Cisco CSR 1000v Series Cloud Services Routers Overview


Explore the Content Hub, the all new portal that offers an enhanced product documentation experience.

  • Use faceted search to locate content that is most relevant to you.

  • Create customized PDFs for ready reference.

  • Benefit from context-based recommendations.

Get started with the Content Hub at to craft a personalized documentation experience.

Do provide feedback about your experience with the Content Hub.

Virtual Router

The Cisco Cloud Services Router 1000V (CSR 1000V) is a cloud-based virtual router that is intended for deployment in cloud and virtual data centers. This router is optimized to serve as a single-tenant or a multitenant WAN gateway.

When you deploy a CSR 1000V instance on a VM, the Cisco IOS XE software functions as if it were deployed on a traditional Cisco hardware platform. You can configure different features depending on the Cisco IOS XE software image.

Secure Connectivity

CSR 1000V provides secure connectivity from an enterprise network such as a branch office or a data center, to a public or a private cloud.

Software Images and Licenses

The following sections describe the licensing and software images for CSR 1000V.

Cisco CSR 1000V Evaluation Licenses

Prior to Release 3.13, Cisco provided a built-in evaluation with the CSR 1000V instance, where you could use the Premium Technology Package at a maximum throughput of 50 Mbps for 60 days. With Release 3.13 and later, Cisco has moved to a self-service model to provide the flexibility of trialing additional technology packages and higher throughputs.

Evaluation licenses are valid for 60 days and are available with a valid Smart Account. To request an evaluation license, contact Cisco or a qualified Cisco partner.

The following evaluation licenses are available:

  • IPBASE technology package license with 10 Gbps maximum throughput

  • SEC technology package license with 5 Gbps maximum throughput

  • APPX technology package license with 5 Gbps maximum throughput

  • AX technology package license with 5 Gbps maximum throughput

If you need an evaluation license for the Security technology package, or for an AX technology package with higher throughput, contact your Cisco service representative.

For instructions on obtaining and installing evaluation licenses, see the Installing CSL Evaluation Licenses for Cisco IOS XE 3.13S and Later section in the Cisco CSR 1000v Software Configuration Guide .

Cisco CSR 1000V Software Licenses

Cisco CSR 1000V software licenses are divided into feature set licenses. The supported feature licenses depend on the release.

Current License Types

The following are the license types that are supported in Cisco IOS XE Everest 16.4.1 and later:

  • IPBASE: Basic Networking Routing (Routing, HSRP, NAT, ACL, VRF, GRE, QoS)

  • SEC (Security): IPBase package + Security features (IP Security VPN, Firewall, MPLS, Multicast)

  • AX: IPBase package + Security features + Advanced Networking features (AppNav, AVC, OTV and LISP)

  • APPX Package: IPBase package + Advanced Networking features - Security features (IP security features are not supported in this package)

Legacy License Types

The three legacy technology packages - Standard, Advanced, and Premium - were replaced in Cisco IOS XE Release 3.13 with the IPBAsE, SEC, and AX technology packages.

Features Supported by License Packages

For more information about the Cisco IOS XE technologies supported in the feature set packages, see the overview chapter of the Cisco CSR 1000v Series Cloud Services Router Software Configuration Guide.


The Cisco CSR 1000V router provides term subscription licenses that support the feature set packages for the following maximum throughput levels:

  • 10 Mbps

  • 50 Mbps

  • 100 Mbps

  • 250 Mbps

  • 500 Mbps

  • 1 G bps

  • 2.5 Gaps

  • 5 Gbps

  • 10 Gbps (IPBASE only)

The throughput levels are supported for different feature set packages in each version. For more information about how the maximum throughput levels are regulated on the router, see the Cisco CSR 1000v Cloud Services Router Software Configuration Guide.

Memory Upgrade

A memory upgrade license is available to add memory to the Cisco CSR 1000V router (Cisco IOS XE 3.11S or later). This license is available only for selected technology packages.

