IPSec SAs never come up when the HSRP pair is forced to failover on a Cisco router




This document describes a scenario in which IPSec Security Associations (SAs) fail to come up after a Hot Standby Router Protocol (HSRP) failover on a Cisco router, and what to do about it.


What is HSRP?

HSRP stands for Hot Standby Router Protocol. It is a Cisco-proprietary protocol used to implement first-hop (default gateway) redundancy, giving close to 100 percent availability of the gateway address. If the primary router goes down, the backup router takes over the routing functions that the primary was performing, without any change on the hosts.


If the network also contains non-Cisco devices, Cisco supports the industry-standard alternative to HSRP, and additionally offers a second proprietary option:

  • Virtual Router Redundancy Protocol (VRRP): the IETF-standardized equivalent of HSRP, supported on Cisco and third-party routers
  • Gateway Load Balancing Protocol (GLBP): Cisco proprietary; an alternative to HSRP that also load-balances traffic across the routers in the group


How does HSRP work?

HSRP assigns each router in a group the role of active (primary) or standby once it is configured and running. For example:


Take two routers, R1 (primary) and R2 (secondary). If R2 receives no HELLO packet from R1 for the hold time (10 seconds by default, with HELLOs sent every 3 seconds), R2 assumes that R1 is down and a changeover takes place. R2 then takes ownership of the virtual IP address and answers for the virtual Ethernet MAC address that is tied to it (0000.0C07.ACxx for HSRP version 1, where xx is the group number), so hosts that use the virtual address as their default gateway notice nothing.


R1 and R2 keep exchanging HSRP HELLO packets with each other, which confirms that both routers are up and agree on the state of the group. HELLO packets are multicast over IP (to 224.0.0.2 for HSRP version 1, 224.0.0.102 for version 2) on UDP port 1985. HSRP has been supported since IOS 10.0; IOS versions 11 and 12 provide updated releases of HSRP.


Note: For router redundancy you are not limited to two routers. You can create a group of routers that work together: one is active, one is standby, and any further members stay in the listen state and can take over in turn.
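The election and failover behaviour described above, as an added IOS configuration example (this is not configuration from the original article). Interface names, the addresses (from the RFC 5737 documentation ranges), the track object and the MD5 key are assumptions chosen for illustration; R1 is given the higher priority so that it becomes active, and the HSRP group is named because a later step binds IPSec to it.

```cisco
! Added example: two-router HSRP group on the outside interface that will also
! terminate the IPSec tunnel. Addresses, names and keys are assumptions.
!
! ---- R1: intended active (priority 110 beats R2's default 100) ----
! Track the other uplink; if it goes down, R1's priority drops below R2's.
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby version 2
! virtual IP that hosts and the remote IPSec peer use
 standby 1 ip 192.0.2.1
 standby 1 priority 110
! reclaim the active role when R1 comes back, but wait 30 s for routing to settle
 standby 1 preempt delay minimum 30
! hello every 3 s; the peer is declared dead after 10 s without HELLOs
 standby 1 timers 3 10
! MD5 authentication instead of the plaintext default key "cisco": a rogue
! host on the segment cannot otherwise claim priority 255 and become active
 standby 1 authentication md5 key-string HsrpK3y
 standby 1 track 10 decrement 20
! group name, referenced later by "crypto map ... redundancy"
 standby 1 name HSRP-VPN
!
! ---- R2: standby (timers, key and group name must match R1) ----
interface GigabitEthernet0/0
 ip address 192.0.2.3 255.255.255.0
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 3 10
 standby 1 authentication md5 key-string HsrpK3y
 standby 1 name HSRP-VPN
!
! Verification from enable mode on either router: group, priority, state,
! and which address is currently active and standby.
! R1# show standby brief
```

To watch a failover as it happens, run `debug standby` on R2 and shut R1's GigabitEthernet0/0: after the 10 second hold time R2 logs the transition from Standby to Active and `show standby brief` shows it owning 192.0.2.1. With authentication left at the default, any device on the segment can send HELLOs with a higher priority and take the virtual address, so treat the key as part of the security configuration.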

Core issue

Crypto maps get disabled when changes are made to the Hot Standby Router Protocol (HSRP) configuration on the router, so after an HSRP failover (or any HSRP reconfiguration) the IPSec SAs are not renegotiated and the tunnels stay down.



Resolution

First try to manually clear the IPSec Security Associations (SAs) on the primary router. If that does not help, remove the crypto maps from the interfaces on which HSRP is defined, and re-apply them.

In general, whenever you change the HSRP configuration on an interface that has a crypto map applied, re-apply the crypto map after the change so that it is enabled again.
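The recovery procedure above, together with the way a crypto map is bound to an HSRP group, as an added IOS example (not configuration or output from the original article). It assumes an HSRP group named HSRP-VPN already exists on GigabitEthernet0/0 with virtual address 192.0.2.1; the peer address, the access list, the transform set and the pre-shared key are assumptions for illustration.

```cisco
! Added example: crypto map bound to the HSRP group, then the recovery steps.
! Addresses, names, ACL and pre-shared key are assumptions.
!
! ---- Configuration, identical on R1 and R2 ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Ex4mpl3PSK address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
! interesting traffic between the two sites
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 101
!
interface GigabitEthernet0/0
 standby 1 ip 192.0.2.1
 standby 1 name HSRP-VPN
! "redundancy <group-name>" ties the crypto map to the HSRP group: ISAKMP and
! IPSec use the virtual address 192.0.2.1 as the tunnel endpoint, so whichever
! router is active negotiates with the peer under the same address.
 crypto map VPNMAP redundancy HSRP-VPN
!
! ---- Recovery after a failover or HSRP change, from enable mode ----
! 1. Confirm this router is HSRP active and that the map is still attached
!    ("Interfaces using crypto map VPNMAP" must list GigabitEthernet0/0).
! R1# show standby brief
! R1# show crypto map
! R1# show crypto isakmp sa
!
! 2. Clear the stale SAs so they are renegotiated from the virtual address.
! R1# clear crypto sa
! R1# clear crypto isakmp
!
! 3. If the SAs still do not come up, detach the crypto map and re-apply it.
! R1# configure terminal
! R1(config)# interface GigabitEthernet0/0
! R1(config-if)# no crypto map VPNMAP
! R1(config-if)# crypto map VPNMAP redundancy HSRP-VPN
! R1(config-if)# end
!
! 4. Send traffic matching access-list 101 and check that the SAs are active.
! R1# show crypto ipsec sa peer 203.0.113.10
```

Step 3 is the one that repairs the condition described under Core issue: removing and re-adding the crypto map re-enables it on the interface. Only the HSRP-active router can hold the SAs, so run the procedure on the router that `show standby brief` reports as Active, not on the standby, and keep the crypto and HSRP configuration identical on both members so that a later failover in either direction behaves the same way.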


For more information, refer to the "Configuring HSRP with IPSec" section of the Cisco document IPSec VPN High Availability Enhancements.


