No Connectivity Shortly After Getting IP Address from DHCP Server
Resolution
Symptoms
Users on workstations that recently got an IP address from the DHCP server aren't able to use the internet. After a period of time, connectivity gets established and users can now access the internet
Issue
Palo Alto Networks firewalls can handle a fixed number of ARP entries in the table. Connections from workstations that cannot be added to the ARP table because the maximum has been reached will be dropped. As entries expire, those workstations will be added to the table and connectivity will be established.
Running the command show arp all confirms that the maximum number of ARP entries has been reached (as per below)
maximum of entries supported : 500
default timeout: 1800 seconds
total ARP entries in table : 500
total ARP entries shown : 500
Resolution
The first step towards fixing this issue is to clear the ARP table with the command clear arp all, and monitor the size of the ARP table. If it remains stable at a value lower than the maximum, the issue was related to invalid ARP entries in the firewall's table.
If after a period of time the number of entries reaches the maximum again, a few resolution options can be considered
- Add a router or routers to the topology. This will hide the MAC addresses of workstations behind that router and only require a single entry in the firewall's ARP table
- Upgrade the firewall platform for a model. More hardware resources allows the firewall to use more memory for the ARP table which in turn increases the number of entries that are kept in memory.
Here is a list of firewall models and the maximum number of ARP entries it can handle.
| Firewall Model | ARP Table Capacity | MAC Address Capacity |
|---|---|---|
| PA-200 & PA-500 | 500 | 500 |
| PA-2020 | 1,000 | 1,000 |
| PA-2050 | 2,500 | 2,500 |
| PA-4020 | 10,000 | 10,000 |
| PA-4050 & PA-4060 | 20,000 | 22,000 |
| PA-5020 | 20,000 | 20,000 |
| PA-5050 & PA-5060 | 32,000 | 32,000 |
owner: apasupulati