Kernel conntrack Table is Full

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

Summary:

/var/log/messages is getting flooded with the following kernel message:

nf_conntrack: table full, dropping packet

This message means the number of connections tracked by the kernel has reached the configured maximum (nf_conntrack_max), so netfilter drops the packets it can no longer track.

This may be caused by heavy traffic on a node or a possible capacity issue. We have noticed this issue on certain ISPs with high traffic on their routers.

Steps to Diagnose the issue:

  1. Run the following command to check the configured nf_conntrack_max limit:
  • $ sudo /sbin/sysctl -a | grep -i nf_conntrack_max
  2. Check the current number of active conntrack entries:
  • $ sudo /sbin/sysctl net.netfilter.nf_conntrack_count
  • or $ sudo wc -l /proc/net/ip_conntrack (on newer kernels the file is /proc/net/nf_conntrack)

Resolution:

Increase the maximum number of nf_conntrack entries to a higher value (this may only be a temporary fix):

  1. Add the following to /etc/sysctl.conf:
  • net.netfilter.nf_conntrack_max = NEWMAXCONNTRACK
  • Reload sysctl: $ sudo sysctl -p /etc/sysctl.conf
  2. Also increase the conntrack hash table size (hashsize) using the following formula:
  • HASHSIZE = nf_conntrack_max / 4
  • $ echo HASHSIZE | sudo tee /sys/module/nf_conntrack/parameters/hashsize
    (writing with "sudo echo HASHSIZE > ..." fails with permission denied, because the redirection is performed by the unprivileged shell, not by sudo)

Note: to make this permanent, add the above line to /etc/rc.local.
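The diagnosis and resolution steps above, combined into one script as an added example (not part of the original article). It assumes a Linux host with nf_conntrack loaded; the 80% warning threshold and the constructed sample log lines are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: check how full the conntrack
# table is, count "table full" log lines, and apply the article's fix.
# Assumes a Linux host with nf_conntrack loaded; the 80% threshold is a choice.

# Percentage of the conntrack table in use (integer), from count and max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# The article's rule of thumb: HASHSIZE = nf_conntrack_max / 4
recommended_hashsize() {
    echo $(( $1 / 4 ))
}

# Count kernel "table full" lines read on stdin (e.g. from /var/log/messages).
count_table_full_msgs() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed sample of /var/log/messages lines, for trying the counter offline.
SAMPLE_LOG='Mar  1 10:00:01 node1 kernel: nf_conntrack: table full, dropping packet
Mar  1 10:00:01 node1 kernel: nf_conntrack: table full, dropping packet
Mar  1 10:00:02 node1 kernel: eth0: link is up'

# Report live usage; warns before the table actually fills.
conntrack_report() {
    max=$(sysctl -n net.netfilter.nf_conntrack_max) || return 1
    count=$(sysctl -n net.netfilter.nf_conntrack_count) || return 1
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack entries: $count / $max ($pct% in use)"
    [ "$pct" -ge 80 ] && echo "WARNING: above 80%, packet drops are imminent"
    echo "hashsize now: $(cat /sys/module/nf_conntrack/parameters/hashsize)"
    echo "hashsize recommended (max/4): $(recommended_hashsize "$max")"
}

# Apply the article's resolution for a new maximum. 'sudo echo > file' would
# fail because the redirection runs unprivileged, so write through tee instead.
set_conntrack_max() {
    sudo sysctl -w net.netfilter.nf_conntrack_max="$1"
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1" | sudo tee -a /etc/sysctl.conf >/dev/null
    recommended_hashsize "$1" | sudo tee /sys/module/nf_conntrack/parameters/hashsize
}

case "${1:-}" in
    report) conntrack_report ;;
    set)    set_conntrack_max "$2" ;;
    logs)   count_table_full_msgs < "${2:-/var/log/messages}" ;;
esac
```

Run it as `sh conntrack_check.sh report` to see usage, `sh conntrack_check.sh logs` to count drops already logged, and `sh conntrack_check.sh set NEWMAXCONNTRACK` to raise the limit and hash size together.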

Notes

This article also discusses the relationship between the RAM size and conntrack.

Keywords

CONNTRACK TABLE FULL PACKET DROP NF_CONNTRACK_MAX

Timestamp

March 2021