Getting VRRP Working on Huawei USG6000V: Why Both Firewalls Show Backup and How to Fix It

In a high-availability setup, the firewall pair is supposed to behave like a well-drilled handoff: if the primary device fails, the standby unit should take over immediately so the network keeps running. On Huawei USG6000V firewalls, VRRP is one of the basic ways to build that kind of redundancy.

But there is a problem that trips up many beginners during lab work. You configure the two devices, run a status check, and discover that both firewalls are sitting in the Backup state. Neither one becomes Master, which means the failover setup never really comes alive.

The reason is usually not a typo in the VRRP commands. On Huawei firewalls, HRP is enabled by default, and that changes the behavior. If you are only trying to build a simple VRRP test environment, HRP can get in the way of the normal master election process. The fix is straightforward: disable HRP first, then configure VRRP.

Basic topology and role assignment

A simple lab topology is enough to demonstrate the setup:

  • FW1: interface IP 192.168.1.2, intended to become the Master
  • FW2: interface IP 192.168.1.3, intended to remain the Backup
  • Virtual IP: 192.168.1.1

The virtual IP is the address used by internal clients. Regardless of which firewall is currently active, that address stays the same.

Why both devices show Backup

A common verification step is to run display vrrp after configuration. What confuses many new users is seeing the same result on both firewalls: State: Backup.

This happens because Huawei’s HRP (Hot Standby Redundancy Protocol) is enabled by default. HRP is designed for more advanced dual-device hot standby scenarios. It is useful in production environments, but in a basic VRRP lab it can effectively take over the redundancy logic and prevent VRRP from electing a proper master.

So before you configure VRRP on a USG6000V, disable HRP on both devices.

Step 1: Disable HRP on both firewalls

This is the key step. Without it, the rest of the VRRP configuration may look correct while the state remains wrong.

# Enter the system view (just press Enter)
<FW1> system-view
# Disable HRP
[FW1] undo hrp enable
# Do the same on FW2
<FW2> system-view
[FW2] undo hrp enable

Step 2: Configure FW1 as the active device

Now configure the interface on FW1 and explicitly make it the active member of the VRRP group.

# Enter the interface view
[FW1] interface GigabitEthernet 1/0/0
# Configure the interface IP address
[FW1-GigabitEthernet1/0/0] ip address 192.168.1.2 255.255.255.0
# Configure VRRP: VRID 1, virtual IP 192.168.1.1; the trailing "active" keyword means "I am the active device"
[FW1-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.1.1 255.255.255.0 active
# Configuration done, leave the interface view
[FW1-GigabitEthernet1/0/0] quit

Here, the interface address is 192.168.1.2/24, the VRRP group ID is 1, and the virtual IP is 192.168.1.1. The important keyword is active, which tells FW1 to take the primary role.

Step 3: Configure FW2 as the standby device

FW2 is configured almost the same way. The main difference is the final keyword, which defines it as the standby member.

# Enter the interface view
[FW2] interface GigabitEthernet 1/0/0
# Configure the interface IP address
[FW2-GigabitEthernet1/0/0] ip address 192.168.1.3 255.255.255.0
# Configure VRRP; note that the trailing keyword is "standby" (backup device)
[FW2-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 192.168.1.1 255.255.255.0 standby
# Configuration done, leave the interface view
[FW2-GigabitEthernet1/0/0] quit

This places FW2 on 192.168.1.3/24 in the same VRRP group, using the same virtual IP, but with the standby role.

How to verify the result

Once both firewalls are configured, run display vrrp to confirm the state of each device.

What you should see:

  • On FW1, the state should be Master
  • On FW2, the state should be Backup

If the output looks like that, the configuration is working as expected. FW1 is currently holding the virtual IP 192.168.1.1, while FW2 is waiting to take over if the primary firewall fails.

In practice, that means if FW1 loses power or goes down unexpectedly, FW2 can assume the virtual IP automatically in milliseconds, so users on the internal network will notice little or no interruption.
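The state check described above can be scripted once the display vrrp output of each firewall has been saved as text. The following is an added example, not part of the original article or of any Huawei tooling: the function names and the sample text are constructed, the parser assumes only the State field the article quotes, and it goes one step beyond the article by also flagging the case where both devices report Master.

```python
import re

# The article quotes the "State: <value>" field of `display vrrp`; spacing
# around the colon is tolerated (assumption about real device output).
STATE_RE = re.compile(r"^\s*State\s*:\s*(\w+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample text, not captured from a device.
SAMPLE_BACKUP = "Virtual Router 1\n  State: Backup\n  Virtual IP: 192.168.1.1\n"
SAMPLE_MASTER = "Virtual Router 1\n  State: Master\n  Virtual IP: 192.168.1.1\n"


def vrrp_state(text):
    """Return the first VRRP state found in captured text, or None."""
    match = STATE_RE.search(text)
    return match.group(1).capitalize() if match else None


def check_pair(outputs, expected_master="FW1"):
    """Classify a VRRP pair from {device name: captured `display vrrp` text}."""
    states = {name: vrrp_state(text) for name, text in outputs.items()}
    summary = ", ".join("%s=%s" % (n, states[n]) for n in sorted(states))
    if None in states.values():
        return "unknown", "State field missing: " + summary
    masters = sorted(n for n, s in states.items() if s == "Master")
    if not masters:
        # The failure described in the article: nobody holds the virtual IP.
        return "no-master", summary + "; confirm 'undo hrp enable' on both"
    if len(masters) > 1:
        # Not covered by the article: both devices claim the virtual IP.
        return "dual-master", summary
    if masters != [expected_master]:
        return "wrong-master", summary
    return "ok", summary


if __name__ == "__main__":
    print(check_pair({"FW1": SAMPLE_BACKUP, "FW2": SAMPLE_BACKUP}))
    print(check_pair({"FW1": SAMPLE_MASTER, "FW2": SAMPLE_BACKUP}))
```

Run against the two constructed samples, the first call reports no-master (the both-Backup symptom) and the second reports ok.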

One more thing worth knowing

Disabling HRP is the right move for this kind of basic VRRP exercise, but that does not mean HRP is unimportant. In real enterprise deployments, HRP is often enabled because it supports more advanced dual-firewall hot standby behavior.

The key advantage is that it does more than move an IP address between devices. It can also synchronize session tables, which helps preserve ongoing traffic during a failover event.

So if your goal is simply to learn VRRP on the USG6000V, start by turning HRP off and getting the master/backup logic working correctly. Once that foundation is clear, the next step is to study HRP-based high availability in a more complete production-style design.