Why active-secondary firewall specific dataplane core usage is increased, under a situation that packets only go through active-primary firewall and there is no asymmetric packet?

Created On 01/13/25 12:39 PM - Last Modified 03/31/25 21:42 PM


Symptom


  • Active/Active HA pair (active-primary is PA-1420-1, active-secondary is PA-1420-2).
  • Session Owner Selection: first-packet
  • Session Setup: first-packet
  • Traffic passes only through the active-primary firewall; there are no asymmetric flows.
  • Nevertheless, one specific dataplane core (core 4) on the active-secondary firewall shows about 50% utilization.

Question: Why is the dataplane CPU of the active-secondary firewall high when it is not forwarding any traffic?



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • High Availability Active/Active Setup
  • The active-primary firewall forwards all traffic.


Cause


  • The dataplane CPU of PA-1420-2 was busy with session synchronization received over HA2.
    • Even though all packets pass through 1420-1 and 1420-1 handles them, every session it sets up must be synchronized to 1420-2 so that the peer can take over the flow on failover.
    • These session sync messages are HA2 messages. (An HA pair uses up to three links: HA1 for control, HA2 for session/state synchronization, HA3 for packet forwarding in Active/Active.)
    • The 1420-2 dataplane was therefore busy processing inbound HA2 messages.
    • This can be verified with the global counters.

The global counters on PA-1420-2 (active-secondary) show "pkt_recv" nearly equal to "ha_msg_recv": almost every packet the dataplane received was an HA message, i.e. HA2 session sync traffic. All of it was delivered to core 4.

{noformat}
[2024-12-24 11:06:00.769] admin@PA-1420-2(active-secondary)> show counter global filter delta yes
[2024-12-24 11:06:00.774]
[2024-12-24 11:06:00.840] Global counters:
[2024-12-24 11:06:00.840] Elapsed time since last sampling: 5.19 seconds
[2024-12-24 11:06:00.840]
[2024-12-24 11:06:00.840] name value rate severity category aspect description
[2024-12-24 11:06:00.840] --------------------------------------------------------------------------------
[2024-12-24 11:06:00.840] pkt_recv 1244075 247873 info packet pktproc Packets received >>>>>>
---snip---
[2024-12-24 11:06:00.885] ha_msg_sent 40 7 info ha system HA: messages sent
[2024-12-24 11:06:00.885] ha_msg_recv 1243984 247854 info ha system HA: messages received >>>>>>>>>>
---snip---
[2024-12-24 11:06:01.441] CPU load (%) during last 2 seconds:
[2024-12-24 11:06:01.441] core 0 1 2 3 4 5 6 7 8 9 10 11
[2024-12-24 11:06:01.441] * 6 5 5 49 4 4 5 5 4 * *
[2024-12-24 11:06:01.441] * 5 5 5 49 4 4 5 5 4 * *
{noformat}

  • Why only one core (core 4) is loaded, rather than the load being spread over all cores, depends on the HA2 transport mode.
    • When the HSCI interface is used as the HA2 link with transport mode "ethernet", there is a limitation: HA2 traffic in ethernet transport cannot be hashed across multiple dataplane cores, so every HA2 message lands on the same core.
    • To distribute HA2 messages across multiple cores, change the HA2 transport mode to "udp".
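As an added example (not part of the original article), the script below applies the check described above to a captured `show counter global filter delta yes` output: it compares `ha_msg_recv` with `pkt_recv` to confirm that the inbound load is HA2 session sync, and reads the per-core CPU load table to see whether that load is pinned to a single dataplane core (ethernet transport) or spread across several (udp transport). The sample capture is constructed from the values shown on this page; the 90% share and 40% per-core thresholds are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of the capture shown above, taken on the
# active-secondary peer. Only the lines needed for the check are included.
SAMPLE = """\
[2024-12-24 11:06:00.769] admin@PA-1420-2(active-secondary)> show counter global filter delta yes
[2024-12-24 11:06:00.840] Global counters:
[2024-12-24 11:06:00.840] Elapsed time since last sampling: 5.19 seconds
[2024-12-24 11:06:00.840] name value rate severity category aspect description
[2024-12-24 11:06:00.840] --------------------------------------------------------------------------------
[2024-12-24 11:06:00.840] pkt_recv 1244075 247873 info packet pktproc Packets received
[2024-12-24 11:06:00.885] ha_msg_sent 40 7 info ha system HA: messages sent
[2024-12-24 11:06:00.885] ha_msg_recv 1243984 247854 info ha system HA: messages received
[2024-12-24 11:06:01.441] CPU load (%) during last 2 seconds:
[2024-12-24 11:06:01.441] core 0 1 2 3 4 5 6 7 8 9 10 11
[2024-12-24 11:06:01.441] * 6 5 5 49 4 4 5 5 4 * *
[2024-12-24 11:06:01.441] * 5 5 5 49 4 4 5 5 4 * *
"""

# "[2024-12-24 11:06:00.769] " prefix added by the terminal logger, not by PAN-OS.
TS_PREFIX = re.compile(r"^\[[^\]]*\]\s*")
# name value rate severity category aspect description
# Severity/category/aspect are restricted to letters so the "core 0 1 2 ..." header
# of the CPU table is not mistaken for a counter row.
COUNTER_ROW = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)\s+([a-z]+)\s+([a-z]+)\s+([a-z]+)\s+(.*)$")


def strip_ts(line: str) -> str:
    return TS_PREFIX.sub("", line).strip()


def parse_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {counter_name: (value, rate)} for every counter row in the capture."""
    counters: Dict[str, Tuple[int, int]] = {}
    for raw in text.splitlines():
        m = COUNTER_ROW.match(strip_ts(raw))
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def parse_cpu_load(text: str) -> List[Dict[int, int]]:
    """Return one {core_index: load_pct} dict per sample row of the 'CPU load' table.
    Cores printed as '*' are not dataplane packet-processing cores and are omitted."""
    rows: List[Dict[int, int]] = []
    header: Optional[List[int]] = None
    for raw in text.splitlines():
        toks = strip_ts(raw).split()
        if toks and toks[0] == "core" and all(t.isdigit() for t in toks[1:]):
            header = [int(t) for t in toks[1:]]
            continue
        if header is None:
            continue
        if len(toks) == len(header) and all(t == "*" or t.isdigit() for t in toks):
            rows.append({c: int(t) for c, t in zip(header, toks) if t != "*"})
        else:
            header = None  # any other line ends the load table
    return rows


def diagnose(text: str, ha_share_threshold: float = 0.9, hot_core_pct: int = 40) -> dict:
    """Classify a capture: is the received load HA2 sync, and is it stuck on one core?
    Thresholds are assumptions for this example, not PAN-OS values."""
    counters = parse_counters(text)
    pkt_recv = counters.get("pkt_recv", (0, 0))[0]
    ha_msg_recv = counters.get("ha_msg_recv", (0, 0))[0]
    ha_share = ha_msg_recv / pkt_recv if pkt_recv else 0.0

    # Average each core's load over the sample rows, then pick the busy ones.
    samples: Dict[int, List[int]] = {}
    for row in parse_cpu_load(text):
        for core, pct in row.items():
            samples.setdefault(core, []).append(pct)
    avg_load = {core: sum(v) / len(v) for core, v in samples.items()}
    hot_cores = sorted(core for core, load in avg_load.items() if load >= hot_core_pct)

    ha2_sync_dominant = ha_share >= ha_share_threshold
    return {
        "pkt_recv": pkt_recv,
        "ha_msg_recv": ha_msg_recv,
        "ha_share": round(ha_share, 4),
        "hot_cores": hot_cores,
        "ha2_sync_dominant": ha2_sync_dominant,
        # One hot core while HA2 sync dominates matches the ethernet-transport case;
        # several hot cores with the same counters is what udp transport looks like.
        "single_core_ha2": ha2_sync_dominant and len(hot_cores) == 1,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a capture saved from your own active-secondary firewall: `single_core_ha2` true means the secondary is spending one dataplane core on HA2 session sync from its peer, which is the situation this article describes. If the load is a concern, the fix named in the Cause section is to change the HA2 transport mode from ethernet to udp; in configure mode that setting lives under `deviceconfig high-availability interface ha2 transport`.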


Resolution


This behavior is expected. The active-secondary firewall must process the session synchronization its peer sends over HA2, and with the HA2 transport mode set to ethernet that processing is handled by a single dataplane core. If the load on that one core is a concern, change the HA2 transport mode to udp so that HA2 messages are distributed across multiple cores.



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HEnXCAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail