https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22812#M16673 <HTML><HEAD></HEAD><BODY><P>These are most probably sessions which were started before the interface was shutdown. They stay in the session table until they idle out and then produce the session end log entry.</P></BODY></HTML> Wed, 18 Sep 2013 11:56:56 GMT Anon1 2013-09-18T11:56:56Z https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22811#M16672 <HTML><HEAD></HEAD><BODY><P>This is our scenario:</P><P>- A PA-200 with a subinterface tagged with VLAN ID 200.</P><P>- Connected to a Cisco Catalyst switch (trunk with VLAN ID 200 allowed).</P><P>- It has been working without problems.</P><P></P><P>Now, we want to divert traffic to a Cisco router with same IP address as PA-200.</P><P>We put Catalyst interface in shutdown state (where PA-200 is connected) at 10.52h.</P><P>- We can see interface in "down" state (red) in PA-200.</P><P>- We cannot ping this interface IP.</P><P>- There's no other interface in this security zone.</P><P></P><P>But, traffic log is showing that there's some traffic in this interface. How is it possible?</P><P></P><P>I attach some pictures.</P><P></P><P>Thank for your answers!</P><P><IMG alt="2013-09-18_13h08_22.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8454_2013-09-18_13h08_22.png" style="width: 620px; height: 160px;" /></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"> </SPAN></P><P><IMG alt="2013-09-18_13h12_02.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8455_2013-09-18_13h12_02.png" style="font-size: 10pt; line-height: 1.5em; width: 620px; height: 212px;" /><IMG alt="2013-09-18_13h13_14.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/8456_2013-09-18_13h13_14.png" style="font-size: 10pt; line-height: 1.5em; width: 620px; height: 432px;" /></P></BODY></HTML> Wed, 18 Sep 2013 11:16:41 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22811#M16672 dept_tec_bcn 2013-09-18T11:16:41Z https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22812#M16673 <HTML><HEAD></HEAD><BODY><P>These are most probably sessions which were started before the interface was shutdown. They stay in the session table until they idle out and then produce the session end log entry.</P></BODY></HTML> Wed, 18 Sep 2013 11:56:56 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22812#M16673 Anon1 2013-09-18T11:56:56Z https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22813#M16674 <HTML><HEAD></HEAD><BODY><P>As you can see from the log details, the session start time was at 10:42 and you have the log option set to log at session end (Type: end), log generated time: 12:09. So as pointed out by Anon, these might be the old sessions which timed out much later and a log was generated at session end.</P><P></P><P>Thanks,</P><P>Aditi</P></BODY></HTML> Wed, 18 Sep 2013 15:37:26 GMT https://live.paloaltonetworks.com/t5/general-topics/traffic-logged-in-an-interface-in-down-state/m-p/22813#M16674 apasupulati 2013-09-18T15:37:26Z