Firewall dump shows Multiple sessions as SERVER_LISTEN



Article ID: 382183


Products

VMware VeloCloud SD-WAN Edge Appliance

Issue/Introduction

The firewall dump may show sessions in the "SERVER_LISTEN" state, while the flow dump shows that the actual traffic is dropped with reason "intfrcv_tup_firewall".

 

Environment

All VeloCloud SD-WAN versions

Cause

This can be caused by incorrect TCP handshakes in the network or by abrupt application-layer closures. Below is one example, where an ACK and a RST-ACK were sent but a SYN was seen from the peer. In such scenarios, the firewall dump shows these sessions in the "server_listen" state.

The flow is dropped with reason "intfrcv_tup_firewall".

 

debug.py --flow_dump all 31.13.82.8 all
FID       SECURE  SEGID  FDSN  MAX_RECV_FDSN  FDSN_READ  LAST_LATE_FDSN        SRC_IP     DEST_IP  SRC_PORT  DEST_PORT  PROTO  DSCP  PRIORITY   APPLICATION                    APP_CLASS   TRAFFIC-TYPE   ROUTE  ROUTE-POL  LINK-POL  BIZ-POL      NH-ID  LINK-ID          FLAGS1  VERSION    SRC            ADDR              SR              DR  FLOW AGE MS  IDLE TIME MS  CBH-FLOW  DROPS   LAST_DROPPED_REASON                                                  LAST_DROPPED_PATH  BIZ_POL_FIXUP
5653862        0      1    -1             -1         -1              -1  192.168.8.54 x.x.x.x     42940        443      6     0    normal  APP_TCP(205)  APP_CLASS_OTHER_TCP_UDP(21)  transactional  Routed        N/A       N/A           a2d375e3-      N/A  0x200002000001        0  local  0x7fcbaede8530  0x7fcc7033a500  0x7fcc70322b00       145293        145293         0      1  intfrcv_tup_firewall  47:pkt_path_ipvx_fwd_via_netsched 2 10 25 26 33 38 47 51 52 59 87  
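
To triage a large flow dump for this condition, the following added example (not part of the original article or of VeloCloud tooling) lists the flows whose last drop reason is "intfrcv_tup_firewall" and counts them per destination. It assumes the first 13 columns (FID through DSCP) are always populated; the function names and the sample rows are constructed for illustration.

```python
from collections import Counter

DROP_REASON = "intfrcv_tup_firewall"  # reason string quoted in this article

# Constructed sample modelled on the flow dump above: middle columns trimmed,
# documentation-range addresses, and the trailing columns of the non-dropped
# row (FID 1003) are an assumption.
SAMPLE = """\
FID SECURE SEGID FDSN MAX_RECV_FDSN FDSN_READ LAST_LATE_FDSN SRC_IP DEST_IP SRC_PORT DEST_PORT PROTO DSCP PRIORITY APPLICATION FLOW_AGE_MS IDLE_TIME_MS CBH-FLOW DROPS LAST_DROPPED_REASON LAST_DROPPED_PATH
1001 0 1 -1 -1 -1 -1 192.168.8.54 203.0.113.8 42940 443 6 0 normal APP_TCP(205) 145293 145293 0 1 intfrcv_tup_firewall 47:pkt_path_ipvx_fwd_via_netsched
1002 0 1 -1 -1 -1 -1 192.168.8.54 203.0.113.8 42952 443 6 0 normal APP_TCP(205) 98211 98211 0 3 intfrcv_tup_firewall 47:pkt_path_ipvx_fwd_via_netsched
1003 0 1 12 12 12 -1 192.168.8.60 198.51.100.20 51514 443 6 0 normal APP_TCP(205) 5021 12 0 0
"""


def parse_firewall_drops(dump_text, reason=DROP_REASON):
    """Return one dict per flow row whose drop reason equals `reason`."""
    hits = []
    for line in dump_text.splitlines():
        tok = line.split()
        # Skip the header, blank lines and rows without the drop reason.
        if len(tok) < 13 or not tok[0].isdigit() or reason not in tok:
            continue
        # Later columns can be blank, so find the reason by value; the
        # DROPS counter is the token immediately before it.
        drops = tok[tok.index(reason) - 1]
        hits.append({
            "fid": int(tok[0]),
            "src": f"{tok[7]}:{tok[9]}",
            "dst": f"{tok[8]}:{tok[10]}",
            "proto": int(tok[11]) if tok[11].isdigit() else None,
            "drops": int(drops) if drops.isdigit() else None,
        })
    return hits


def summarize_by_destination(hits):
    """Count dropped TCP flows (PROTO 6) per destination ip:port."""
    return Counter(h["dst"] for h in hits if h["proto"] == 6)


if __name__ == "__main__":
    flows = parse_firewall_drops(SAMPLE)
    for dst, count in summarize_by_destination(flows).most_common():
        print(f"{dst}: {count} flow(s) dropped with {DROP_REASON}")
```

Many dropped flows toward the same destination point at one peer or application that is not completing handshakes, which is where a packet capture is most useful.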

 

Resolution

This behavior is expected, since the firewall expects a proper TCP 3-way handshake.