Showing results for 
Search instead for 
Did you mean: 

HA Cisco CSR 1000v is unable to failover transparently on AWS cloud

We have many remote VPN partners connecting to us using IPSEC.
Only 1 active CSR ( would be active.
Traffic is first initiated from one of our web servers (www1 & www2) to the remote servers (, using the active load balancers IP -
After the first transaction is completed, the remote server initiates another connection to our active load balancer over IPSEC. 
However, if the entire zone goes down ( Passive CSR takes over the elastic IP, but the encryption domain changes because it's in a different subnet. How do I ensure a transparent failover? We are going to have a few hundred VPN partners, getting them to change the encryption domain is going to be impossible if an AZ fails. 
Should NATing be done on the passive CSR to make the fail over transparent to the remote parties ?
Please let me know if you need any clarifications. 
Please refer to diagram for better understanding. 
Lastly, I have been trying to find Singapore reseller for this product, but didn't manage to do so. 
I need someone who knows this product to quote me correctly. Please advise on this too.
1. 2 x Cisco CSR1000v (HA)
2. support 
Reference from a previous post which is 1 year ago: 
3 Replies 3

Nagaraj Arunkumar
Cisco Employee
Cisco Employee

Can you take a look at this and see if this is helpful:

A person from Cisco has already posted this link before. It wasn't helpful as it doesn't apply to the scenario as mentioned in my first post. If you read my first post, you would have noticed that the failover is not possible. 

Here's why

Suppose there is 1 subnet  in each availability zone (Zone 1A, Zone 1B), and you place an IP in Zone 1a to be part of the encryption domain. The whole subnet in Zone 1a becomes unreachable. All remote hosts on the remote end of the IPSec tunnels (300+ VPNs) will not be able to reach IP configured in Zone 1A. Failing over to Zone 1B would mean that all of the remote host would have to reconfigure their encryption domain / applications to connect to a host in Zone 1B, imagine 300 remote partners doing that. It's not feasible. Is there any simpler way to do that? We also need the VPNs to be in sync meaning configurations made to 1 CSR should sync its settings to the other. 

How can this be done ? 

Anyone can help on this ? 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers