When HSRP elects the wrong active router, traffic that should traverse a high-availability path gets blackholed or suboptimally routed, breaking your redundancy design. This topic is critical for the CCNA 200-301 exam (objective 3.8) and for real-world network engineering because HSRP mis-elections are a common source of outages that are difficult to debug without a systematic approach. Mastering the troubleshooting of HSRP active router issues will save you hours of finger-pointing in production networks.
Imagine a concert with two bandleaders, Alice and Bob, who share a single conductor's baton. The baton represents the active role—whoever holds it leads the orchestra. They use a simple rule: every 3 seconds, the current leader taps the music stand (Hello message). If the stand isn't tapped for 10 seconds, the other bandleader assumes the leader has collapsed and grabs the baton. Now, suppose Alice has a louder voice (higher priority) and should always lead. But if Bob's hearing is bad (misconfigured preempt) or Alice's tapping is muffled (Hello dropped), Bob might grab the baton incorrectly. The band plays off-key (traffic flows wrong) until someone fixes the misconfiguration. In HSRP, the baton is the virtual IP, priority determines who should lead, preempt ensures the rightful leader retakes control, and Hello/Dead timers govern the handoff. If preempt is missing on Alice, even if she comes back with higher priority, Bob keeps leading. If timers are mismatched, Bob might declare Alice dead prematurely. Troubleshooting means checking who holds the baton (show standby), verifying priority and preempt, and ensuring timers are consistent.
What is HSRP and Why Does It Matter?
Hot Standby Router Protocol (HSRP) is a Cisco proprietary First Hop Redundancy Protocol (FHRP) that allows two or more routers to share a virtual IP and MAC address, providing default gateway redundancy. In a typical LAN, hosts are configured with a default gateway pointing to a single router. If that router fails, hosts lose connectivity. HSRP solves this by electing one router as the Active (forwarding traffic) and another as Standby (ready to take over). The virtual IP (VIP) is the gateway address; hosts send traffic to the VIP, and the Active router responds to ARP requests with the virtual MAC (0000.0c07.acXX, where XX is the group number).
On the CCNA 200-301, HSRP troubleshooting is tested under objective 3.8, which covers FHRP operations and common issues. You must be able to identify why a router with higher priority is not Active, why the Active router is unexpected, or why failover doesn't happen. Real-world scenarios include asymmetric routing, suboptimal path selection, and complete loss of connectivity due to a wrong Active router.
How HSRP Election Works Step by Step
HSRP uses a priority-based election with optional preemption. The router with the highest priority (default 100, range 0-255) becomes the Active router. If priorities are equal, the router with the highest IP address on the interface wins. The election happens when the group is first formed or when the Active router fails.
Hello Protocol: Active and Standby routers send Hello messages every 3 seconds (default) to the multicast address 224.0.0.2 (all routers) using UDP port 1985. The Hello contains the router's priority, virtual IP, and state.
Hold Time: If the Standby router does not receive a Hello from the Active for 10 seconds (default), it declares the Active dead and transitions to Active itself. The Hold time is configurable and should be at least 3 times the Hello interval.
State Machine: HSRP has six states: Initial, Learn, Listen, Speak, Standby, Active. For troubleshooting, the key states are Active (forwarding traffic), Standby (ready to take over), and Listen (router knows VIP but is not participating in election).
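To make the Hello contents concrete, this added example (not from the original article) decodes an HSRP version 1 message using the field layout and code points from RFC 2281 and compares it with the values the group is expected to use. The sample bytes are constructed, and `parse_hello` and `check_hello` are hypothetical names.

```python
import struct
from ipaddress import IPv4Address

# Code points per RFC 2281 (HSRP version 1); they are not listed on this page.
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}

def parse_hello(payload):
    """Decode the 20-byte HSRPv1 message carried in UDP port 1985."""
    if len(payload) < 20:
        raise ValueError("HSRPv1 message is 20 bytes")
    (ver, op, state, hello, hold, prio, group, _reserved,
     auth, vip) = struct.unpack("!8B8s4s", payload[:20])
    if ver != 0:
        raise ValueError("not an HSRPv1 message")
    return {
        "opcode": OPCODES.get(op, f"unknown({op})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hello": hello, "hold": hold, "priority": prio, "group": group,
        # The authentication data is a clear-text, NUL-padded 8-byte field.
        "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
        "vip": str(IPv4Address(vip)),
        # v1 virtual MAC: fixed prefix plus the group number in hex.
        "vmac": f"0000.0c07.ac{group:02x}",
    }

def check_hello(msg, expect_group, expect_vip):
    """Compare one decoded Hello with the values the group should use."""
    issues = []
    if msg["group"] != expect_group or msg["vip"] != expect_vip:
        issues.append("group-or-vip-mismatch")
    if msg["hold"] < 3 * msg["hello"]:
        issues.append("hold-below-3x-hello")
    return issues

# Constructed sample: Hello from the Active router, hello 3 / hold 10,
# priority 150, group 10, auth string "cisco", virtual IP 192.168.1.254.
SAMPLE = (bytes([0, 0, 16, 3, 10, 150, 10, 0])
          + b"cisco\x00\x00\x00"
          + bytes([192, 168, 1, 254]))

if __name__ == "__main__":
    decoded = parse_hello(SAMPLE)
    print(decoded)
    print(check_hello(decoded, 10, "192.168.1.254"))
```
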
Key Timers and Defaults
Hello timer: 3 seconds (configurable)
Hold timer: 10 seconds (configurable)
Priority: 100 (default), higher is better
Preempt: Disabled by default. If disabled, a router with higher priority coming online will NOT become Active unless the current Active fails. This is the #1 cause of "wrong Active router" scenarios.
Virtual MAC: 0000.0c07.acXX (XX = group number in hex)
Group number: 0-255, must match on all routers in the group
IOS CLI Verification Commands
The primary troubleshooting command is show standby. Example output:
Router# show standby
Vlan1 - Group 10
State is Active
2 state changes, last state change 00:01:23
Virtual IP address is 192.168.1.254
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.432 secs
Preemption enabled
Active router is local
Standby router is 192.168.1.2, priority 100 (expires in 8.256 sec)
Priority 150 (configured 150)
Group name "harpers" (v1)
Key fields to examine:
- State: Is the router Active or Standby?
- Active router: Which IP is active? If it says "local", this router is Active. If it shows a different IP, that is the current Active.
- Standby router: Should be the other router's IP; if "unknown", there is a communication issue.
- Priority: Does the Active have the highest priority? If not, preempt is likely disabled.
- Preemption: Is it enabled? If disabled, the Active may be a lower-priority router that won.
- Hello/Hold timers: Should match on both routers.
Other useful commands:
- show standby brief – quick summary of all groups
- debug standby – use with caution, shows HSRP packet exchange
- show running-config | section interface – verify configuration
How HSRP Interacts with Other Protocols
HSRP works at Layer 2/3. It does not affect routing protocols; it only provides a virtual gateway. However, if the wrong router becomes Active, traffic may take a suboptimal path (e.g., going through a slow link) because the Active router's routing table may not have the best path. HSRP can also interact with STP: if the Active router is on a blocked port, traffic will be dropped. Additionally, HSRP uses the virtual MAC, so ARP tables on hosts point to that MAC. If the Active changes, the new Active sends a gratuitous ARP to update the switch CAM table.
For the exam, remember that HSRP is Cisco proprietary; VRRP is the open standard; GLBP provides load balancing. HSRP version 1 and 2 differ in group numbers and multicast address (224.0.0.2 vs 224.0.0.102).
Identify the wrong Active router
Use `show standby` on both routers to determine which router is currently Active. Compare the Active router IP to the expected router (the one with higher priority or desired role). If the wrong router is Active, note its priority and check if preempt is enabled. For example, if Router A has priority 150 and is Standby, while Router B with priority 100 is Active, the issue is likely that preempt is disabled on Router A. Document the output for later comparison.
Verify priority and preempt configuration
Examine the running configuration on both routers for the HSRP group. Use `show running-config interface <interface>` or `show standby`. Look for the `standby <group> priority <value>` and `standby <group> preempt` commands. If the higher-priority router does not have `preempt`, it will not take over from a lower-priority Active. Also check for `standby <group> track` commands that might dynamically lower priority, causing unexpected behavior. For example: `standby 10 track GigabitEthernet0/1 30` would reduce priority by 30 if that interface goes down.
Check timers consistency
HSRP Hello and Hold timers must match on both routers for proper operation. Use `show standby` to see the timers. If they differ, the Hold timer on the Standby may expire prematurely, causing a failover. For example, if Router A has Hello 3 sec / Hold 10 sec, and Router B has Hello 5 sec / Hold 15 sec, Router A might declare Router B dead after 10 seconds of no Hello, even though Router B is still alive (its Hello interval is 5 sec). Use `standby <group> timers <hello> <hold>` to configure them identically.
Verify IP addressing and VLAN membership
Ensure both routers are in the same VLAN/subnet and have IP connectivity to each other. Use `ping` from one router's interface IP to the other's interface IP. If they cannot ping, HSRP Hellos will not be exchanged, and both routers may become Active (dual Active scenario). Also verify that the virtual IP is configured correctly and is on the same subnet as the interface IP. Use `show ip interface brief` to confirm interface status. Check that the switch ports connecting the routers are in the same VLAN and not blocked by STP.
Examine for dual Active scenario
If both routers show as Active (state Active), this is a serious problem. Use `show standby` on each – if they both list themselves as Active and the other as unknown or standby with expired hold, it means they cannot hear each other's Hellos. This could be due to a Layer 2 issue (e.g., switch port blocking, VLAN mismatch, or access-list filtering HSRP multicast). Check `show standby` for the Standby router field – if it says "unknown", the router is not receiving Hellos. Verify multicast traffic: HSRP uses 224.0.0.2 (v1) or 224.0.0.102 (v2). Ensure no ACL is blocking this traffic.
Review interface tracking and object tracking
Interface tracking can lower priority when an uplink fails, causing the other router to become Active. Use `show standby` to see if the priority is decremented. For example, if Router A has priority 150 but tracking reduces it to 120, Router B with priority 130 might become Active. Check the tracked objects with `show track`. Also verify that the tracked interface is correctly configured: `standby 10 track GigabitEthernet0/1 30`. If the tracked interface is down, the priority is reduced. This is often a desired behavior but can cause confusion if not documented.
Verify version and authentication
HSRP version 1 and version 2 are incompatible. Use `show standby` to see the version (v1 or v2). If one router runs v1 and the other v2, they will not form adjacency. Also check for authentication: `standby <group> authentication <string>`. If authentication is configured on one router but not the other, or the strings differ, Hellos will be ignored. Use `debug standby` (with caution) to see if packets are being dropped due to authentication mismatch. Remember that an authentication string configured this way is carried in plaintext; it's not a security feature, but it can prevent misconfigurations.
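The checks in the steps above can be run mechanically over `show standby` output collected from both routers. This is an added example, not part of the original article or any Cisco tooling; the two sample outputs are constructed, and `parse`, `diagnose` and the finding codes are hypothetical names.

```python
import re

# Constructed `show standby` samples (not captured from real devices), trimmed
# to the fields compared below and modelled on the output format shown earlier.
ROUTER_A = """Vlan1 - Group 10
  State is Standby
  Virtual IP address is 192.168.1.254
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is 192.168.1.2, priority 100 (expires in 8.256 sec)
  Standby router is local
  Priority 150 (configured 150)
"""
ROUTER_B = """Vlan1 - Group 10
  State is Active
  Virtual IP address is 192.168.1.254
  Hello time 3 sec, hold time 10 sec
  Preemption disabled
  Active router is local
  Standby router is 192.168.1.1, priority 150 (expires in 9.100 sec)
  Priority 100 (configured 100)
"""

FIELDS = {
    "group": r"Group (\d+)",
    "state": r"State is (\w+)",
    "vip": r"Virtual IP address is (\S+)",
    "hello": r"Hello time (\d+) sec",
    "hold": r"hold time (\d+) sec",
    "preempt": r"Preemption (enabled|disabled)",
    "priority": r"^\s*Priority (\d+)",        # effective priority line only
    "configured": r"\(configured (\d+)\)",
}

def parse(text):
    """Extract the fields the troubleshooting steps compare."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text, re.M)
        value = m.group(1) if m else None
        out[name] = int(value) if value and value.isdigit() else value
    return out

def diagnose(a, b):
    """Run the page's checks on two parsed routers; return finding codes."""
    findings = []
    if a["state"] == "Active" and b["state"] == "Active":
        findings.append("dual-active")          # Hellos are not reaching the peer
    if (a["hello"], a["hold"]) != (b["hello"], b["hold"]):
        findings.append("timer-mismatch")
    if (a["group"], a["vip"]) != (b["group"], b["vip"]):
        findings.append("group-or-vip-mismatch")
    if any(r["priority"] < r["configured"] for r in (a, b)):
        findings.append("tracking-decrement")   # effective below configured
    hi, lo = (a, b) if a["priority"] > b["priority"] else (b, a)
    if (hi["priority"] > lo["priority"] and lo["state"] == "Active"
            and hi["state"] != "Active"):
        findings.append("preempt-disabled-on-higher-priority"
                        if hi["preempt"] == "disabled"
                        else "higher-priority-not-active")
    return findings

if __name__ == "__main__":
    print(diagnose(parse(ROUTER_A), parse(ROUTER_B)))
```
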
In a typical enterprise campus network, HSRP is deployed on distribution layer switches (acting as Layer 3) to provide gateway redundancy for access layer VLANs. For example, a building has two distribution switches (Dist-A and Dist-B) each connected to the core. VLAN 10 users have virtual gateway 10.1.10.1. Dist-A is preferred with priority 150 and preempt enabled, so it is normally Active. If Dist-A loses its uplink to the core, interface tracking reduces its priority, and Dist-B takes over, maintaining connectivity.
A common misconfiguration occurs when a new switch is added to the stack without preempt. Suppose Dist-A is replaced, and the new switch has priority 150 but preempt is missing from the config. Dist-B, with priority 100, remains Active even though Dist-A is perfectly healthy. Traffic from VLAN 10 now flows through Dist-B, which may have a slower uplink or different routing policy, causing asymmetric routing and potential performance issues. The network engineer might not notice until they run show standby during a maintenance window.
Another scenario is when HSRP timers are changed for faster failover but not applied consistently. An engineer sets Hello to 1 second and Hold to 3 seconds on one router to speed up convergence, but forgets to update the peer. The peer still uses default 3/10. The router with faster timers may declare the other dead prematurely if a single Hello is lost, causing unnecessary flapping. This can lead to intermittent outages as the Active role bounces back and forth.
Scale considerations: HSRP groups are limited to 255 per interface (v1) or 4096 (v2). In large campus networks with hundreds of VLANs, it's common to use multiple HSRP groups to load-balance traffic across distribution switches (e.g., odd VLANs Active on Dist-A, even on Dist-B). This requires careful planning of priority and preempt.
When HSRP is misconfigured, the impact can be severe: hosts may lose default gateway connectivity if both routers become Standby (no Active), or traffic may be blackholed if the Active router has no path to the destination. The most common symptom users report is "intermittent connectivity" or "slow internet" – actually traffic going through a suboptimal path.
The CCNA 200-301 exam objective 3.8 specifically tests your ability to troubleshoot FHRP issues, including HSRP, VRRP, and GLBP. For HSRP, the most common exam question presents a scenario where a router with higher priority is not Active, and you must identify the cause. The top three wrong answers candidates choose are:
"The router with higher priority is down." – This is often not the case. The candidate assumes the router is offline, but the question usually states both routers are up. The real issue is preempt disabled.
"The Hello timer is too low." – While timer mismatch can cause issues, the classic scenario is a router with higher priority joining later and not taking over because preempt is off. Candidates confuse timer issues with preempt.
"The virtual IP is misconfigured." – If the virtual IP were wrong, HSRP wouldn't form at all. The question typically shows that both routers have the same VIP, so this is a distractor.
Key values to memorize:
- Default priority: 100
- Default Hello: 3 seconds
- Default Hold: 10 seconds
- Preempt: disabled by default
- Virtual MAC base: 0000.0c07.acXX (v1)
- HSRP v1 multicast: 224.0.0.2
- HSRP v2 multicast: 224.0.0.102
- UDP port: 1985
Calculation traps: The exam may ask about interface tracking: if priority is 150 and track decrement 30, and the tracked interface goes down, the effective priority becomes 120. If the other router has priority 130, it will become Active (if preempt is enabled). Candidates sometimes forget to subtract the decrement.
Decision rule for scenario questions:
1. Check which router is Active vs Standby.
2. Compare priorities – if higher-priority router is not Active, preempt is likely disabled.
3. If both are Active, there's a Layer 2/multicast issue.
4. If Active flips back and forth, check timer mismatch or tracking flap.
Eliminate options that suggest IP address mismatch or interface shutdown unless explicitly stated. Focus on preempt and timers.
HSRP default priority is 100; higher priority wins election.
Preempt is disabled by default – the most common reason for a wrong Active router.
Default Hello timer is 3 seconds; Hold timer is 10 seconds.
HSRP v1 uses multicast 224.0.0.2; v2 uses 224.0.0.102.
Virtual MAC for HSRP v1 is 0000.0c07.acXX (XX = group in hex).
Use 'show standby' to verify state, priority, preempt, and timers.
Interface tracking reduces priority when a tracked interface goes down.
These come up on the exam all the time. Here's how to tell them apart.
HSRP (Cisco proprietary)
Cisco proprietary
Active/Standby model (only one forwarding)
Virtual MAC: 0000.0c07.acXX
Default Hello 3 sec, Hold 10 sec
Preempt disabled by default
Uses UDP port 1985
VRRP (Open standard RFC 3768)
Open standard (RFC 3768)
Master/Backup model (only one forwarding)
Virtual MAC: 0000.5e00.01XX
Default advert interval 1 sec (Master Down interval 3 sec)
Preempt enabled by default
Uses IP protocol 112
Mistake
A router with higher priority always becomes Active immediately.
Correct
HSRP does not preempt by default. The router with higher priority will only become Active if preempt is enabled on that router. Without preempt, the current Active remains Active until it fails.
Many assume 'higher priority wins' means immediate takeover, but preempt is needed for that behavior.
Mistake
HSRP timers must be the same on both routers.
Correct
Timers should be configured identically to avoid premature failover. However, HSRP does not enforce matching timers; mismatched timers can cause the router with shorter Hold to declare the other dead.
Candidates think timers are negotiated, but they are locally configured and must be manually matched.
Mistake
If the Active router fails, the Standby router becomes Active immediately.
Correct
The Standby router waits for the Hold timer (default 10 seconds) without receiving a Hello before transitioning to Active. This introduces a delay.
People expect instant failover, but there is a timer-based detection.
Mistake
HSRP uses the virtual IP as the source IP for Hellos.
Correct
HSRP Hellos are sent from the router's physical interface IP (the IP configured on the interface), not the virtual IP. The virtual IP is only used as the default gateway address for hosts.
Candidates confuse the virtual IP with the source of protocol messages.
The most common reason is that preempt is disabled on the higher-priority router. HSRP does not automatically take over when a router with higher priority comes online; it only preempts if the 'preempt' keyword is configured. Check with 'show standby' to see if preempt is enabled. If not, add 'standby <group> preempt' to the configuration. Other possible causes: the higher-priority router may have its priority reduced by interface tracking, or it may not be receiving Hellos from the Active router due to Layer 2 issues.
This indicates a 'dual Active' scenario, which occurs when each router believes it is the Active because they are not receiving Hellos from each other. This can happen if there is a Layer 2 problem (e.g., VLAN mismatch, switch port blocked by STP, or an ACL blocking multicast traffic to 224.0.0.2). It can also happen if the HSRP version or authentication settings differ. Check connectivity between the routers and ensure they are in the same VLAN. Verify that the virtual IP is the same on both. This is a serious issue because both routers will respond to ARP requests for the virtual IP, causing traffic to be intermittently dropped.
To enable preempt, add the command 'standby <group> preempt' under the interface configuration. For example:
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 standby 10 ip 192.168.1.254
 standby 10 priority 150
 standby 10 preempt
Preempt allows a router with higher priority to take over the Active role from a lower-priority Active. Without it, the router will only become Active if the current Active fails. Preempt is disabled by default.
HSRP version 1 uses multicast address 224.0.0.2 and supports group numbers 0-255. It uses the virtual MAC 0000.0c07.acXX (XX is group in hex). HSRP version 2 uses multicast address 224.0.0.102 and supports group numbers 0-4095. It also uses a different virtual MAC format (0000.0c9f.fXXX, where XXX is group in hex). Version 2 also supports IPv6 and includes a 6-byte identifier field. The two versions are incompatible; all routers in the same group must use the same version. Use 'standby version 2' to enable version 2.
No, HSRP is designed for LAN environments where routers are on the same broadcast domain (Layer 2 segment). The routers must be directly connected via a switch or hub and share the same subnet. HSRP Hellos are multicast frames that do not cross Layer 3 boundaries. For WAN redundancy, use routing protocols like HSRP is not appropriate.
Interface tracking allows you to decrement the HSRP priority when a specified interface goes down. This is used to cause a failover to the standby router if the active router loses an uplink. For example, 'standby 10 track GigabitEthernet0/1 30' reduces the effective priority by 30 if G0/1 goes down. If the decremented priority falls below the standby router's priority (and preempt is enabled), the standby will become active. This ensures that traffic does not go through a router that has lost its upstream connectivity.
This command configures the virtual IP address that the HSRP group will use as the default gateway for hosts. The virtual IP must be on the same subnet as the interface IPs of the participating routers. It is the address that hosts will use as their default gateway. Both routers must have the same virtual IP configured. The command is 'standby <group> ip <virtual-ip>' under interface configuration mode.