Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1212
Views
0
Helpful
3
Replies

HA Cisco CSR 1000v is unable to failover transparently on AWS cloud

alanchia2000
Level 1
Level 1

‎11-10-2015 10:02 PM - edited ‎03-12-2019 07:20 AM

We have many remote VPN partners connecting to us using IPSEC.
Only 1 active CSR (10.4.0.0/24) would be active.
Traffic is first initiated from one of our web servers (www1 & www2) to the remote servers (192.168.1.1/32, 172.16.1.1/32) using the active load balancers IP - 10.4.0.2/24.
After the first transaction is completed, the remote server initiates another connection to our active load balancer over IPSEC. 
However, if the entire zone goes down (10.4.0.0/24). Passive CSR takes over the elastic IP 123.123.123.123, but the encryption domain changes because it's in a different subnet. How do I ensure a transparent failover? We are going to have a few hundred VPN partners, getting them to change the encryption domain is going to be impossible if an AZ fails. 
Should NATing be done on the passive CSR to make the fail over transparent to the remote parties ?
Please let me know if you need any clarifications. 
Please refer to diagram for better understanding. 
Lastly, I have been trying to find Singapore reseller for this product, but didn't manage to do so. 
I need someone who knows this product to quote me correctly. Please advise on this too.
1. 2 x Cisco CSR1000v (HA)
2. support 
Reference from a previous post which is 1 year ago: 
https://supportforums.cisco.com/discussion/12202491/does-csr-1000v-support-ha-feature-how
Labels:
Preview file
77 KB
0 Helpful
3 Replies 3

Nagaraj Arunkumar
Cisco Employee
Cisco Employee

‎11-12-2015 04:27 PM

Can you take a look at this and see if this is helpful:

http://www.cisco.com/c/en/us/td/docs/solutions/Hybrid_Cloud/Intercloud/CSR/AWS/CSRAWS/CSRAWS_4.html

0 Helpful

alanchia2000
Level 1
Level 1
In response to Nagaraj Arunkumar

‎11-15-2015 06:10 PM

A person from Cisco has already posted this link before. It wasn't helpful as it doesn't apply to the scenario as mentioned in my first post. If you read my first post, you would have noticed that the failover is not possible. 

Here's why

Suppose there is 1 subnet  in each availability zone (Zone 1A, Zone 1B), and you place an IP in Zone 1a to be part of the encryption domain. The whole subnet in Zone 1a becomes unreachable. All remote hosts on the remote end of the IPSec tunnels (300+ VPNs) will not be able to reach IP configured in Zone 1A. Failing over to Zone 1B would mean that all of the remote host would have to reconfigure their encryption domain / applications to connect to a host in Zone 1B, imagine 300 remote partners doing that. It's not feasible. Is there any simpler way to do that? We also need the VPNs to be in sync meaning configurations made to 1 CSR should sync its settings to the other. 

How can this be done ? 

0 Helpful

alanchia2000
Level 1
Level 1
In response to alanchia2000

‎11-30-2015 04:14 AM

Anyone can help on this ? 

0 Helpful
Customers Also Viewed These Support Documents