FortiGate
Keerthi_A
Staff
Article Id 265748
Description

This article describes how to configure one VIP that only a specific source IP can use, while all other source IPs are mapped through a different VIP, with both VIPs sharing the same external IP.

Scope
FortiGate.
Solution

IP schema used in this example:

VIP1:
External IP: 10.1.1.2
Map to IPv4 address: 10.177.6.18
Source address: 10.170.7.232/32

VIP2:
External IP: 10.1.1.2
Map to IPv4 address: 10.177.6.19

 

Configure VIP1 as below with a specific source IP address:

[Screenshot: Keerthi_A_0-1690358360455.png]

Configure VIP2 as below without any optional filters:

[Screenshot: Keerthi_A_1-1690358360468.png]


The source address in the optional filter can also be added from the CLI as follows.

CLI:

config firewall vip
    edit "<VIP>"
        set src-filter "10.170.7.232/32" <--
        set extip 10.1.1.2
        set mappedip "10.177.6.18"
        set extintf "any"
    next
end

Important Note: The VIP with the specific source IP filter must be placed above the unfiltered VIP in the VIP list, because VIP entries are evaluated top-down and the first match wins.

 

If the VIP entries are already configured, change the VIP order from the CLI with the following commands:

config firewall vip
    move <VIP NAME> [before/after] <VIP NAME>
end
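To make the ordering rule concrete, here is an added Python model of top-down VIP selection using the article's addresses. It is not FortiOS code and simplifies matching to extip plus src-filter (interface and port forwarding are ignored); the shadowed_vips() lint flags a filtered VIP that can never match because an unfiltered VIP on the same external IP sits above it.

```python
import ipaddress

# Constructed VIP table mirroring the article's schema (not a FortiGate export).
# FortiOS evaluates VIPs top-down: the first entry that matches wins.
VIPS = [
    {"name": "VIP1", "extip": "10.1.1.2", "mappedip": "10.177.6.18",
     "src_filter": ["10.170.7.232/32"]},          # optional filter set
    {"name": "VIP2", "extip": "10.1.1.2", "mappedip": "10.177.6.19",
     "src_filter": []},                           # no filter: any source
]

def vip_matches(vip, src_ip, dst_ip):
    """Simplified match: extip must equal the destination and, when a
    src-filter is set, the source must fall inside one of its entries."""
    if vip["extip"] != dst_ip:
        return False
    if not vip["src_filter"]:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(n, strict=False)
               for n in vip["src_filter"])

def select_vip(vips, src_ip, dst_ip):
    """Top-down evaluation: return the first matching VIP, or None."""
    for vip in vips:
        if vip_matches(vip, src_ip, dst_ip):
            return vip
    return None

def shadowed_vips(vips):
    """Lint: a filtered VIP listed below an unfiltered VIP on the same
    extip can never match. Returns the names of such VIPs."""
    open_extips = set()
    shadowed = []
    for vip in vips:
        if not vip["src_filter"]:
            open_extips.add(vip["extip"])
        elif vip["extip"] in open_extips:
            shadowed.append(vip["name"])
    return shadowed

if __name__ == "__main__":
    for src in ("10.170.7.232", "10.170.6.18"):
        hit = select_vip(VIPS, src, "10.1.1.2")
        print(src, "->", hit["name"], hit["mappedip"])
    print("shadowed with reversed order:", shadowed_vips(VIPS[::-1]))
```

Running the lint against a reversed table is the quickest way to see why the "move ... before" step matters: VIP1 is reported as unreachable and the filtered source lands on VIP2.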

 

Configure the firewall policies as required:

[Screenshot: Keerthi_A_2-1690358360480.png]

 

Verification:

When accessing from the filtered source IP (10.170.7.232):

Debug flow:

id=65308 trace_id=31 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.7.232:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=31."
id=65308 trace_id=31 func=init_ip_session_common line=6047 msg="allocate a new session-0000816d, tun_id=10.5.23.225"
id=65308 trace_id=31 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.18, port-0(fixed port)"
id=65308 trace_id=31 func=fw_pre_route_handler line=185 msg="VIP-10.177.6.18:1, outdev-unknown"
id=65308 trace_id=31 func=__ip_session_run_tuple line=3448 msg="DNAT 10.1.1.2:8->10.177.6.18:1"
id=65308 trace_id=31 func=__vf_ip_route_input_rcu line=1994 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=31 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=37, len=3"
id=65308 trace_id=31 func=fw_forward_handler line=1009 msg="Allowed by Policy-7:"

When accessing from any source IP other than 10.170.7.232:

Debug flow:


id=65308 trace_id=33 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.6.18:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=17."
id=65308 trace_id=33 func=init_ip_session_common line=6047 msg="allocate a new session-000096c9, tun_id=10.5.23.225"
id=65308 trace_id=33 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.19, port-0(fixed port)"
id=65308 trace_id=33 func=fw_pre_route_handler line=185 msg="VIP-10.177.6.19:1, outdev-unknown"
id=65308 trace_id=33 func=__ip_session_run_tuple line=3448 msg="DNAT 10.1.1.2:8->10.177.6.19:1"
id=65308 trace_id=33 func=__vf_ip_route_input_rcu line=1994 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=33 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=37, len=3"
id=65308 trace_id=33 func=fw_forward_handler line=1009 msg="Allowed by Policy-8:"
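To confirm from the debug flow which VIP actually handled each trace, here is an added Python parser over the two traces above (an added example, not part of the article or of FortiOS). The regexes assume the message layout shown in this output; check_expected() reports any trace whose DNAT target is not the one the src-filter configuration should have produced for its source.

```python
import re
from collections import defaultdict

# Debug flow lines copied from the article's verification output (traces 31 and 33).
DEBUG_FLOW = """\
id=65308 trace_id=31 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.7.232:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=31."
id=65308 trace_id=31 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.18, port-0(fixed port)"
id=65308 trace_id=31 func=fw_forward_handler line=1009 msg="Allowed by Policy-7:"
id=65308 trace_id=33 func=print_pkt_detail line=5861 msg="vd-root:0 received a packet(proto=1, 10.170.6.18:1->10.1.1.2:2048) tun_id=10.5.23.225 from ipsec. type=8, code=0, id=1, seq=17."
id=65308 trace_id=33 func=get_new_addr line=1249 msg="find DNAT: IP-10.177.6.19, port-0(fixed port)"
id=65308 trace_id=33 func=fw_forward_handler line=1009 msg="Allowed by Policy-8:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\w+) .*msg="(.*)"')
PKT_RE = re.compile(r'\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')
DNAT_RE = re.compile(r'find DNAT: IP-([\d.]+)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

def parse_traces(text):
    """Group lines by trace_id and record source, destination, DNAT target
    and the accepting policy ID for each trace."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces[tid]
        if func == "print_pkt_detail" and (pm := PKT_RE.search(msg)):
            t["src"], t["dst"] = pm.groups()
        elif func == "get_new_addr" and (dm := DNAT_RE.search(msg)):
            t["dnat"] = dm.group(1)
        elif func == "fw_forward_handler" and (fm := POLICY_RE.search(msg)):
            t["policy"] = int(fm.group(1))
    return dict(traces)

def check_expected(traces, filtered_src, filtered_target, default_target):
    """Return trace_ids whose DNAT target is not the one the src-filter
    configuration should produce for that trace's source address."""
    return [tid for tid, t in traces.items()
            if t.get("dnat") != (filtered_target if t.get("src") == filtered_src
                                 else default_target)]
```

Feed it the output of the troubleshooting commands below and an empty result from check_expected() means every traced session was translated by the intended VIP.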

 

The same behavior applies when the external IP is the same but the interface is different, because Virtual IPs are evaluated in a top-down approach:

 

Two Virtual IPs mapping the same external IP to two different interfaces:

[Screenshot: Overlap_virtual_ip.PNG]

In Overlap-vip, the following source filter is applied:

[Screenshot: overlap_virtual_ip_config.PNG]

Firewall Policy for the overlapping Virtual IP:

[Screenshot: overlap_virtual_ip_policy.PNG]


Debug flow example of Overlap-vip being matched:


id=65308 trace_id=16 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=6, 10.240.240.1:14857->172.16.1.254:3389) tun_id=10.10.10.2 from HQ-ADVPN. flag [S], seq 2589991994, ack 0, win 65535"
id=65308 trace_id=16 func=ipsec_spoofed4 line=243 msg="src ip 10.240.240.1 match selector 0 range 0.0.0.0-255.255.255.255"
id=65308 trace_id=16 func=init_ip_session_common line=6110 msg="allocate a new session-000023b8"
id=65308 trace_id=16 func=get_new_addr line=1274 msg="find DNAT: IP-10.0.1.1, port-3389"
id=65308 trace_id=16 func=fw_pre_route_handler line=191 msg="VIP-10.0.1.1:3389, outdev-HQ-ADVPN"
id=65308 trace_id=16 func=__ip_session_run_tuple line=3474 msg="DNAT 172.16.1.254:3389->10.0.1.1:3389"
id=65308 trace_id=16 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=16 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=5, len=2"
id=65308 trace_id=16 func=fw_forward_handler line=998 msg="Allowed by Policy-4:"

 

Debug flow example of Overlap-vip2 being matched:

 

HQ-FW # id=65308 trace_id=31 func=print_pkt_detail line=5920 msg="vd-root:0 received a packet(proto=6, 10.255.255.1:19033->172.16.1.254:3389) tun_id=11.11.11.2 from HQ-ADVPN2. flag [S], seq 1381208464, ack 0, win 65535"
id=65308 trace_id=31 func=ipsec_spoofed4 line=243 msg="src ip 10.255.255.1 match selector 0 range 0.0.0.0-255.255.255.255"
id=65308 trace_id=31 func=init_ip_session_common line=6110 msg="allocate a new session-000027cf"
id=65308 trace_id=31 func=get_new_addr line=1274 msg="find DNAT: IP-10.0.1.2, port-3389"
id=65308 trace_id=31 func=fw_pre_route_handler line=191 msg="VIP-10.0.1.2:3389, outdev-HQ-ADVPN2"
id=65308 trace_id=31 func=__ip_session_run_tuple line=3474 msg="DNAT 172.16.1.254:3389->10.0.1.2:3389"
id=65308 trace_id=31 func=__vf_ip_route_input_rcu line=1988 msg="find a route: flag=00000000 gw-0.0.0.0 via port3"
id=65308 trace_id=31 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=13, len=2"
id=65308 trace_id=31 func=fw_forward_handler line=998 msg="Allowed by Policy-4:"

 

Troubleshooting:

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x   <- x.x.x.x is the source IP from which the VIP is being accessed.
diagnose debug flow trace start 255
diagnose debug enable

Once traffic is initiated and the issue is reproduced, stop the debug with the following commands:

diagnose debug disable
diagnose debug reset

Related article:

Technical Tip: Limiting VIP access from specific sources.