Ip conntrack: table full, dropping packet
===========
Recently came across a situation were there server was dropping packets at high rate. The ping command shows 60-90% packet loss.
This occurs when maximum simultaneous connections from your machine exceeds. so apparently your ip_conntrack table is full, you can review your table with command:
# cat /proc/net/ip_conntrack | wc -l
The max number of connections is set in
# cat /proc/sys/net/ipv4/ip_conntrack_max
You can increase it with:
# echo "some_number" > /proc/sys/net/ipv4/ip_conntrack_max
But be sure to use not much high value as it will use more RAM.
Note: For 64 mb ram nearly 7000 connection can be setup as ip_conntrack_max. Also, each tracked connection eats about 350 bytes of non-swappable kernel memory!
Comment
-------
Since /proc is a Virtual file System the changes made in it will reset after restarting the IPTABLES or after a server reboot.
So it is always better you give the ip_conntrack_max value in the '/etc/sysctl.conf' file and then to changes to take affect use the following command:
sysctl -p
Which loads the sysctl settings.
Note: CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32) where x is the number of bits in a pointer (for example, 32 or 64 bits)
No comments:
Post a Comment
Note: only a member of this blog may post a comment.