I use controllers for IPsec mostly. When using master redundancy, I set up VRRP on the outside (where IPsec is coming from, untrusted) and the inside (where IPsec is going, or trusted). I set the pre-empt for zero.
vrrp 1
  vlan 499
  ip address 172.22.201.1 255.255.255.0
  priority 255
  preempt
  authentication password
  description Preferred-Master-Outside
  tracking interface gigabitethernet 0/0/2 sub 3
In my case, if the outside interface is down, I need the inside to go down just as fast. That way return traffic can return immediately instead of waiting. Hence I subtract three from the inside. I always set the priority for the preferred master as 255 and the secondary as 254.