nf_conntrack: table full, dropping packet

Issue

In kern.log, there are many logs like nf_conntrack: table full, dropping packets.

Check related parameter

sysctl -a | grep conntrack

cat /proc/net/nf_conntrack

# Check nf_conntrack_buckets hash table size
cat /proc/sys/net/netfilter/nf_conntrack_buckets

# Check how many active connections are being tracked
cat /proc/sys/net/netfilter/nf_conntrack_count

# Check the current max value of nf_conntrack
cat /proc/sys/net/netfilter/nf_conntrack_max

Fix

sysctl -w net.netfilter.nf_conntrack_max=1048576

echo 262144 > /sys/module/nf_conntrack/parameters/hashsize

echo 1048576 > proc/sys/net/netfilter/nf_conntrack_max

sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600

and also add into /etc/sysctl.conf

net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60

Reference

• https://morganwu277.github.io/2018/05/26/Solve-production-issue-of-nf-conntrack-table-full-dropping-packet
• https://kodeslogic.medium.com/how-to-fix-nf-conntrack-table-full-dropping-packet-a5fedc6c463d

Back to Table of Contents

Disclaimer

1. License under CC BY-NC 4.0
2. Copyright issue feedback me#imzye.com, replace # with @
3. Not all the commands and scripts are tested in production environment, use at your own risk
4. No personal information is collected.

Feedback

Send