
nf_conntrack: table full, dropping packet


Issue

In kern.log there are many kernel messages like "nf_conntrack: table full, dropping packet", meaning the connection-tracking table has reached nf_conntrack_max and new flows are being discarded.

# Dump all conntrack-related sysctl settings
sysctl -a | grep conntrack

# List the connections currently being tracked
cat /proc/net/nf_conntrack

# Check nf_conntrack_buckets hash table size
cat /proc/sys/net/netfilter/nf_conntrack_buckets

# Check how many active connections are being tracked
cat /proc/sys/net/netfilter/nf_conntrack_count

# Check the current max value of nf_conntrack
cat /proc/sys/net/netfilter/nf_conntrack_max

Fix

# Raise the maximum number of tracked connections
sysctl -w net.netfilter.nf_conntrack_max=1048576

# Raise the hash table size to match (the kernel default is max = hashsize * 4)
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize

# Same as the sysctl above, written directly to /proc
echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max

# Expire idle established TCP entries after one hour instead of the default five days
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600

To keep the settings across reboots, also add them to /etc/sysctl.conf:

net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
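The following POSIX shell script is an added example, not part of the original note. It reads the three knobs listed under Issue (nf_conntrack_count, nf_conntrack_max, nf_conntrack_buckets), reports how full the table is, and derives a new ceiling plus the hashsize that keeps the kernel's default 4:1 entries-to-buckets ratio, which is the same ratio the Fix above uses (1048576 / 262144). When /proc/sys/net/netfilter is not readable (for example inside a container), it falls back to constructed sample values so it runs anywhere; the 70% and 90% thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original note): check conntrack table headroom
# and derive matching tunables. Falls back to constructed sample values when
# the kernel knobs are not readable.

CT_DIR=/proc/sys/net/netfilter

# read_knob NAME DEFAULT: print the knob's value, or DEFAULT when the file is absent
read_knob() {
    if [ -r "$CT_DIR/$1" ]; then
        cat "$CT_DIR/$1"
    else
        printf '%s\n' "$2"
    fi
}

# usage_pct COUNT MAX: percentage of the table in use (integer arithmetic)
usage_pct() {
    if [ "$2" -le 0 ]; then
        echo 0
    else
        echo $(( $1 * 100 / $2 ))
    fi
}

# hashsize_for_max MAX: bucket count matching the kernel's default ratio,
# nf_conntrack_max = nf_conntrack_buckets * 4
hashsize_for_max() {
    echo $(( $1 / 4 ))
}

# conntrack_status COUNT MAX: FULL at >=90% usage, HIGH at >=70%, else OK
# (thresholds are an assumption for this example)
conntrack_status() {
    pct=$(usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then
        echo FULL
    elif [ "$pct" -ge 70 ]; then
        echo HIGH
    else
        echo OK
    fi
}

# Constructed sample values are used when the knobs cannot be read.
count=$(read_knob nf_conntrack_count 62000)
max=$(read_knob nf_conntrack_max 65536)
buckets=$(read_knob nf_conntrack_buckets 16384)

status=$(conntrack_status "$count" "$max")
printf 'tracked=%s max=%s buckets=%s usage=%s%% status=%s\n' \
    "$count" "$max" "$buckets" "$(usage_pct "$count" "$max")" "$status"

# Suggest a 4x larger ceiling and the hashsize that matches it, as in the Fix above.
if [ "$status" != OK ]; then
    new_max=$(( max * 4 ))
    printf 'suggest: sysctl -w net.netfilter.nf_conntrack_max=%s\n' "$new_max"
    printf 'suggest: echo %s > /sys/module/nf_conntrack/parameters/hashsize\n' \
        "$(hashsize_for_max "$new_max")"
fi
```

Run it as root on the affected host; with the constructed sample values it reports 94% usage and suggests the same 1048576 / 262144 pair the Fix uses. Each tracked entry costs a few hundred bytes of kernel memory, so raising nf_conntrack_max on a memory-constrained box should be paired with shorter timeouts, as the sysctl.conf block above does, rather than an ever-larger table.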

Disclaimer
  1. License under CC BY-NC 4.0