PT. Hawk Teknologi Solusi


Friday, 20 March 2009

Solve Problem with nf_conntrack: table full, dropping packet

When I had the problem with "nf_conntrack: table full, dropping packet", the problem was solved after I read this article from:

http://paulroberts69.spaces.live.com/blog/cns!665BC38F152E1206!1645.entry

nf_conntrack: table full, dropping packet.

If you see this message "nf_conntrack: table full, dropping packet" in your syslog on a Linux box, it's likely that it's having comms problems. I saw this recently on a DNS server that looked like it was being attacked. The problem is that when this happens, normal DNS resolution is interrupted.

I haven't found a decent solution yet, but it seems that if the system has lots of RAM then you can increase the nf_conntrack_max kernel parameter (my system is running iptables, which I assume the "netfilter" module has something to do with).

On a 2.6 kernel, you can go to /proc/sys/net/netfilter and check some of the values. For instance, nf_conntrack_count shows you the current value while nf_conntrack_max is the maximum value that is set.

You can just cat these values or use sysctl to view them:

# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 65536

# sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 45033

To change the value, use the -w switch (in this example I've doubled the value):

# sysctl -w net.netfilter.nf_conntrack_max=131072

I think that in order to make this permanent across reboots, you'll need to add this line to the bottom of /etc/sysctl.conf:

net.netfilter.nf_conntrack_max=131072
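As an added example (not from the quoted article or this blog), the check below turns the two sysctl values discussed above into a usage percentage and a status, so table pressure is noticed before the kernel starts dropping packets; the 70/90 percent thresholds and the sample sysctl output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: watch nf_conntrack table pressure and emit the persistent
# sysctl.conf line for a doubled limit, as the quoted article does (65536 -> 131072).

# Extract the value from one "key = value" line as printed by sysctl.
sysctl_value() {
    printf '%s\n' "$1" | sed 's/^[^=]*=[[:space:]]*//'
}

# Integer percentage of the conntrack table currently in use.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Map usage to a status; the 70 / 90 thresholds are an assumption for this example.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if   [ "$pct" -ge 90 ]; then echo CRIT
    elif [ "$pct" -ge 70 ]; then echo WARN
    else echo OK; fi
}

# The line to append to /etc/sysctl.conf for a doubled maximum.
suggest_sysctl_line() {
    echo "net.netfilter.nf_conntrack_max=$(( $1 * 2 ))"
}

# Read live values when /proc/sys/net/netfilter exists; otherwise fall back to
# constructed sample output that mirrors the numbers quoted in the article.
main() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    else
        max=$(sysctl_value "net.netfilter.nf_conntrack_max = 65536")
        count=$(sysctl_value "net.netfilter.nf_conntrack_count = 45033")
    fi
    status=$(conntrack_status "$count" "$max")
    echo "conntrack: $count/$max ($(conntrack_usage_pct "$count" "$max")%) $status"
    [ "$status" = OK ] || suggest_sysctl_line "$max"
}
main
```

Raising nf_conntrack_max alone lengthens hash chains, because the bucket count is the separate nf_conntrack hashsize module parameter, and every tracked connection costs kernel memory, so size the limit against available RAM rather than doubling it indefinitely.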


Another reference, the TCP Tuning Guide:

http://fasterdata.es.net/TCP-tuning/linux.html