Additional Information about Licenses and Activation

For more information about each software license, including part numbers, see the Cisco CSR 1000v Router Datasheet. For more information about the standard Cisco IOS XE software activation procedure, see the Software Activation Configuration Guide, Cisco IOS XE Release 3S.

Software Image Nomenclature for Installation Files

The Cisco CSR 1000V installation file nomenclature indicates properties supported by the router in a given release.

For example, these are filename examples for the Cisco IOS XE Amsterdam 17.2.1 release:

  • csr1000v-universalk9.17.02.01.ova

  • csr1000v-universalk9.17.02.01.iso

  • csr1000v-universalk9.17.02.01.qcow2

The following table lists the filename attributes along with its properties:

Table 1. OVA Installation Filename Attributes

Filename Attribute



Specifies the package that you are installing.


Indicates that the software image is mapped to the Cisco IOS XE Amsterdam 17.2.1 release.

New and Enhanced Features for Cisco IOS XE Amsterdam 17.3.x

New and Enhanced Features for Cisco IOS XE Amsterdam 17.3.x

The following are the new CSR 1000V software features for Cisco IOS XE Amsterdam 17.3.1 release:


Cisco IOS XE Amsterdam 17.3.1a is the first release for Cisco CSR 1000V Router in the Cisco IOS XE Amsterdam 17.3.1 release series.

  • Support for Azure-PMD (Poll Mode Driver): You can now enable the Azure-PMD functionality for Cisco CSR 1000V instances running on Microsoft Azure. This functionality offers a faster, user-space packet processing framework that bypasses the VM's kernel network stack to increase the speed of network traffic. In a typical packet processing that uses the kernel network stack, the process is interrupt-driven, which involves context switching from the kernel space to the user space. Azure-PMD eliminates this context switching and the interrupt-driven method in favor of a user-space implementation that uses poll mode drivers for faster packet processing.

  • Configure IP Multicast over Unidirectional links for PIM: Unicast and multicast routing protocols forward data on interfaces from which they have received routing control information- this requires a bidirectional link. However, some network links are unidirectional, where the physical send-only interface is on the upstream router and the physical receive-only interface is on the downstream router. To control routing information in these unidirectional environments, you need to enable the IP multicast over UDL functionality. To enable this functionality, you can now configure a UDL routing tunnel as a unidirectional generic routing encapsulation (GRE) tunnel and map this to a one-way satellite link, which in turn enables the associated unicast and multicast routing protocols to treat the UDL as a bidirectional link.

  • Support for KVM (RHEL) 7.5 and 7.7 and ESXi 6.5 and 6.7.

  • Support for openconfig-lldp 0.2.1: From the Cisco IOS XE Amsterdam 17.3.1 release, the openconfig-lldp 0.2.1 is supported. No additional configuration is required.

  • Show platform resources command: The existing show platform resourses command now includes the following extension keywords to help you gather more information on platform resource utilization: R0, R0 cpu, R0 memory, exmem, datapath, and datapath oversubscriptions.

  • Show packet tracer command: The output of the show platform packet-trace command now includes additional trace information for packets either originated from IOSd or destined to IOSd or other BinOS processes.

  • Enable debug information for Multicast: The following debug commands are introduced to enable the debugging information for Multicast via CONFD/NetConf:

    • debug platform condition feature multicast controlplane level

    • debug platform condition interface gigabitEthernet 0/0/1.2 ipv4 access-list mcast

    • debug platform condition feature multicast dataplane v4mcast submode

    • debug platform condition feature multicast dataplane v6mcast submode

  • New cipher suites for IP ssh Client and Server Algorithm: You can configure the HMAC algorithm of or as a cryptographic algorithm. These cipher suites can be used with the ip ssh client algorithm mac and ip ssh server algorithm mac commands.

  • CUBE: Up to 100 VRF Instances: The current support limit is 54 VRF instances on a CUBE box. This requires customers to purchase additional hardware to meet requirements. For deployments such as HCS that need to support greater number of tenants per box, the limit of VRF instances is enhanced to 100 with this feature. Also, support is introduced for this feature in CUBE Enterprise with this release.

