Hello,
Short answer - this is expected NSSA border router behaviour in conjunction with Type-7 default route.
Long answer - You are into one of many peculiarities of OSPF NSSA. According to RFC 3101 https://tools.ietf.org/html/rfc3101 section 2.4:
A Type-7 default LSA for the network 0.0.0.0/0 may be originated into the NSSA by any NSSA router. The Type-7 default LSA originated by an NSSA border router must have the P-bit clear.
When You configure two NSSA areas in Your CPE, You make it a NSSA ABR. The NSSA ABR must not install routes with P-bit clear as per RFC 3101 section 2.5:
if the destination is a Type-7 default route (destination
ID = DefaultDestination) and one of the following is true,
then do nothing with this LSA and consider the next in the
list:
The calculating router is a border router and the LSA has its P-bit clear.And when You bring down one of the links, then Your CPE stops becoming an NSSA ABR and happily installs the remaining 0/0 route.
AFAIK, JUNOS does not have a knob to override this behavior.
You have 3 choices here:
1/ reconfigure Your MANs+CPE to use identical NSSA area on both links
2/ reconfigure MAN routers to send a Type-3 0/0 route into Your NSSA areas/to Your CPE.
3/ reconfigure Your CPE to use 2 different routing-instances for 2 links to MANs.
Finally, I strongly recommend NOT to use OSPF as PE-CE protocol at all, and this of course includes OSPF NSSA.
BGP is much less complex and far more flexible. JUNOS supports both eBGP and iBGP as PE-CE protocol.
You can use BFD with BGP to achieve very short timers not possible with OSPF.
HTH
Thx
Alex