nf_conntrack: table full, dropping packet
Issue
In kern.log
, there are many logs like nf_conntrack: table full, dropping packets
.
Check related parameter
sysctl -a | grep conntrack
cat /proc/net/nf_conntrack
# Check nf_conntrack_buckets hash table size
cat /proc/sys/net/netfilter/nf_conntrack_buckets
# Check how many active connections are being tracked
cat /proc/sys/net/netfilter/nf_conntrack_count
# Check the current max value of nf_conntrack
cat /proc/sys/net/netfilter/nf_conntrack_max
Fix
sysctl -w net.netfilter.nf_conntrack_max=1048576
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
echo 1048576 > proc/sys/net/netfilter/nf_conntrack_max
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
and also add into /etc/sysctl.conf
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
Reference
https://morganwu277.github.io/2018/05/26/Solve-production-issue-of-nf-conntrack-table-full-dropping-packet
https://kodeslogic.medium.com/how-to-fix-nf-conntrack-table-full-dropping-packet-a5fedc6c463d
Back to Table of Contents
Disclaimer
- License under
CC BY-NC 4.0
- Copyright issue feedback
me#imzye.com
, replace # with @ - Not all the commands and scripts are tested in production environment, use at your own risk
- No personal information is collected.
Feedback