  • CUBE: Dial Peer Binding with Live Traffic: The Live Bind feature allows you to either change or add binding on a dial-peer that does not have any active calls, while other dial-peers with the same binding has active calls.

  • CUBE: Media Proxy Multi-forking using SIPREC: With this feature, the SIPREC-based CUBE Media Proxy solution supports forking to multiple recorders.

  • CUBE: OPUS Codec Negotiation: With this feature, support is introduced for OPUS audio codec with CUBE.

  • CUBE: TLS Server Name Indication (SNI) - RFC6066: With this feature, support is introduced for Server Name Indication (SNI). SNI is a TLS extension that allows a TLS client to indicate the name of the server that it is trying to connect during the initial TLS handshake process.


When you execute the show tech-support command multiple times in an oversubscribed environment, it might cause the device to lose ssh connectivity. If this occurs, reload the device and ensure that the environment is not oversubscribed.


When you upgrade from one Cisco IOS XE release to another, you may see a %Invalid IPV6 address error in the console log file. To rectify this error, enter the global configuration mode, re-enter the missing IPv6 alias commands, and save the configuration. The commands are persistent on subsequent reloads.


Some YANG models are not fully compliant with all the IETF guidelines. The errors and warnings shown while executing pyang with -–lint flag is currently deemed to be non-critical as they do not impact the semantic of the models or prevent the models from being used as part of the toolchains. To determine the issues with the models, run the script with --lint flag enabled.

It is recommended to ignore LEAFREF_IDENTIFIER_NOT_FOUND and STRICT_XPATH_FUNCTIONS errors types when running pyang for validation as they are non-critical errors and doesn’t impact the YANG model functionality.

Resolved and Open Bugs for Cisco IOS XE Amsterdam 17.3.x

Using the Cisco Bug Search Tool

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all the bugs specific to a product and a release.

You can filter the search results by the last modified date, bug status (open or resolved), severity, rating, and support cases.

Open Bugs for Cisco IOS XE Amsterdam 17.3.1

Caveat ID Number



CSR1000v may unexpectedly reload (or hang) due to keepalive failures


C8000v not booting up in Azure if assigned IPaddr to Gig1 Interface

Resolved Bugs for Cisco IOS XE Amsterdam 17.3.1

Caveat ID Number



Fix for kernel driver issue causing wake up for empty block, packet too large to process


CSR Gig3 Interface not created even after ENI is attached to VM instance in AWS


CSR on AWS - PAYG Broken in 17.1, 17.2, and Polaris


Custom Data: bash/python scripts in Scripts section does not execute


CSR stuck in Bootloop while upgrading to 17.2.1r on Azure.


vmxnet3 vnics need ability to set MTU

Resolved Bugs for Cisco IOS XE Amsterdam 17.3.2

Caveat ID Number



ASR1002X lost all configuration after upgrade from 16.12 to 17.3.


GRUB2 Arbitrary Code Execution Vulnerability.


Memory leak upon ssh/scp connections to a router.

Open Bugs for Cisco IOS XE Amsterdam 17.3.3

Caveat ID Number



Crash at the moment of calculating tcp header


Netflow crash at fnf_ipv6_output_feature_final_internal with flow record on IPv6 IPsec tunnel


NETCONF ACL not working if ACL is referencing an object-group


Clients using DHCP Server Port-Based Address Allocation not getting IP address


ucode crash with firewall timer lock


BGP-neighbor down when push banner configuration failure


IOS-XE Memory Leak in SSS Manager


Router crash observed when AppNav Cluster delete with service-insertion enabled on LAN interface


FMAN_rp: qos_hqf [L:1.0, N:0x3485061e18 ] (0p, 0c) download to FP failed resulting in a crash


IP PIM SPT-threshold infinity causes ICMP Echo Replies to not be generated for IP Multicast Requests

Resolved Bugs for Cisco IOS XE Amsterdam 17.3.3

Caveat ID Number



Mishandling of dsmpSession pointer causes a crash


Static routes pointing to interface tunnel not valid after tunnel's source interface flaps.


