Kernel conntrack Table is Full


#1

Summary:

/var/log/messages is getting flooded with the following kernel message:

nf_conntrack: table full, dropping packet

This message means that the number of connections tracked by the netfilter conntrack module has reached the limit set by net.netfilter.nf_conntrack_max. Once the table is full the kernel cannot allocate an entry for a packet that starts a new flow, so it drops the packet; new connections through the host fail while the condition persists.

This can be caused by heavy traffic on a node or by a capacity issue, but it is also the symptom of a SYN flood or a large port scan, because every unanswered connection attempt occupies a table entry until its timeout expires, so check where the entries come from before simply raising the limit. We’ve noticed this issue on certain ISPs with high traffic on their routers.

Steps to Diagnose the issue:

  1. Check the configured limit (the key name depends on the kernel; very old kernels expose it as net.ipv4.netfilter.ip_conntrack_max instead):
  • $ sudo /sbin/sysctl -a | grep -i conntrack_max
  2. Check the number of connections currently tracked:
  • $ sudo /sbin/sysctl net.netfilter.nf_conntrack_count
  • or $ sudo wc -l /proc/net/nf_conntrack (/proc/net/ip_conntrack on old kernels)

If the sysctl keys do not exist, the conntrack module is not loaded and this message cannot be the cause. If the count sits near the limit, look at the table itself (/proc/net/nf_conntrack, or conntrack -L if conntrack-tools is installed) to see which source addresses and which states fill it; many [UNREPLIED] SYN_SENT entries from a few addresses point to a flood rather than to legitimate load.
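The diagnostic steps above, as an added example that is not part of the original post: a small POSIX shell script that computes how full the table is, flags a configurable threshold, and summarises a table dump by original source address and by half-open ([UNREPLIED]) entries. On a host running as root with the conntrack module loaded it reads the live sysctl values and /proc/net/nf_conntrack; otherwise it runs against a constructed sample of /proc/net/nf_conntrack lines embedded in the script. The function names, the 80% default threshold and the sample addresses are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Checks conntrack table usage
# and summarises which sources hold the entries. Only the live branch at
# the bottom touches the real system; the functions work on any input.

# Percentage of the table in use: conntrack_pct COUNT MAX
conntrack_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Succeeds (exit 0) when usage is at or above THRESHOLD percent (default 80).
# Usage: conntrack_alert COUNT MAX [THRESHOLD]
conntrack_alert() {
    pct=$(conntrack_pct "$1" "$2")
    [ "$pct" -ge "${3:-80}" ]
}

# Reads /proc/net/nf_conntrack-format lines on stdin and prints
# "COUNT ADDRESS" per original-direction source address, busiest first.
# Only the first src= field of each line is the original direction; the
# second one is the reply tuple, so the loop stops after the first match.
conntrack_top_src() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break }
    } END { for (a in n) print n[a], a }' | sort -rn
}

# Number of half-open entries (no reply seen yet) on stdin: a flood of these
# from few sources is the classic signature of a SYN flood or port scan.
conntrack_unreplied() {
    awk '/\[UNREPLIED\]/ { n++ } END { print n + 0 }'
}

# Constructed sample of /proc/net/nf_conntrack lines (not captured traffic):
# one established flow, two half-open SYNs from the same source, one UDP flow.
SAMPLE='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=51000 dport=443 src=10.0.0.1 dst=10.0.0.5 sport=443 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 119 SYN_SENT src=198.51.100.7 dst=10.0.0.1 sport=40001 dport=80 [UNREPLIED] src=10.0.0.1 dst=198.51.100.7 sport=80 dport=40001 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=198.51.100.7 dst=10.0.0.1 sport=40002 dport=80 [UNREPLIED] src=10.0.0.1 dst=198.51.100.7 sport=80 dport=40002 mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.9 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.9 sport=53 dport=5353 mark=0 use=1'

# Live check when possible (root, module loaded, sysctl available);
# otherwise demonstrate the summary on the constructed sample.
if [ "$(id -u)" -eq 0 ] && [ -r /proc/net/nf_conntrack ] && command -v sysctl >/dev/null 2>&1; then
    max=$(sysctl -n net.netfilter.nf_conntrack_max)
    count=$(sysctl -n net.netfilter.nf_conntrack_count)
    echo "conntrack: $count / $max ($(conntrack_pct "$count" "$max")%)"
    conntrack_alert "$count" "$max" && echo "WARNING: table above 80% full"
    echo "half-open entries: $(conntrack_unreplied < /proc/net/nf_conntrack)"
    conntrack_top_src < /proc/net/nf_conntrack | head -n 10
else
    echo "no live conntrack data; summarising constructed sample:"
    echo "half-open entries: $(printf '%s\n' "$SAMPLE" | conntrack_unreplied)"
    printf '%s\n' "$SAMPLE" | conntrack_top_src | head -n 3
fi
```

Run it as root on the affected node and compare the busiest sources with your expected clients: a table that is mostly [UNREPLIED] entries from a handful of addresses is something to block or rate-limit, not something to make room for.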

Resolution:

Increase the maximum number of conntrack entries. This may only be a temporary fix: each entry costs on the order of a few hundred bytes of kernel memory, and if the entries come from hostile traffic a larger table simply fills up later.

  1. Add the following to /etc/sysctl.conf, replacing NEWMAXCONNTRACK with the new limit:
  • net.netfilter.nf_conntrack_max = NEWMAXCONNTRACK
  • Reload sysctl: $ sudo sysctl -p /etc/sysctl.conf
  2. Also raise the conntrack hash table size, using the following formula:
  • HASHSIZE = nf_conntrack_max / 4
  • $ echo HASHSIZE | sudo tee /sys/module/nf_conntrack/parameters/hashsize

The tee form is needed because with "sudo echo HASHSIZE > /sys/module/..." only echo runs as root; the shell opens the sysfs file as the unprivileged user and the write fails with permission denied.

Note: to make the hashsize setting permanent, add the above line to /etc/rc.local, or set it as a module option in /etc/modprobe.d/ (options nf_conntrack hashsize=HASHSIZE) so it is applied whenever the module loads.

If the table is filled by idle or half-open flows rather than by genuine load, lowering the relevant timeouts (for example net.netfilter.nf_conntrack_tcp_timeout_established, which defaults to 432000 seconds, five days) or exempting traffic that does not need tracking with a NOTRACK rule in the raw table reduces the pressure without raising the limit.