
ip_conntrack: table full

20 May 2008

Recently one of the servers I am responsible for became very slow, and pings to it kept timing out. Running "dmesg" showed:

Nov 1 22:23:40 bounty kernel: ip_conntrack: table full, dropping packet.
Nov 1 22:23:43 bounty last message repeated 9 times
...

I ran this command to see how many connections the server was tracking:

[root@svr6 ~]# cat /proc/net/ip_conntrack | wc -l
34346

Restarting the server cleared the condition (a reboot simply empties the connection tracking table), and ping answered without timeouts again. Running the same command after the restart:

[root@svr6 ~]# cat /proc/net/ip_conntrack | wc -l
899

You might also want to check these links:

http://www.networksecurityarchive.org/html/Firewalls/2005-04/msg00098.html

http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html

If you do not want to restart the server, you can raise the limit on the fly instead (check the current value in /proc/sys/net/ipv4/ip_conntrack_max first):

echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

Please note that:
– the default CONNTRACK_MAX value will never be lower than 128;
– on systems with more than 1GB of RAM the default CONNTRACK_MAX is capped at 65536 (but it can of course be raised manually).

Writing to /proc/sys does not survive a reboot; to make the new limit permanent, put net.ipv4.ip_conntrack_max = 65536 in /etc/sysctl.conf (on kernels that use the nf_conntrack module the file is /proc/sys/net/netfilter/nf_conntrack_max and the sysctl is net.netfilter.nf_conntrack_max). Each tracked connection costs kernel memory, so do not raise the limit blindly. A jump from 899 entries to 34346 on the same server is also worth investigating (a port scan, a SYN flood, or a client that opens connections and never closes them) rather than only hiding it behind a bigger table.
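As an added example (not part of the original post), the following shell script goes one step further than counting lines: it summarizes a conntrack table dump by state and by source address, so you can see what is filling the table, and checks utilization against the configured maximum. It reads from a file, so it can be pointed at /proc/net/ip_conntrack (or /proc/net/nf_conntrack on later kernels) on a live box or at a saved copy; the sample table embedded below is constructed for illustration, not real capture data.

```shell
#!/bin/sh
# Added example, not from the original post: summarize a conntrack table dump
# and check how full it is against the configured maximum.
# Works on /proc/net/ip_conntrack (kernels as on the page) and on
# /proc/net/nf_conntrack (later kernels), or on a saved copy of either.

# Constructed sample in the ip_conntrack format (not a real capture).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.5 dst=192.0.2.10 sport=51235 dport=80 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=51235 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=10.0.0.7 sport=80 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.7 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=10.0.0.7 sport=80 dport=40002 [ASSURED] use=1
tcp      6 45 SYN_RECV src=198.51.100.9 dst=192.0.2.10 sport=1025 dport=80 [UNREPLIED] src=192.0.2.10 dst=198.51.100.9 sport=80 dport=1025 use=1
udp      17 25 src=10.0.0.5 dst=192.0.2.53 sport=53001 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=53001 use=1'

# Write the constructed sample to a file so the functions below can be run on it.
write_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" > "$1"
}

# Number of tracked connections (what "cat /proc/net/ip_conntrack | wc -l" gives).
conntrack_count() {
    awk 'END { print NR }' "$1"
}

# Entries per state: the TCP state word (ESTABLISHED, TIME_WAIT, SYN_RECV, ...)
# or, for stateless protocols, the protocol name. Output: "count state", busiest first.
conntrack_by_state() {
    awk '{
        proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1   # nf_conntrack vs ip_conntrack layout
        state = proto
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Z_]+$/) { state = $i; break }
        count[state]++
    } END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# Top N original-direction source addresses. One address holding thousands of
# entries usually points at the culprit (a scanner, a flood, or a broken client).
conntrack_top_src() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); count[$i]++; break }
    } END { for (a in count) print count[a], a }' "$1" | sort -rn | head -n "${2:-10}"
}

# Integer percentage of the table in use: conntrack_pct COUNT MAX
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Exit 0 if usage is below THRESHOLD percent, 1 otherwise (usable from cron or a monitoring check).
conntrack_check() {
    file=$1; max=$2; threshold=${3:-80}
    count=$(conntrack_count "$file")
    pct=$(conntrack_pct "$count" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack $count/$max ($pct%) >= $threshold%" >&2
        return 1
    fi
    echo "OK: conntrack $count/$max ($pct%)"
}

# Live run (needs root on a real box): pick whichever procfs layout the kernel has.
if [ "${1:-}" = "--live" ]; then
    if [ -r /proc/net/nf_conntrack ]; then
        table=/proc/net/nf_conntrack; maxfile=/proc/sys/net/netfilter/nf_conntrack_max
    else
        table=/proc/net/ip_conntrack; maxfile=/proc/sys/net/ipv4/ip_conntrack_max
    fi
    conntrack_by_state "$table"
    conntrack_top_src "$table" 5
    conntrack_check "$table" "$(cat "$maxfile")" 80
fi
```

Run it as "sh conntrack-check.sh --live" on the affected server (the file name is arbitrary) to get the per-state and per-source breakdown and the utilization check in one go; with the numbers from this post, 34346 entries against a limit of 65536 is 52% and would pass an 80% threshold, so the table filling up meant the limit on that server was lower than 65536 at the time, which is exactly why reading ip_conntrack_max before raising it is worth the extra step.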



