HSRP Not Failing Over When Active Router Goes Down

Presenting Symptom

When the active HSRP router is powered down or its interface is shut, the standby router does not take over as active, and hosts lose connectivity to the virtual IP address.

Network Context

A small branch office with two Cisco 4321 routers (R1 and R2) running IOS XE 16.9, both connected to the same VLAN 10 subnet (192.168.1.0/24) and configured with HSRP version 2. The routers are connected to a single Layer 2 switch. The network uses a single HSRP group (group 10) with virtual IP 192.168.1.1. The problem occurs after a recent configuration change.

Diagnostic Steps

1. Check HSRP state on both routers

show standby brief
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0/0     10   100 P Active  local           192.168.1.3     192.168.1.1
Gi0/0/0     10   95  P Standby 192.168.1.2     local           192.168.1.1

On the active router, state should be 'Active' and on standby 'Standby'. If the standby shows 'Init' or 'Listen', it indicates a problem. Also check if the active router's IP appears correctly.

2. Verify HSRP timers and preempt configuration

show standby
GigabitEthernet0/0/0 - Group 10
  State is Standby
    2 state changes, last state change 00:05:32
  Virtual IP address is 192.168.1.1
  Active virtual MAC address is 0000.0c9f.f00a
  Local virtual MAC address is 0000.0c9f.f00a (v2 default)
  Hello time 3 sec, hold time 10 sec
  Next hello sent in 1.536 secs
  Preemption disabled
  Active router is 192.168.1.2, priority 100 (expires in 9.536 sec)
  Standby router is local
  Priority 95 (configured 95)
  Group name is "hsrp-Gi0/0/0-10" (default)

Look for 'Preemption disabled'. This is normal if preempt has not been configured, but if preempt is needed, it should be enabled. Also check that the active router's priority is higher than the standby's. With preempt disabled, the standby takes over only once the hold timer for the active router expires.

3. Check interface status and IP connectivity between routers

show ip interface brief | include GigabitEthernet0/0/0
GigabitEthernet0/0/0   192.168.1.2       YES manual up                    up
GigabitEthernet0/0/0   192.168.1.3       YES manual up                    up

Both interfaces must be up/up. If one is down, HSRP cannot function. Also verify that the routers can ping each other's IP addresses.

4. Verify HSRP version and authentication

show standby all | include Version|Authentication
  Version 2
  Authentication MD5, key-string "cisco123"

Both routers must use the same HSRP version (1 or 2) and authentication string (if configured). Mismatched authentication or version can prevent standby from recognizing the active's failure.

Root Cause

The standby router has HSRP preempt disabled and its priority (95) is lower than the active router's priority (100). Neither setting explains the failure on its own: when the active router is completely powered off, the standby stops receiving hellos and should become active once the hold timer (10 seconds) expires.

If the standby still does not become active, the candidates to check are:

1. A 'standby 10 track' statement that decrements the standby's priority, or a flapping interface on the standby.
2. A 'standby 10 timers' misconfiguration that makes the hold timer too long.
3. A Layer 2 issue that prevents the standby from receiving hellos from the active.
4. The active router's interface is still up (e.g., only the HSRP process is affected), so the active's priority remains 100 and the standby does not take over.
5. The standby's HSRP group is in 'Init' state because of a misconfigured virtual IP or an authentication mismatch.

In this scenario the root cause is the last of these: the standby router has a different HSRP virtual IP address configured (e.g., 192.168.1.254 instead of 192.168.1.1).

Resolution

1. On the standby router, correct the HSRP virtual IP address:

   interface GigabitEthernet0/0/0
    standby 10 ip 192.168.1.1

2. Optionally, enable preempt to allow the standby to take over when its priority becomes higher:

    standby 10 preempt

3. Ensure both routers have matching HSRP version and authentication:

    standby 10 version 2
    standby 10 authentication md5 key-string cisco123

4. Verify that the standby router's priority is set appropriately (e.g., 100):

    standby 10 priority 100

Verification

On both routers, run 'show standby brief'. Expected output after the fix:

Interface   Grp  Pri P State   Active          Standby         Virtual IP
Gi0/0/0     10   100 P Active  local           192.168.1.3     192.168.1.1
Gi0/0/0     10   100 P Standby 192.168.1.2     local           192.168.1.1

Then simulate a failure by shutting the active router's interface:

interface Gi0/0/0
 shutdown

On the standby, run 'show standby brief' again and verify that the state changes to 'Active' within the hold time.

Prevention

1. Always configure HSRP preempt on both routers to ensure the highest priority router becomes active after a failure.
2. Use consistent HSRP configuration (version, authentication, virtual IP) across all routers in the group.
3. Implement interface tracking to automatically decrement priority if a tracked interface goes down, ensuring the standby takes over when necessary.
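
A consistency check for the recommendation above and for the virtual IP mismatch named as the root cause, as an added example that is not part of the original page: it compares captured 'show standby' text from each router in the group. The field patterns assume the output lines shown in the diagnostic steps, and the sample text for R1 and R2 is constructed.

```python
import re

# Settings that must be identical on every router in an HSRP group.
# Only the authentication type is captured; key strings are never echoed.
FIELDS = {
    "group": r"- Group (\d+)",
    "version": r"Version (\d+)",
    "virtual_ip": r"Virtual IP address is (\S+)",
    "hello": r"Hello time (\d+) sec",
    "hold": r"hold time (\d+) sec",
    "auth": r"Authentication (\w+)",
}

def parse_standby(text):
    """Pull the comparable settings out of one router's captured output."""
    found = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        found[name] = match.group(1) if match else None  # None = line absent
    return found

def find_mismatches(outputs):
    """outputs maps router name -> captured text.
    Returns {field: {router: value}} for each field that differs."""
    parsed = {router: parse_standby(text) for router, text in outputs.items()}
    mismatches = {}
    for field in FIELDS:
        values = {router: settings[field] for router, settings in parsed.items()}
        if len(set(values.values())) > 1:
            mismatches[field] = values
    return mismatches

# Constructed sample: lines in the format shown in steps 2 and 4 above.
R1 = """GigabitEthernet0/0/0 - Group 10
  Virtual IP address is 192.168.1.1
  Hello time 3 sec, hold time 10 sec
  Version 2
  Authentication MD5, key-string "cisco123"
"""
# R2 differs only in the virtual IP, as in the root cause described above.
R2 = R1.replace("address is 192.168.1.1", "address is 192.168.1.254")

if __name__ == "__main__":
    for field, values in find_mismatches({"R1": R1, "R2": R2}).items():
        print(f"MISMATCH {field}: {values}")
```

A field reported with the value None on one router means the corresponding line was missing from that router's output, which is itself a difference worth checking.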

CCNA Exam Relevance

On the CCNA 200-301 exam, HSRP troubleshooting appears in multiple-choice and simulation questions. The exam tests understanding of HSRP states (Active, Standby, Listen, Init), preempt behavior, and the role of priority. A common question presents a scenario where the standby does not become active after the active fails, and the candidate must identify that preempt is disabled or that the virtual IP is mismatched.

Exam Tips

1. Memorize the default HSRP timers: hello 3 sec, hold 10 sec, for both version 1 and version 2.

2. Remember that HSRP preempt is disabled by default; the standby will only become active if its priority is higher than the active's current priority.

3. Know that 'show standby brief' is the quickest way to see the state and active/standby IPs.
