PA500 arp cache limit reached - any ideas?



I have 2 PA500 firewalls running in an active/passive HA setup. The firewalls are fully integrated into Active Directory using the Identification client for security policies. All clients on the network are set to use our core switch as their default gateway, and the switch has a route set so it uses the firewall's IP as its gateway. The problem is the PA500 has a hard limit of 500 ARP table entries and we have a lot more than 500 network devices on the network, so when the firewall reaches its 500 ARP limit no more devices can connect to the internet. The only way I have found to try and allow other clients is to clear the ARP tables on the firewalls, but this causes other clients to have no internet connectivity. Does anyone have any ideas on how I can resolve this without upgrading to the larger firewalls?




L5 Sessionator

Check the Destination NAT rules, if they have been configured with the entire subnet.

Try removing the interfaces from the static route config, just keeping the next-hop as an IP address.

