After the first transaction is completed, the remote server initiates another connection to our active load balancer over IPSEC.
However, if the entire zone goes down (10.4.0.0/24). Passive CSR takes over the elastic IP 220.127.116.11, but the encryption domain changes because it's in a different subnet. How do I ensure a transparent failover? We are going to have a few hundred VPN partners, getting them to change the encryption domain is going to be impossible if an AZ fails.
Should NATing be done on the passive CSR to make the fail over transparent to the remote parties ? Please let me know if you need any clarifications.
Please refer to diagram for better understanding.
Lastly, I have been trying to find Singapore reseller for this product, but didn't manage to do so.
I need someone who knows this product to quote me correctly. Please advise on this too.
1. 2 x Cisco CSR1000v (HA)
Reference from a previous post which is 1 year ago:
A person from Cisco has already posted this link before. It wasn't helpful as it doesn't apply to the scenario as mentioned in my first post. If you read my first post, you would have noticed that the failover is not possible.
Suppose there is 1 subnet in each availability zone (Zone 1A, Zone 1B), and you place an IP in Zone 1a to be part of the encryption domain. The whole subnet in Zone 1a becomes unreachable. All remote hosts on the remote end of the IPSec tunnels (300+ VPNs) will not be able to reach IP configured in Zone 1A. Failing over to Zone 1B would mean that all of the remote host would have to reconfigure their encryption domain / applications to connect to a host in Zone 1B, imagine 300 remote partners doing that. It's not feasible. Is there any simpler way to do that? We also need the VPNs to be in sync meaning configurations made to 1 CSR should sync its settings to the other.