IOSD crash due to segmentation fault at SISF Main Thread


Crash in sre_dp_traverse_dfa_legacy as SIP invite messages crosses a GRE Tunnel


Cloud Express probes fails when two default rules are present


Traceback: IP SLA triggers INJECT_HDR_LENGTH_ER and INJECT_FEATURE_ESCAPE log message


Crash seen in isis_sr_uloop_lspdb_dump with 'debug isis microloop' enabled


BGP: advertised community list is malformed due to GSHUT community


No responder-bytes from cEdge when UTD is enabled


Router may crash when using Stateful NAT64


GETVPN: All GM will crash when Primary KS recovers its COOP role after network outage


Moving PC from network causes static DHCP binding to be removed from the device.


"platform ipsec reassemble transit" tail-drops unencrypted IPv4 Fragments with specific payload


DMVPN with ipv6 link-local address do not register to HUB


Router might crash after apply a class-map in input direction with bandwidth percentage


NAT64 ALG: Router crashes on nat64_process_token


Passive FTP doesn't work with NAT


Crash in TCL Bytecode When Running RA Trace in Guestshell Python


Device Template failing to attach after changing few device variables


Smart license registration through explicit mode proxy server


[EVPN RT2-RT5] After few host moves RT2-RT5 re-origination happens even when there is no Remote RT2


MACSEC MKA stops forwarding data after every 3rd rekey


ip-acl errors of correcting the logic of sequence id when there is an error with msg creation


EVPN Type-2 IP/MAC route is created for not-connected SVI


Unexpected reload in NHRP when access to an invalid memory region


APPNAV CFT crashes


Pseudowire interface may be unexpectedly removed from VFI on unrelated configuration change


OMP-Agent Routes in EIGRP changes AD to 252 on non-SDWAN devices


CPP ucode crash with fw_base_flow_create


SSH with Certificate authentication doesn't work after upgrade to 17.3.1


HSL Export over VASI Interface causes Netflow v9 Template Flooding


unable to transfer 1500 byte IP packet when using BRI bundled Multilink


RP went down due to __be_iosd_rec_malloc_free_before


[SIT]: BFD sessions not established between Edges, with UTD enabled


Dynamic Nat pool "ip aliases" are not created on the device


LMR Unable to hear first seconds of audio


FlexVPN reactivate primary peer feature does not work with secondary peer tracking


Throughput license grace period starts counting down after upgrade router software


OpenSSL vulnerability (CVE-2020-1971) evaluation for IOS-XE


Router may not send PIM Register message if RP is reachabile over TE tunnel


BGP AS-path prepend: cEdge won't update correctly better prepended route.


Device is crashing after Device Access Policy is attached


DDNS feature triggers crash on 16.X/17.X releases due to memory corruption


Crash wile configuring l2vpn evpn instance for VXLAN


Decouple mac aging from ARP aging on vlans not using the centralized gw feature


BGP IPv6 link-local session doesn't come up


Not able to create VFI instances


Memory Lock and system crashed while clearing ip access-list stats.


ISIS crash in isis_sr_tilfa_compute_protection


Control plane hitting EID prefix entry limit for MAC after upgrade

Open Bugs for Cisco IOS XE Amsterdam 17.3.4

Caveat ID Number



DMVPN - after removing IPSec, traffic is dropped on a tunnel interface


Data consistancy errors seen on configuring mac-sec on the underlay interface with ipsec configured


unexpected reload due to Crypto IKEv2 process


Watchdog timeout due to Crypto IKMP


can not update local-address in a crypto keyring


crypto ikev2 proposals are not processed separately


cEdge-policy: set next-hop-ipv6 is not working next-hop-ip (ipv4) is working.


Crash when issuing "show crypto isakmp peers config"


IKE should have a mechanism to alert or mitigate resource exhaustion due to QM flooding


cEdge ipv6 netflow with high scale flows FNF does not working


fman_rp: qos_hqf [L:1.0, N:0x3485061e18 ] (0p, 0c) download to FP failed resulting in a crash.


