With rising concerns on user privacy over the Internet, anonymous communication systems that hide the identity of a participant from its partner or third parties are highly desired. Existing approaches either rely on a relative small set of pre-selected relay servers to redirect the messages, or use structured peer-to-peer systems to multicast messages among a set of relay groups. The pre-selection approaches provide good anonymity, but suffer from node failures and scalability problem. The peer-to-peer approaches are subject to node churns and high maintenance overhead, which are the intrinsic problems of P2P systems. In this paper, we present CAT, a node-failure-resilient anonymous communication protocol. In this protocol, relay servers are randomly assigned to relay groups. The initiator of a connection selects a set of relay groups instead of relay servers to set up anonymous paths. A valid path consists of relay servers, one from each selected relay group. The initiator explores valid anonymous paths via a probing process. Since the relative positions of relay servers in the path are commutative, there exist multiple anonymous yet commutative paths, which form an anonymous tunnel. When a connection encounters a node failure, it quickly switches to a nearest backup path in the tunnel through "path hopping", without tampering the initiator or renegotiating the keys. Hence, the protocol is resilient to node failures. We also show that the protocol provides good anonymity even when facing types of active and passive attacks. Finally, the operating cost of CAT is analyzed and shown to be similar to other node-based anonymous communication protocols.