Recently one of the servers under my responsibility became very slow. Ping always timed out. When I typed "dmesg" it showed:
Nov 1 22:23:40 bounty kernel: ip_conntrack: table full, dropping packet.
Nov 1 22:23:43 bounty last message repeated 9 times
...
I ran this command to see how many connections the server was tracking:
[root@svr6 ~]# cat /proc/net/ip_conntrack | wc -l
34346
It could be fixed by restarting the server. After the restart, ping was fine with no timeouts. Running the command again:
[root@svr6 ~]# cat /proc/net/ip_conntrack | wc -l
899
You might also want to check these links:
http://www.networksecurityarchive.org/html/Firewalls/2005-04/msg00098.html
http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html
If you don't want to restart the server, you can raise the connection-tracking limit instead. Before you do, look at what is filling the table: a table that is mostly SYN_SENT / [UNREPLIED] entries from a handful of source addresses is a SYN flood or a scan, and a bigger table only buys time until it fills again; a table full of ESTABLISHED entries to real clients means the limit is simply too low for your traffic. To raise it (takes effect immediately, but is lost at the next reboot unless you also put the setting in /etc/sysctl.conf):
echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max
On newer kernels the ip_conntrack code has been renamed nf_conntrack: the table is /proc/net/nf_conntrack and the limit is /proc/sys/net/netfilter/nf_conntrack_max. Keep in mind that every tracked connection costs a few hundred bytes of unswappable kernel memory, and that a much larger table should go together with a larger conntrack hash table (see the wallfire link above), or lookups slow down as the table grows.
Please note that:
– the default CONNTRACK_MAX value will never be lower than 128
– on systems with more than 1 GB of RAM, the default CONNTRACK_MAX value is capped at 65536 (but it can of course be set higher manually).
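To see what is actually filling the table before raising the limit, here is a small shell script. It is an added example and not part of the original post or its linked documents: it summarizes a conntrack dump by protocol and TCP state, lists the busiest originating source addresses, and counts [UNREPLIED] entries (connections that never got an answer, the classic signature of a SYN flood or a scan). It reads either the old /proc/net/ip_conntrack layout or the newer /proc/net/nf_conntrack layout, which prefixes each line with "ipv4 2". The sample dump it builds when run without an argument is constructed for illustration (documentation and private address ranges), not captured from the author's server.

```shell
#!/bin/sh
# Added example: summarize a conntrack table dump so you can tell a real
# traffic peak from a flood before touching ip_conntrack_max.
# Usage: sh conntrack_summary.sh /proc/net/ip_conntrack   (or nf_conntrack)
# With no argument a constructed sample dump is used.

# Path of the live table on this kernel (newer kernels use nf_conntrack).
conntrack_table() {
  if [ -r /proc/net/nf_conntrack ]; then echo /proc/net/nf_conntrack
  else echo /proc/net/ip_conntrack; fi
}

# Print "proto state count" lines, most common first. UDP and other
# stateless protocols have no state column and show up as "-".
conntrack_by_state() {
  awk '{
      proto = ($1 == "ipv4" || $1 == "ipv6") ? $3 : $1   # skip nf_conntrack prefix
      state = "-"
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[A-Z_]+$/) { state = $i; break }     # e.g. ESTABLISHED, SYN_SENT
      n[proto " " state]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort -k3,3nr
}

# Print "src count" for the busiest originators (first src= on each line is
# the original direction; the second is the reply direction). $2 = how many.
conntrack_by_src() {
  awk '{
      for (i = 1; i <= NF; i++)
        if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
    }
    END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr | head -n "${2:-5}"
}

# Number of entries whose reply direction never saw a packet.
conntrack_unreplied() {
  grep -c '\[UNREPLIED\]' "$1" || true   # grep exits 1 when the count is 0
}

# Constructed sample dump (not real traffic): one established web session and
# one DNS lookup from 10.0.0.5, plus three half-open SYNs from 198.51.100.7.
# The fourth line deliberately uses the nf_conntrack layout.
sample_conntrack() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=40001 dport=80 packets=12 bytes=1400 src=192.0.2.10 dst=10.0.0.5 sport=80 dport=40001 packets=10 bytes=9000 [ASSURED] use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=5001 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=5001 packets=0 bytes=0 use=1
tcp      6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=5002 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=5002 packets=0 bytes=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=198.51.100.7 dst=192.0.2.10 sport=5003 dport=80 packets=1 bytes=60 [UNREPLIED] src=192.0.2.10 dst=198.51.100.7 sport=80 dport=5003 packets=0 bytes=0 use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=33000 dport=53 packets=1 bytes=70 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=33000 packets=1 bytes=150 use=1
EOF
  echo "$f"
}

table="${1:-$(sample_conntrack)}"
echo "== entries by protocol/state ($table)"
conntrack_by_state "$table"
echo "== busiest originating sources"
conntrack_by_src "$table" 5
echo "== unreplied entries: $(conntrack_unreplied "$table")"
```

On the constructed sample the top line is "tcp SYN_SENT 3", the busiest source is 198.51.100.7 with 3 entries, and all 3 are unreplied: that is the flood shape, and the fix is to rate-limit or block the source, not to raise ip_conntrack_max. On a live box run it against the path printed by conntrack_table and compare the total with the value in ip_conntrack_max (or nf_conntrack_max).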