Problems when changing IP address of trusted networks' interface


I ran into a bit of a nasty problem last week. I am trying to bring my new PA-500 up and in my testing I specified that my trusted network's IP address was I could see everything on the trusted network, including a wireless controller as well as any other address on the network. I could ping devices, display MAC addresses via ARP...and the holy of all holies, get out to the internet. When it was time to promote my PA-500 into production, I needed to change the address to because our wireless controller contains a captive portal our guests must view in order to agree to our AUP. At that point, the wireless controller was supposed to redirect the traffic over to the default gateway for our trusted network. Pretty typical, eh? By the way, the PA-500 was also configured to be a DHCP server.

Well, the captive portal page from our wireless controller never displayed after changing the address to .1. I changed the DHCP information to provide a default gateway of .1 and that didn't help. I could not ping anything on the trusted network. And of course I could not get out to the internet. After several attempts to get this to work, I plugged back in my old firewall and everything was happy. I could ping other devices on the network and the captive portal worked wonderfully.

What did I miss? What could I have done wrong?

TIA for your help!


L4 Transporter

It sounds like the devices (Switch) which were connecting to PAN had the old IP address associated with the MAC of the PAN. Did you get a chance to verify this? I would suggest to clear ARP on all upstream and downstream devices which the PAN is connected to when the IP address is changed. Hope this helps.


I could see where that might affect the wireless controller. I had a suspicion that something was getting stuck in an ARP table. I will try that and let you know. Thanks.

That's correct. If the PAN assumed the .1 IP of the previous FW, then ARP (at least associated with the .1 IP/MAC-Address) would need to be cleared on all upstream & downstream devices.
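
As an added example (not part of the original thread or any Palo Alto Networks tooling), the stale-ARP check described in the replies above can be scripted by collecting `arp -an` or `ip neigh show` output from each neighboring device and comparing the cached MAC for the gateway IP against the new firewall's MAC. The host names, the 192.0.2.1 gateway address, and the MAC addresses are constructed placeholders.

```python
import re

# `arp -an` line:       ? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0
ARP_AN = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")
# `ip neigh show` line: 192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 STALE
IP_NEIGH = re.compile(r"^(?P<ip>[\d.]+) .*lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_neighbors(text):
    """Return {ip: mac} from `arp -an` or `ip neigh show` output.

    Incomplete or FAILED entries carry no MAC and are skipped.
    """
    table = {}
    for line in text.splitlines():
        m = ARP_AN.search(line) or IP_NEIGH.search(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def audit_gateway(snapshots, gateway_ip, expected_mac):
    """Classify each host's cached binding for gateway_ip."""
    expected_mac = expected_mac.lower()
    report = {}
    for host, text in snapshots.items():
        mac = parse_neighbors(text).get(gateway_ip)
        if mac is None:
            report[host] = "no-entry"       # resolves fresh on the next ARP request
        elif mac == expected_mac:
            report[host] = "ok"
        else:
            report[host] = f"stale:{mac}"   # still bound to another MAC; clear it
    return report


# Constructed sample data: old firewall MAC ends in :01, new firewall in :02.
NEW_FW_MAC = "00:00:5E:00:53:02"
SNAPSHOTS = {
    "wireless-controller": "? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0\n"
                           "? (192.0.2.20) at 00:00:5e:00:53:20 [ether] on eth0",
    "core-switch": "192.0.2.1 dev vlan10 lladdr 00:00:5E:00:53:02 REACHABLE",
    "guest-laptop": "? (192.0.2.1) at <incomplete> on wlan0",
}

if __name__ == "__main__":
    for host, status in audit_gateway(SNAPSHOTS, "192.0.2.1", NEW_FW_MAC).items():
        print(f"{host:20} {status}")
```

Any host reported as `stale:` is still sending gateway traffic to the previous device's MAC until its entry is cleared or ages out.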
