Re: CSR1000 redundancy fails inside AWS VPC with no Internet access

raarons · ‎08-01-2017

We have a scenario which requires us to deploy multiple CSR1000V appliances as IPSec headend devices inside an AWS VPC subnet that has no internet or NAT gateway route (by design), and its only external connection is to a private network accessible via a virtual gateway and direct connect. The VPN functionality is working for us, but the failover event is failing as it's trying to post to the EC2 API for our region. There's a proxy in another subnet, which the CSR can access, but we're having trouble trying to configure the redundancy provider/http client to use that proxy. Enabling "debug ip http client all" and then instigating a failover event does yield logs of the http request, so we thought this could be achieved with the "ip http client proxy-server" setting, but it seems to be having no effect (there are no logs on the proxy indicating an attempt).

We've also considered adding a host entry on the CSR to map the API's fqdn to the proxy's internal ip address, and then enabling transparent proxying on the proxy server - unfortunately our proxy software doesn't support transparent proxying.

Does anyone know how to force the redundancy provider's http request to route via a proxy server?

d.oldfield · ‎01-11-2018

Did you ever resolve this? I have the same issue with cloud redundancy config in AWS regardless of whether using the new method or the older EEM way. The router will happily use the proxy for other HTTP traffic though.