%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed due to ip rtp header-compression iphc-format


IKEv1 IPSec CAC (Call Admission Control) counter leak leading to %CRYPTO-4-IKE_DENY_SA_REQ


CSR in Azure can fail to authenticate using AAD


CSR crashes after oce_lookup_one_adj_id_handle while reading emu_mem.


Removal of 'set reverse-route tag xxx' removes 'reverse-route' config from crypto map


SDWAN: Cisco 1000v Series CSR deployed in Microsoft Azure throwing continuous errors on consol.


Cisco 1000v Series CSR/Cisco 8000v Series CSR: Console Port Access change CLI does not work in CONTROLLER mode


CPP Crash While Freeing CVLA Chunk


Data-policy local-tloc with app-route is dropping packets when SLA is not met


Cisco 1121 ISR router multiple crash. - session hash corrupted


Cedge : Cloudexpress Office 365 probes are hitting 100% loss


ccedge Cisco 1121-4P CSR crahed with Localsoft error


URL Filtering regex pattern match not working on large pattern


cEdge QFP starts dropping traffic - UTD Service Node not healthy ident


Qos download failed with FW policy when rebooting device


cEdge: High CPU usage due to Multicast and Data Policy configuration.


Unable to fetch eigrp prefix, nexthop, omptag, and route origin

Resolved Bugs for Cisco IOS XE Amsterdam 17.3.4

Caveat ID Number



cedge is sending incorrect if index values for the sub-interfaces.


App-aware policy need to be honored when queuing is not set by localized policy


Pre-mature session deletion leading to churn and lower TPS at scale


BFD sessions go down on Service VPN after UTD is enabled on cEdge


Cisco 1111 CSR vtcp may cause packet drop for sip packets causing phones to reset


Multiple crashes cpp_cp_svr and qfp-ucode on 16.12.4


AWS:Cisco 8000kv CSR crashed and reboots if shut/no shut an interface a number of times


Cisco 1000v CSR crashing frequently with Critical software exception error.


cEdge running 17.3.2 crashed - Critical software exception / IOSXE-WATCHDOG: Process = SNMP ENGINE


SDWAN custom policy that does not looked to be programmed correctly on the cedge platform


FW-4-ALERT_ON: (target:class)-():getting aggressive seen when no half open feature configed


Wrong reload reason reflected after a power outage.


Removing and Adding Bulk ACL leads to dataplane programming failure


Zone Based Firewall on cEdge router dropping web traffic with the reason Zone-pair without policy


Cisco 1000v CSR: Crashes during reg_invoke_iosxe_license_export_controlled_enforcement_bypass


SIT 17.5.1 02/01: Stby switch reloaded due to config mismatch during telemetry push from DNAC.


cannot apply ciscosdwan.cfg due to vpg-log-server-acl ACL on VirtualPortGroup0 for logging


For-us Icmp packets are collected by cflowd which against the data-policy


Crash when TPOOL is updating and 'wr mem' is issues at same time


ZBFW blocking ACK packets for applications using cloudexpress SaaS set to use a Gateway with synsent


Data plane VPLS traffic generating Control Word on all Label Switched Headers


"show sdwan policy service-path/tunnel-path" command cause device crash


[DMM/SLM test issue] CFM crash when using physical port, DMM/SLM doesn't work on EVC


custom app not getting detected after attached removed and re-attached- app-visibility is disabled


[17.5] Router crashed when sending traffic through non-SDWAN interface with DIA NAT + debug enabled


An IOS XE device might crash at DoubleExceptionVector


SDWAN cedge : traffic simulation tool shows traffic blackhole


Cisco 1000v CSR Multicast Over OTV Not Forwarding


Packets dropped due to firewall + data policy interop issue


SCEP: CA server fails to rollover CA certificate with error: "Storage not accessible"


vtcp frees rx buffer when packet with expected next sequence arrives with no payload; phones reset


Config out of sync after upgrading to 17.4.1


Security container is dropping legitimate FIN,ACK Packets


IOS-XE cpp ucode crash with fragmented packets


Signature update failure - SSL-CERTIFICATE_VERIFY_FAILED