ip_conntrack: table full, dropping packet

Article ID: 116
by: Reese K.
Posted: 18 Jul, 2013
Last updated: 19 Jul, 2013
Views: 1810

At one point, there was a high call volume into our support center from customers complaining about severe lag.  One common denominator was that the customers who called in all happened to reside on the same server, so investigation into the matter focused on that one particular system.

The server's load average was really low and it had plenty of free RAM, yet connectivity to customers' hosted websites was lagging.  After running dmesg, I noticed "ip_conntrack: table full, dropping packet".  After observing netstat -an for a bit, it was clear the server was being used to send SPAM.  After blocking the connections and securing the customers' SMTP passwords, the counts came down and the lag ceased.

Either of the following commands shows the maximum value of this kernel parameter:

/sbin/sysctl net.ipv4.ip_conntrack_max

or

cat /proc/sys/net/ipv4/ip_conntrack_max

To see how many conntrack entries are in use at present:

wc -l /proc/net/ip_conntrack

or

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

The setting can be adjusted; to make the change permanent, append the line to /etc/sysctl.conf and reload the file with sysctl -p.  In this example, the max setting is increased to 65535.

echo "net.ipv4.ip_conntrack_max = 65535" >> /etc/sysctl.conf
/sbin/sysctl -p

To increase it temporarily (not persistent across reboots):

echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max
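The two checks the article walks through by hand (how full the table is, and which connections are filling it, which is what the netstat -an observation revealed) can be scripted so the condition is caught before dmesg starts reporting dropped packets. The script below is an added example, not part of the original article. It assumes the legacy ip_conntrack file names used above; on kernels that use the nf_conntrack module the same data lives in /proc/sys/net/netfilter/nf_conntrack_count, /proc/sys/net/netfilter/nf_conntrack_max and /proc/net/nf_conntrack, and the functions take the paths as arguments so either set can be passed in. The table lines at the bottom are constructed sample data in the /proc/net/ip_conntrack format, not output captured from the server in the article.

```shell
#!/bin/sh
# Added example (not from the original article): report conntrack table
# utilization and summarize which source addresses hold the most entries.
# All functions take the /proc paths as arguments, so the legacy
# ip_conntrack names or the newer nf_conntrack names can be used.

# conntrack_usage_pct COUNT_FILE MAX_FILE -> prints integer percent in use
conntrack_usage_pct() {
    count=$(cat "$1")
    max=$(cat "$2")
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_state COUNT_FILE MAX_FILE WARN_PCT -> "OK nn%" or "WARN nn%"
conntrack_state() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN ${pct}%"
    else
        echo "OK ${pct}%"
    fi
}

# top_conntrack_sources TABLE_FILE N -> "count ip" lines for the N sources
# with the most entries (original-direction src=, the first one on a line)
top_conntrack_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^src=/) { print substr($i, 5); break } }' "$1" \
        | sort | uniq -c | sort -rn | head -n "$2"
}

# busiest_conntrack_source TABLE_FILE -> just the IP with the most entries
busiest_conntrack_source() {
    top_conntrack_sources "$1" 1 | awk '{ print $2 }'
}

# count_conntrack_dport TABLE_FILE PORT -> number of original-direction
# entries whose destination port is PORT (e.g. 25 for outbound SMTP)
count_conntrack_dport() {
    awk -v port="$2" '{ for (i = 1; i <= NF; i++)
                            if ($i ~ /^dport=/) {
                                if (substr($i, 7) == port) n++
                                break
                            } }
                      END { print n + 0 }' "$1"
}

# --- constructed sample data standing in for the /proc files ---
demo_dir=$(mktemp -d)
echo 62000 > "$demo_dir/count"   # stand-in for ip_conntrack_count
echo 65536 > "$demo_dir/max"     # stand-in for ip_conntrack_max
cat > "$demo_dir/table" <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=203.0.113.5 sport=40001 dport=25 src=203.0.113.5 dst=192.0.2.10 sport=25 dport=40001 [ASSURED] use=1
tcp      6 431998 ESTABLISHED src=192.0.2.10 dst=203.0.113.6 sport=40002 dport=25 src=203.0.113.6 dst=192.0.2.10 sport=25 dport=40002 [ASSURED] use=1
tcp      6 431997 ESTABLISHED src=192.0.2.10 dst=203.0.113.7 sport=40003 dport=25 src=203.0.113.7 dst=192.0.2.10 sport=25 dport=40003 [ASSURED] use=1
tcp      6 431996 ESTABLISHED src=198.51.100.7 dst=192.0.2.1 sport=50001 dport=80 src=192.0.2.1 dst=198.51.100.7 sport=80 dport=50001 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=192.0.2.10 dst=203.0.113.8 sport=40004 dport=25 src=203.0.113.8 dst=192.0.2.10 sport=25 dport=40004 [ASSURED] use=1
udp      17 29 src=198.51.100.8 dst=192.0.2.1 sport=5353 dport=53 src=192.0.2.1 dst=198.51.100.8 sport=53 dport=5353 use=1
EOF

# Demo run against the constructed files (on a real host pass the /proc paths)
conntrack_state "$demo_dir/count" "$demo_dir/max" 80
echo "busiest sources:"
top_conntrack_sources "$demo_dir/table" 3
echo "entries to dport 25: $(count_conntrack_dport "$demo_dir/table" 25)"
# Sample files are left in $demo_dir; remove it when done.
```

Run the state check from cron or a monitoring agent with a warning threshold well below 100%; a table that is 90% full with most entries from one internal address to port 25 is the pattern described in the article, and catching it at that stage avoids the packet drops that caused the customer-visible lag.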
