Ok, so I figured it out and thought I’d share my solution in case anyone else is having a similar issue with using a L2L VPN exclusively for backup traffic, i.e. not passing traffic so long as the primary MPLS path is available.
I’ll skip to the chase and point out this is what I was missing, which I’ve added in bold below
nat (inside,outside) 1 source static obj-site-2 obj-site-2 destination static obj-site-1 obj-site-1 no-proxy-arp route-lookup
Ok, basically NAT on an ASA influences routing. If you have a NAT statement, as I did above, without the keyword route-lookup then just by the mere existence of that NAT statement, the ASA will match packets against the source and destination portions of the NAT (obj-site-2 and obj-site-1, respectively) and if a match is found, it will route that traffic out the interface specified by the NAT.
In the example above, traffic coming from the networks specified in obj-site-2 and going to the networks specified in obj-site-1 will be routed out the outside interface. If you add the keyword route-lookup, then you tell the ASA to not automatically route out the outside interface and instead look to the route table for the traffic’s next-hop.
There’s one other command needed to make everything work, and that’s a floating static default to the outside interface. If the MPLS went down, then the route to site-1 would disappear. As such, we need this to push traffic out the outside interface, both for iNet destinations and Site-1 (which would then get matched by the crypto map and pushed out the VPN). Incidentally, part of the design was to backhaul iNet traffic over the MPLS, which is why I use a default route here.
route outside 0.0.0.0 0.0.0.0 <iNet_ISP_GW> 250
Below is a sanitized Visio of the design:
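A complete ASA configuration assembled from the pieces in this post, as an added illustration rather than the poster's own config: the site objects, the identity NAT with route-lookup, the primary MPLS routes, the floating static default, and the commands for checking which interface the ASA actually picks. The prefixes, next-hop addresses, interface names and the SLA/track method for withdrawing the MPLS routes are all assumptions (the post does not say how the MPLS route disappears); the crypto map and tunnel-group for the L2L VPN are assumed to exist already.

```cisco
! ---- Added example, not the original poster's configuration ----
! Assumed addressing (constructed placeholders):
!   Site 2 LAN (behind this ASA, interface "inside") : 10.2.0.0/16
!   Site 1 LAN (normally reached over MPLS)           : 10.1.0.0/16
!   MPLS next hop on "inside"                         : 10.2.255.1
!   Internet ISP gateway on "outside"                 : 203.0.113.1

object network obj-site-2
 subnet 10.2.0.0 255.255.0.0
object network obj-site-1
 subnet 10.1.0.0 255.255.0.0

! Identity NAT so site-2 -> site-1 traffic is untranslated when it crosses
! the VPN. Without "route-lookup" the mere presence of this rule steers
! matching traffic out "outside" regardless of the route table; with it,
! the ASA consults the route table and keeps using MPLS while that route
! exists.
nat (inside,outside) 1 source static obj-site-2 obj-site-2 destination static obj-site-1 obj-site-1 no-proxy-arp route-lookup

! Assumed mechanism for withdrawing the MPLS routes when the circuit fails:
! an SLA probe toward a site-1 address, tied to a tracked object.
sla monitor 1
 type echo protocol ipIcmpEcho 10.1.0.1 interface inside
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! Primary path: site-1 and Internet (backhauled over MPLS in this design)
! via the MPLS next hop. Both routes vanish when track 1 goes down.
route inside 10.1.0.0 255.255.0.0 10.2.255.1 1 track 1
route inside 0.0.0.0 0.0.0.0 10.2.255.1 1 track 1

! Floating static default (metric 250): only installed once the tracked
! default is gone, so Internet traffic and site-1 traffic then leave via
! "outside", where the crypto ACL below catches the site-1 flows.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 250

! Interesting-traffic ACL referenced by the (pre-existing, assumed) crypto map.
access-list site1-vpn extended permit ip object obj-site-2 object obj-site-1

! ---- Checks ----
! Confirm the egress interface chosen for a site-2 -> site-1 flow. With MPLS
! up, the ROUTE-LOOKUP phase should resolve to "inside"; after the tracked
! routes are withdrawn it should resolve to "outside" followed by a VPN
! encrypt phase.
packet-tracer input inside tcp 10.2.0.10 12345 10.1.0.10 443
! Confirm which default route is currently installed and that the NAT rule
! shows route-lookup; the SA counters should stay at zero while MPLS is up.
show route
show nat detail
show track 1
show crypto ipsec sa
```

The useful property to watch for is that no IPsec SA is built (or, if one exists, its encaps counters do not increase) while the MPLS routes are present: if they do, the NAT rule is still overriding the route table and the route-lookup keyword has not taken effect.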