why would i see traffic on a standby HA PA2020?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

why would i see traffic on a standby HA PA2020?

L1 Bithead


We've just had a couple of PA2020s installed in an Active-Passive HA configuration, running v3.1.7, and I'm trying to diagnose an FTP problem which may or may not be related to the installation. One thing I have discovered is that we're seeing a small amount of traffic (probably less than 1% of the total) on our standby PA2020, but just from a few specific sources. It is all marked as ‘deny’ traffic, which I guess you’d expect on a standby unit.

We’ve cleared the dynamic arp entries (using clear mac-address-table dynamic ) on our Cisco catalyst switch stack - both PA2020s go into our core stack (into ports in different switches) - which is logically a single switch.

Can anyone explain why we’re seeing any traffic at all on the standby PA? Is there a setting for the ports which we should be using on the switch port(s) to make it ‘HA-friendly’.




L4 Transporter

Hi Matt,

What type of traffic is being denied?  Is it normal network traffic or could it be BPDU's from the switch trying to do STP?  Best practice is to enable portfast on the switch ports connected to the firewall.

The following command may provide more insight on to the type of packets being dropped:

show counter global filter severity drop delta yes

Run this command every few seconds for a few times to see which drop counters are incrementing.




I've checked through and what we're seeing is almost exclusively FTP traffic being logged on the standby firewall. Is there something special about the way FTP would be handled by our switches?! (I'm seeing this on both of the interfaces which have automated ftp client activity.) At first I thought this was an ARP issue, but arp tables were cleared several times, and the FTPing systems have been rebooted several times too.

We were concerned about denied FTP packets, so we've now set the Passive Link State to 'Shutdown', so this means that I can't monitor for further misdirected packes on the HA peer just at the moment.

I can confirm that 'spanning tree portfast' is set on the switch ports we are connecting to our PA2020s, so the denied FTP packets remain a mystery :smileyconfused:


Not sure what could be causing this.  It might be a good idea to open a Support case, but I don't see any reason why the Palo Alto firewall would be causing this.  My hunch is something upstream.




there is a known issue on the HA feature. We have the same issue. At the moment, it's not fixed with release3.1.7


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!