier2 WAN interface even though the DynDNS hostname resolves back to the Tier1 WAN IP.
If this is expected behavior, please force the IPsec service to start on top of the Tier1 interface when it comes back online. Or add a separate feature that makes it possible, such as a cron script that periodically checks whether Tier1 WAN is up and whether there is an active IPsec tunnel on Tier2 WAN. If both conditions are met, restart the IPsec service in order to renegotiate P1 from Tier1 WAN.
Invgate ticket for reference - 37090
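
The two-condition check proposed in the description, as an added example that is not part of the original ticket or of pfSense itself. It assumes SA status lines in the strongSwan `ipsec status` style and a gateway state string of `online`; the function names, sample addresses and sample status text are constructed, and the restart command is left to the site because the ticket does not name one.

```shell
#!/bin/sh
# Added example: decide whether IPsec must be restarted to fail back to Tier1.
# Assumption: established IKE SAs appear as strongSwan-style status lines:
#   con1[7]: ESTABLISHED 12 minutes ago, LOCAL[id]...REMOTE[id]

# Print the local endpoint address of every ESTABLISHED IKE SA, one per line.
established_local_addrs() {
    printf '%s\n' "$1" |
        sed -n 's/^.*: ESTABLISHED [^,]*, \([^[]*\)\[.*$/\1/p'
}

# Return 0 (restart needed) only when Tier1 is online AND at least one
# established SA is still bound to a local address other than the Tier1 IP.
should_failback() {
    tier1_state=$1    # hypothetical gateway monitor value: "online" or other
    tier1_ip=$2       # current Tier1 WAN address
    status_text=$3    # captured SA status output
    [ "$tier1_state" = "online" ] || return 1
    addrs=$(established_local_addrs "$status_text")
    [ -n "$addrs" ] || return 1    # no tunnel is up, nothing to move
    for a in $addrs; do
        [ "$a" = "$tier1_ip" ] || return 0
    done
    return 1
}

# Constructed sample data (documentation address ranges).
TIER1_IP=198.51.100.20
SAMPLE_ON_TIER2='Security Associations (1 up, 0 connecting):
        con1[7]: ESTABLISHED 12 minutes ago, 203.0.113.45[203.0.113.45]...192.0.2.10[192.0.2.10]
        con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i c5d6e7f8_o'
SAMPLE_ON_TIER1='Security Associations (1 up, 0 connecting):
        con1[9]: ESTABLISHED 2 minutes ago, 198.51.100.20[198.51.100.20]...192.0.2.10[192.0.2.10]'

if should_failback online "$TIER1_IP" "$SAMPLE_ON_TIER2"; then
    # Placeholder: run the site-specific IPsec restart command here.
    echo "Tier1 is up but the tunnel is on another WAN: restart IPsec"
fi
```

Checking the tunnel's local address before restarting keeps the cron job from dropping a tunnel that is already on Tier1 or from restarting while Tier1 is still down.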