[craxnet]

Hello.

we have built a route based topology network with our vpn satellites (NGX 60) and we want the routes to be switched automatically between two interfaces (VPN / WAN) in case of a connection breakdown. typicall failover.

so our core switches are distributing the networks to all communicating firewalls in this vpn. their are shown in ospf and also as ospf neighbours.

In some networks we implemented an windows domain controller (win2003 SP1) is the default gateway. this gateway decides when to use the path over the vpn tunnel or over the WAN connection.

our problem is now.
If the lan interface on the FW is going down the windows routing can notice that and switches over to the WAN router immedately. but if the internet connection with the vpn tunnel gets lost, nothing happens because the windows server can still "see" the lan interface.

so what can be do to change that?

if we place an additional interface into the firewall for WAN we create another single point of failure, and clusters are to exensive for this sites.

i hope anybody has a hint.