Forum Discussion
SNAT POOL AUTOMAP ISSUE
Hi Nick, I understood it is a single-arm LB setup where your backend servers are not behind the LB.
In this setup, you should enable SNAT to achieve the symmetric traffic flow as shown below.
Assuming the server's gateway is your L3 device, which has the internet connection:
Forward Path
End client-->Internet-->L3 Device-->Loadbalancer--->L3 Device-->Backend server
Reverse Path
Backend server-->L3 Device-->Loadbalancer-->L3 Device-->Internet-->End Client
If SNAT is not enabled, the traffic flow will be asymmetric as shown below:
Forward Path
End client-->Internet-->L3 Device-->Loadbalancer--->L3 Device-->Backend server
Reverse Path
Backend server-->L3 Device-->Internet-->End Client
The traffic flow should be symmetric so that the load balancer and firewall can control and process the traffic completely.
So, in the single-arm setup (if the server gateway is not the LB), please enable SNAT (Automap).
It will solve your issues.
Function of SNAT
If SNAT is enabled on the LB, the source IP of client requests in the TCP/HTTP header is changed to the interface IP of the load balancer through which the backend servers are routed (obviously only one production NIC in a single-arm setup).
Since the source IP of the LB-to-backend-server communication will be the load balancer's interface IP, the response traffic from the server will get back to the load balancer. The load balancer will then process the traffic and respond back to the end client.
If SNAT is not enabled, the response traffic is not processed at the LB, and hence the connection fails.
If there is a firewall as your WAN L3 device, it will also drop asymmetric connections, since its behavior is to drop asymmetric connections by default.
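The forward/reverse paths described in this reply, modelled as an added example (not code from the thread or from F5): the L3 device routes purely on destination IP, the server answers whoever appears as the request source, and a stateful WAN firewall only passes a reply that reverses a flow it already saw. All addresses are constructed sample values.

```python
from dataclasses import dataclass

# Constructed example addresses (assumptions, not values from the thread).
CLIENT, VIP, LB_SELF, SERVER = "203.0.113.10", "198.51.100.5", "10.0.1.2", "10.0.1.20"
SERVER_SUBNET = "10.0.1."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def lb_forward(pkt: Packet, snat_automap: bool) -> Packet:
    """LB translates VIP -> server; with SNAT Automap it also rewrites the source
    to its own self IP on the NIC facing the servers."""
    return Packet(LB_SELF if snat_automap else pkt.src, SERVER)

def lb_reverse(pkt: Packet) -> Packet:
    """LB matches a reply it actually receives against its connection table and
    restores the VIP as source before sending it back towards the client."""
    return Packet(VIP, CLIENT)

def l3_next_hop(pkt: Packet) -> str:
    """Gateway routes on destination only: LB self IP, local subnet, or Internet."""
    if pkt.dst == LB_SELF:
        return "lb"
    return "server-subnet" if pkt.dst.startswith(SERVER_SUBNET) else "internet"

def reply_path(snat_automap: bool) -> list[str]:
    """Return the hops the server's reply traverses for one client request."""
    request = Packet(CLIENT, VIP)
    firewall_flows = {(request.src, request.dst)}   # WAN firewall saw client -> VIP
    to_server = lb_forward(request, snat_automap)
    reply = Packet(to_server.dst, to_server.src)    # server replies to request source
    hops = ["server", "l3"]
    if l3_next_hop(reply) == "lb":                   # only with SNAT: reply reaches LB
        reply = lb_reverse(reply)
        hops += ["lb", "l3"]
    # Stateful firewall passes the reply only if it reverses a known flow.
    if (reply.dst, reply.src) in firewall_flows:
        hops += ["firewall", "internet", "client"]
    else:
        hops += ["firewall:DROP(asymmetric)"]       # reply came from SERVER, not VIP
    return hops
```

With SNAT the reply is symmetric and reaches the client; without it the reply bypasses the LB and is dropped at the firewall as an asymmetric flow.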