diff --git a/changelog/12339.txt b/changelog/12339.txt
new file mode 100644
index 0000000000000..b82044e124973
--- /dev/null
+++ b/changelog/12339.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core (enterprise): Only delete quotas on primary cluster.
+```
diff --git a/vault/auth.go b/vault/auth.go
index fc92f1300aef5..bb1d950a24f25 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -339,10 +339,12 @@ func (c *Core) disableCredentialInternal(ctx context.Context, path string, updat
 
 	removePathCheckers(c, entry, viewPath)
 
-	if c.quotaManager != nil {
-		if err := c.quotaManager.HandleBackendDisabling(ctx, ns.Path, path); err != nil {
-			c.logger.Error("failed to update quotas after disabling auth", "path", path, "error", err)
-			return err
+	if !c.IsPerfSecondary() {
+		if c.quotaManager != nil {
+			if err := c.quotaManager.HandleBackendDisabling(ctx, ns.Path, path); err != nil {
+				c.logger.Error("failed to update quotas after disabling auth", "path", path, "error", err)
+				return err
+			}
 		}
 	}
 
diff --git a/vault/quotas/quotas.go b/vault/quotas/quotas.go
index 68cc72f9f4297..99dc80e621d72 100644
--- a/vault/quotas/quotas.go
+++ b/vault/quotas/quotas.go
@@ -765,7 +765,7 @@ func (m *Manager) Invalidate(key string) {
 	default:
 		splitKeys := strings.Split(key, "/")
 		if len(splitKeys) != 2 {
-			m.logger.Error("incorrect key while invalidating quota rule")
+			m.logger.Error("incorrect key while invalidating quota rule", "key", key)
 			return
 		}
 		qType := splitKeys[0]
@@ -987,7 +987,8 @@ func (m *Manager) HandleRemount(ctx context.Context, nsPath, fromPath, toPath st
 }
 
 // HandleBackendDisabling updates the quota subsystem with the disabling of auth
-// or secret engine disabling.
+// or secret engine disabling. This should only be called on the primary cluster
+// node.
 func (m *Manager) HandleBackendDisabling(ctx context.Context, nsPath, mountPath string) error {
 	m.lock.Lock()
 	defer m.lock.Unlock()