diff --git a/changes/bug40805 b/changes/bug40805
new file mode 100644
index 0000000000..bed27c5e43
--- /dev/null
+++ b/changes/bug40805
@@ -0,0 +1,7 @@
+  o Major bugfixes (vanguards):
+    - Rotate to a new L2 vanguard whenever an existing one loses the
+      Stable or Fast flag. Previously, we would leave these relays in the
+      L2 vanguard list but never use them, and if all of our vanguards
+      end up like this we wouldn't have any middle nodes left to choose
+      from so we would fail to make onion-related circuits. Fixes bug
+      40805; bugfix on 0.4.7.1-alpha.
diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c
index 4783faf9dd..e5c89645f6 100644
--- a/src/feature/client/entrynodes.c
+++ b/src/feature/client/entrynodes.c
@@ -151,6 +151,7 @@
 #include "feature/nodelist/node_st.h"
 #include "core/or/origin_circuit_st.h"
 #include "app/config/or_state_st.h"
+#include "src/feature/nodelist/routerstatus_st.h"
 
 #include "core/or/conflux_util.h"
 
@@ -4143,8 +4144,10 @@ maintain_layer2_guards(void)
     }
 
     /* Expire if relay has left consensus */
-    if (router_get_consensus_status_by_id(g->identity) == NULL) {
-      log_info(LD_GENERAL, "Removing missing Layer2 guard %s",
+    const routerstatus_t *rs = router_get_consensus_status_by_id(g->identity);
+    if (rs == NULL || !rs->is_stable || !rs->is_fast) {
+      log_info(LD_GENERAL, "Removing %s Layer2 guard %s",
+               rs ? "unsuitable" : "missing",
                safe_str_client(hex_str(g->identity, DIGEST_LEN)));
       // Nickname may be gone from consensus and doesn't matter anyway
       control_event_guard("None", g->identity, "BAD_L2");