One of my sites is using IPSec to grab BGP routes... as well as doing WAN failover. IPSec is working correctly, BGP routes get picked up fine, but the sites are inaccessible. The BGP routes display as inactive in the routing table. Traceroute to any of the BGP routes goes out over the normal external WAN.
These routes were only showing up under show ip bgp. I had to set ebgp-multihop 2 for these routes to display in the routing table.
ubnt@ubnt# run show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       > - selected route, * - FIB route, p - stale info

IP Route Table for VRF "default"
K    *> 0.0.0.0/0 [0/0] via pppoe0
S       0.0.0.0/0 [1/0] is directly connected, pppoe0
B       10.0.0.0/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.4/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.8/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.12/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.16/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.20/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.24/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.28/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.0.0.252/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       10.34.30.124/32 [20/0] via 172.20.0.254 inactive, 01:45:54
B       1.2.3.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       2.3.4.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
C    *> 127.0.0.0/8 is directly connected, lo
B       172.1.2.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.0.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.1.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.3.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.4.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.5.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.6.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.8.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.10.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
C    *> 172.20.11.0/24 is directly connected, eth0
B       172.21.1.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.21.3.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.21.4.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.21.5.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.21.6.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.21.8.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
C    *> 172.21.11.0/24 is directly connected, eth0.40
B       192.168.90.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
C    *> X.X.X.230/32 is directly connected, pppoe0
C    *> Y.Y.Y.9/32 is directly connected, pppoe0

Gateway of last resort is not set
[edit]
ip route show:
ubnt@ubnt# ip route show
default dev pppoe0  scope link
172.20.11.0/24 dev eth0  proto kernel  scope link  src 172.20.11.254
172.21.11.0/24 dev eth0.40  proto kernel  scope link  src 172.21.11.254
210.8.1.230 dev pppoe0  proto kernel  scope link  src 210.11.176.9
210.11.176.9 dev pppoe0  proto kernel  scope link
[edit]
.. vs. another directly-connected MPLS site - note all the correct 'zebra' routes:
ubnt@ubnt:~$ ip route show
default via 10.0.0.9 dev eth2  proto zebra
10.0.0.0/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.4/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.8/30 dev eth2  proto kernel  scope link  src 10.0.0.10
10.0.0.12/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.16/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.20/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.24/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.28/30 via 10.0.0.9 dev eth2  proto zebra
10.0.0.252/30 via 10.0.0.9 dev eth2  proto zebra
[...]
ubnt@ubnt:~$
BGP/static route config:
ubnt@ubnt# show protocols
 bgp 65009 {
     neighbor 172.20.0.254 {
         ebgp-multihop 2
         remote-as 65000
         route-map {
             export BGP-EXPORT
         }
         soft-reconfiguration {
             inbound
         }
     }
     network 172.20.11.0/24 {
     }
     network 172.21.11.0/24 {
     }
     parameters {
         router-id 172.20.11.254
     }
 }
 static {
     interface-route 0.0.0.0/0 {
         next-hop-interface pppoe0 {
         }
     }
     table 10 {
         interface-route 0.0.0.0/0 {
             next-hop-interface pppoe0 {
             }
         }
         interface-route 172.20.0.0/24 {
             next-hop-interface pppoe0 {
             }
         }
         interface-route 172.20.11.0/24 {
             next-hop-interface eth0 {
             }
         }
     }
     table 20 {
         interface-route 0.0.0.0/0 {
             next-hop-interface eth1 {
             }
         }
     }
 }
[edit]
ubnt@ubnt#
WAN failover config:
ubnt@ubnt# show load-balance
 group 4G_failover {
     interface eth1 {
         failover-only
         route {
             table 20
         }
         route-test {
             count {
                 failure 3
                 success 3
             }
             initial-delay 20
             interval 10
             type {
                 ping {
                     target 8.8.8.8
                 }
             }
         }
     }
     interface pppoe0 {
         route {
             table 10
         }
         route-test {
             count {
                 failure 3
                 success 3
             }
             initial-delay 20
             interval 10
             type {
                 ping {
                     target 8.8.8.8
                 }
             }
         }
     }
 }
[edit]
ubnt@ubnt#
Any ideas why this would not be working? I suspect something in the router-side BGP settings.
Thanks in advance.
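Added diagnostic example (editor's code, not part of the original post and not an EdgeOS tool): a Python script that parses the `show ip route` dump above and, for each BGP route, reports what the next-hop 172.20.0.254 actually resolves through. It models next-hop resolution under one stated assumption: a BGP route is only usable when its next-hop is covered by a FIB-installed route (the `*` flag) that is neither the default route nor a prefix learned from BGP itself. On the posted dump the only FIB route covering 172.20.0.254 is the kernel default via pppoe0, and the only prefix that specifically covers it is 172.20.0.0/24, which is itself one of the inactive BGP routes; the `RESOLVED_DUMP` sample is constructed, not taken from the post, and shows what the same check returns if a main-table static for 172.20.0.0/24 existed (the post has such a route only in policy table 10). Whether that is the right fix for this router is not established by the post.

```python
"""Added example (not from the original post): parse an EdgeOS/ZebOS-style
`show ip route` dump and say why each BGP route is 'inactive'.
Model (an assumption, not taken from the post): a BGP route is usable only
when its next-hop is covered by a FIB route ('*') that is neither the default
route nor itself learned from BGP."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z]{1,2}\d?)\s+(?:(?P<flags>[*>]+)\s+)?"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<via>[^\s,]+)|is directly connected,\s+\S+)(?P<tail>.*)$"
)


@dataclass
class Route:
    proto: str
    prefix: ipaddress.IPv4Network
    in_fib: bool                                   # '*' flag
    next_hop: Optional[ipaddress.IPv4Address]      # None for 'via <iface>'
    inactive: bool


def parse_show_ip_route(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:                                  # legend, header, prompt
            continue
        try:
            nh = ipaddress.IPv4Address(m.group("via"))
        except ValueError:
            nh = None                              # 'via pppoe0' or connected
        routes.append(Route(m.group("proto"),
                            ipaddress.IPv4Network(m.group("prefix"), strict=False),
                            "*" in (m.group("flags") or ""), nh,
                            "inactive" in m.group("tail")))
    return routes


def resolve(nh: ipaddress.IPv4Address, routes: list[Route]) -> Optional[Route]:
    """Longest-prefix match among FIB routes not learned from BGP."""
    cands = [r for r in routes if r.in_fib and r.proto != "B" and nh in r.prefix]
    return max(cands, key=lambda r: r.prefix.prefixlen, default=None)


def diagnose(text: str) -> dict[str, dict]:
    """Per BGP prefix: status, resolving route, BGP prefixes covering the
    next-hop (a circular dependency), and whether the dump said 'inactive'."""
    routes = parse_show_ip_route(text)
    report = {}
    for r in routes:
        if r.proto != "B" or r.next_hop is None:
            continue
        best = resolve(r.next_hop, routes)
        if best is None:
            status = "UNREACHABLE"
        elif best.prefix.prefixlen == 0:
            status = "DEFAULT_ONLY"                # modelled as not usable
        else:
            status = "OK"
        report[str(r.prefix)] = {
            "status": status,
            "resolver": None if best is None else f"{best.proto} {best.prefix}",
            "covered_by_bgp": [str(b.prefix) for b in routes
                               if b.proto == "B" and r.next_hop in b.prefix],
            "inactive": r.inactive,
        }
    return report


# Abridged from the dump in the post (only the lines the check needs).
POSTED_DUMP = """\
IP Route Table for VRF "default"
K    *> 0.0.0.0/0 [0/0] via pppoe0
S       0.0.0.0/0 [1/0] is directly connected, pppoe0
B       10.0.0.0/30 [20/0] via 172.20.0.254 inactive, 01:45:54
B       172.20.0.0/24 [20/0] via 172.20.0.254 inactive, 01:45:54
C    *> 172.20.11.0/24 is directly connected, eth0
"""
# Constructed, hypothetical: the same router if a static 172.20.0.0/24 were
# present in the main table (the post has one only in policy table 10).
RESOLVED_DUMP = """\
K    *> 0.0.0.0/0 [0/0] via pppoe0
B    *> 10.0.0.0/30 [20/0] via 172.20.0.254, 00:00:10
S    *> 172.20.0.0/24 [1/0] is directly connected, pppoe0
B       172.20.0.0/24 [20/0] via 172.20.0.254, 00:00:10
C    *> 172.20.11.0/24 is directly connected, eth0
"""

if __name__ == "__main__":
    for name, dump in (("posted", POSTED_DUMP), ("resolved", RESOLVED_DUMP)):
        print(name, diagnose(dump))
```

Run it against the full dump by pasting the `run show ip route` output into `POSTED_DUMP`; every `B` prefix comes back `DEFAULT_ONLY` with `covered_by_bgp` naming 172.20.0.0/24, which is the dependency loop to break before looking at BGP session settings such as `ebgp-multihop`.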