+5

Apply preempt.

Im using preempt, both groups are working.

But this is a VPN GW, so the INTERNAL and EXTERNAL HSRP Groups needs to stay on the same router.

How can I achieve that ? Is there a way to combine two HSRP groups ?

why would you have it that way is there a specific reason ? , if you need to fail between the routers just use one HSRP group and track and upstream route with ip sla so it fails over on its internal interfaces , why would you fail the public addresses ?

you cant bridge two interfaces on same router through HSRP , You can have multiple groups under same interface but subnet needs to be split

sorry just came back to this topic.

It seems that I can track interfaces, but not an HSRP IP.

>why would you have it that way is there a specific reason ?

I dont know a better way to design it. Ive used Cisco ASA as VPN Gateways till now, but now there are to many VPNs so we decided to buy routers for this.

Now I have a pair of ASR1001 and cant get a reliable setup ;)

For my VPN Peers I need a HSRP IP to connect my system (GRP1) and I need to route the traffic internal to the VPN GW HSRP IP (GRP2).

So I need to find a way that both Groups are always active on the same system

Could you use GLBP active/active instead of HSRP active standby if you need both active

Oh, you're concerned about a failure on inside or outside would cause one side of HSRP to migrate, but not the other?  If so, that's what the tracking options are used for.  You can track a local device interface or you can track, with SLA (as Mark also noted), some other IP's reachability, to change priorities and this should allow the internal and external HSRPs to stay on the same router.