ip_conntrack_max table full dropping packets

If you see this message in syslog, the connection tracking table is too small for your environment. Connection tracking (ip_conntrack on older kernels, nf_conntrack from 2.6.20 on) keeps one entry per flow it has seen and refuses new flows, dropping their packets, once the number of entries reaches ip_conntrack_max. The default limit is derived from the amount of RAM the kernel finds at boot, not from the traffic the box actually carries, which is why a small firewall in front of many clients hits it.

Some symptoms can be:

  • Slow web-interface, or cannot connect at all to web interface
  • Slowing transfer of data, e.g. browsing, after a reboot
  • Not responding to ping

When this slowdown occurs and the machine answers neither pings nor web-interface requests, you can still see what is going on: log in on the console and check whether the table is being filled by TCP or UDP connections. (On kernels that use nf_conntrack instead of ip_conntrack, read /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack instead; the line format is the same apart from a leading address-family prefix such as 'ipv4 2', so grep for ' tcp ' rather than '^tcp'.)
From the console:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
4096
# grep -c ^tcp /proc/net/ip_conntrack
3693
# grep -c ^udp /proc/net/ip_conntrack
115

You may also view syslog messages:

# cat /var/log/messages

  1. At first you will see isolated 'table full, dropping packet.' lines, each followed by a 'messages suppressed.' line, because the kernel rate-limits this message.
  2. Once the table stays full, the log fills with lines like these:

kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 15 messages suppressed.
kernel: ip_conntrack: table full, dropping packet.
kernel: NET: 12 messages suppressed.

You can easily raise the maximum number of tracked connections, but be aware that each tracked connection costs roughly 350 bytes of non-swappable kernel memory, so size the limit against the RAM you have rather than picking a large round number. Two caveats before you do:

  • Raising the limit alone makes every lookup slower, because the hash table that indexes the entries does not grow with it. The old ip_conntrack module sizes that table with its hashsize parameter (and sets the default limit to 8 times the bucket count); on nf_conntrack kernels the bucket count is exposed as net.netfilter.nf_conntrack_buckets (the module's hashsize parameter on older ones). Keep the bucket count at about a quarter to an eighth of the limit.
  • A full table is also what a SYN or UDP flood looks like from the inside: unreplied entries pile up until packets from legitimate clients are dropped. Look at what is actually filling the table before raising the limit. If it is half-open connections or long-idle sessions, lowering the relevant timeouts (the established TCP timeout defaults to 432000 seconds, i.e. five days) or exempting flows that need no state with a NOTRACK rule in the raw table does more good than a bigger table.

To increase this limit to e.g. 12000, type:

sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000

To make the setting survive a reboot, also add the following line to /etc/sysctl.conf and apply it with sysctl -p:

net.ipv4.netfilter.ip_conntrack_max=12000

To see how many entries the table currently holds (one line per tracked connection):

# wc -l /proc/net/ip_conntrack

Output:

5000 /proc/net/ip_conntrack
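The checks above tell you that the table is full, not why. The script below is an added example (not from the original article) that summarises a conntrack dump by protocol, TCP state and source address, so a flood from one host or a pile of unreplied half-open connections stands out before you decide to raise the limit. It understands both the legacy /proc/net/ip_conntrack line format and the nf_conntrack format with its leading address-family prefix. The sample table embedded at the end is constructed (RFC 5737 documentation addresses) for running it on a machine without conntrack, and the 90% pressure threshold is an assumption, not a kernel constant.

```shell
#!/bin/sh
# Added example; not part of the original article. Summarises a conntrack
# table dump so that a "table full" event can be attributed (one source
# holding most entries, many UNREPLIED SYN_SENT entries, long-lived
# ESTABLISHED entries) instead of only being raised past.

# Print the live table from whichever file this kernel exposes.
conntrack_table() {
    if [ -r /proc/net/nf_conntrack ]; then
        cat /proc/net/nf_conntrack
    elif [ -r /proc/net/ip_conntrack ]; then
        cat /proc/net/ip_conntrack
    fi
}

# Read a table dump on stdin and print three kinds of summary lines:
#   proto <name> <count>    entries per L4 protocol
#   state <STATE> <count>   TCP entries per connection state
#   src <address> <count>   entries per original-direction source address
# Within each kind the largest counts come first.
conntrack_summary() {
    awk '
    {
        # nf_conntrack lines start "ipv4 2 tcp ..."; legacy lines start "tcp ..."
        off = ($1 == "ipv4" || $1 == "ipv6") ? 3 : 1
        proto = $off
        proto_count[proto]++
        # for TCP the state token follows the protocol number and timeout
        if (proto == "tcp") state_count[$(off + 3)]++
        # the first src= field is the original direction of the flow
        for (i = off; i <= NF; i++)
            if ($i ~ /^src=/) { split($i, kv, "="); src_count[kv[2]]++; break }
    }
    END {
        for (p in proto_count) printf "proto %s %d\n", p, proto_count[p]
        for (s in state_count) printf "state %s %d\n", s, state_count[s]
        for (a in src_count) printf "src %s %d\n", a, src_count[a]
    }' | sort -k1,1 -k3,3nr
}

# top_source: the address holding the most entries in a dump read on stdin.
top_source() {
    conntrack_summary | awk '$1 == "src" { print $2; exit }'
}

# conntrack_pressure MAX USED: succeed (exit 0) when the table is at or above
# 90% of its limit (assumed alerting threshold), where a burst starts dropping.
conntrack_pressure() {
    [ $(( $2 * 100 / $1 )) -ge 90 ]
}

# Constructed sample dump: four legacy-format lines plus one nf_conntrack line.
# 198.51.100.7 holds three half-open (UNREPLIED SYN_SENT) entries.
SAMPLE_TABLE='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=40001 dport=443 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=443 dport=40001 use=1
tcp      6 118 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=40002 dport=443 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=443 dport=40002 use=1
ipv4     2 tcp      6 119 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=40003 dport=443 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=443 dport=40003 use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=53422 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=53422 use=1'

# Usage: "sh conntrack_summary.sh --sample" summarises the constructed table;
# "sh conntrack_summary.sh --live" summarises the running kernel's table.
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_TABLE" | conntrack_summary ;;
    --live)   conntrack_table | conntrack_summary ;;
esac
```

On a live box, pair the summary with the limit: if conntrack_pressure reports the table near its limit and the summary shows one source or one TCP state dominating, you are looking at a flood or at stale sessions, and the fix is a shorter timeout or a NOTRACK rule for that traffic; if the entries are spread evenly across many real clients in ESTABLISHED, the limit really is too small and raising it (together with the bucket count) is the right call.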
