For details on cookie usage on our site, read our Privacy Policy
IP Sec VPN Paloalto - Starlink
- LIVEcommunity
- Discussions
- General Topics
- IP Sec VPN Paloalto - Starlink
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
IP Sec VPN Paloalto - Starlink
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-27-2023 09:16 AM
I'm testing Starlink business and having issues passing traffic over my tunnel. This remote site connects to our data center via an IPsec tunnel. I can get the tunnel up and traceroute to the remote side of the tunnel, but I'm unable to pass traffic. I have "Enable NAT Traversal" selected on my IKE Gateway. The Starlink is set to IP passthrough.
Any help would be appreciated.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-27-2023 11:23 AM
If you can traceroute to other side over the tunnel it means that some traffic does cross the tunnel successfully right?
Palo Alto Networks certified from 2011
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2023 01:33 PM
Yes, I agree, however, I'm unable to ping the management interface of the PA-220. Also from the remote side, I can't ping the gateway that is on the PA-220 for any of my vlans and my Cisco phones do not register.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-28-2023 05:59 PM
Both sides have Palo?
Do you have access to firewalls on both side?
Palo Alto Networks certified from 2011
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-29-2023 08:31 AM
Yes, both sides have Palo Altos. When I'm on-site I have access to both firewalls. I have to unplug the Starlink cable to keep my other tunnel running.
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-29-2023 08:47 AM - edited 03-29-2023 08:48 AM
Check firewall policies on both sides if they permit traffic to/from tunnel zone.
Can you share screenshot of working and not working traffic log from both sides and have at least those columns visible.
Palo Alto Networks certified from 2011
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-04-2023 09:30 AM
Thank you for your response. Both sides have policies that permit traffic to/from the tunnel zone. I have another circuit that works with no issues at this site. However, when getting the screenshots you requested I noticed that on Starlink most of the traffic goes Interzone-default policy and is denied.
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-04-2023 02:37 PM
Hello,
Do you have policies in place to allow the traffic to flow via the tunnel? Also how is the 'default', 0.0.0.0/0 route getting advertised on the 'remote' side, or is it a static route?
Regards,
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-04-2023 02:39 PM
Hello,
Sorry I didnt see the traffic screen shots before. But it looks like there are missing policies so the traffic is hitting the 'default' policies.
Regards,
- Is there a newer eval than 10.0.4? in VM-Series in the Private Cloud
- Trigger a usecase by sending an email to an email address (Dedicated) owned by Paloalto in Cortex XSOAR Discussions
- CLI guide needed for Paloalto FW in General Topics
- one of the user unable to receive E mail from Paloalto in General Topics
- Need help to achieve IPsec VPN failover between Paloalto to Meraki in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
