ip_conntrack: table full, dropping packet

The ip_conntrack module, which iptables uses, uses a portion of the system memory to track connections called a connection tracking table. The size of this table is set when the ip_conntrack module is loaded, and is usually determined automatically by a hash of the installed system RAM. For example, a system with 256MB RAM will typically have a conntrack table of 8192 entries by default.

If you are seeing the message in the system's logs, "ip_conntrack: table full, dropping packet." it means that the table is full, and packets that are traversing the system's firewall are being dropped.

In order to increase the maximum value, you must install the kernel-devel package on the system, then reboot the server.

# yum install kernel-devel

# reboot

Now, check to see what the current maximum is set to.

# cat /proc/sys/net/ipv4/ip_conntrack_max
65536

You can now use echo to increase this number. Usually increasing it by double the existing value is good practice.

# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

Check to make sure your ip_conntrack table is getting bigger.

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65750

Since you are inserting this into the live system, when rebooting, this will go back to the default setting. To make this a permanent change in your system, modify the /etc/sysctl.conf file, and add this value, and a comment of your choice.

# echo “net.ipv4.ip_conntrack_max = 131072” >> /etc/sysctl.conf

Some information taken from the Red Hat Knowledgebase.

http://kbase.redhat.com/faq/docs/DOC-8722

Related Articles

No related articles were found.

Attachments

No attachments were found.

Visitor Comments

No visitor comments posted. Post a comment