ip_conntrack: table full

Recently 1 of the server under my responsibility very slow. The ping is always timeout. When i type “dmesg” it show;

Nov 1 22:23:40 bounty kernel: ip_conntrack: table full, dropping packet.
Nov 1 22:23:43 bounty last message repeated 9 times
.
.
.
.

I run this command to know how many connection on the server:

[[email protected] ~]# cat /proc/net/ip_conntrack | wc -l
34346

It can be fixed by restarting the server. After restart, the ping seem ok and no timeout. Run back the command:

[[email protected] ~]# cat /proc/net/ip_conntrack | wc -l
899

You might want to check this link also:

http://www.networksecurityarchive.org/html/Firewalls/2005-04/msg00098.html

http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

http://support.imagestream.com/Resolving_ip_conntrack_table_full_Errors.html

If you dont want to restart the server, you can run this command:

echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

Please note that:
– default CONNTRACK_MAX value will not be inferior to 128
– for systems with more than 1GB of RAM, default CONNTRACK_MAX value is
limited to 65536 (but can of course be set to more manually).

Leave a Reply

Your email address will not be published. Required fields are marked *