Backend server doesn't talk to its own VIP - asymmetric routing

Hi,

 

We are running a standard load balancing setup - one external and one internal interface with tagged VLANs on each interface.

 

• The VIP lives on external side.
• The VIP uses a SNAT pool to translate the source IP to predefined SNAT IP.
• All backend servers are living behind internal interface.
• There are firewalls on each side of LTMs.
• There is a static route entry on the LTM to route the packets across the internal interface if the destination IP belongs to backend server subnet.

This is a working setup and we have no problem with it. The problem occurred just lately, when we got a request, to allow the backend server to communicate with its own VIP. As an explanation was given the fact, that there are several different services running on the same backend servers and one app needs to reach the other app, but through the VIP (instead of localhost) because of high availability.

 

In our topology this cannot work because of the static route we have on the LTM for the backend subnet.

 

• When the server connects to VIP, it will arrive on LTMs external interface through external firewall.
• LTM performs the SNAT and send the packet to the same backend server through the internal interface. Remember there are firewalls in between.
• Now the returning packet would arrive back to LTM through internal interface
• LTM would revert the SNAT, but also it would revert the destination IP, which will become the IP of the backend server.
• And because of the static route, the packet will be send out across internal interface, instead of external one.

So if I am assuming correctly, TCP SYN, SYN ACK should somehow make it through, but last ACK would get blocked on external firewall because that firewall did not see SYN ACK, hence will assume an incomplete 3 way handshake and block the traffic.

 

Do you have any idea how I can achieve to allow backend server to talk to its own VIP?

 

Thanks. Martin