Monday 11 February 2013

Ip conntrack: table full, dropping packet

Recently I came across a situation where a server was dropping packets at a high rate; the ping command showed 60-90% packet loss.

The message comes from the netfilter connection-tracking (conntrack) module. It keeps a state entry for every flow passing through the host, including forwarded and NATed traffic, not only connections the machine itself originates. Once the number of entries reaches the configured maximum, new flows cannot be tracked and their packets are dropped, which is what the ping loss reflects. You can see how many entries are currently tracked with:

# cat /proc/net/ip_conntrack | wc -l

(On kernels that use the newer nf_conntrack module the file is /proc/net/nf_conntrack, the log line reads "nf_conntrack: table full, dropping packet", and the count is available directly from /proc/sys/net/netfilter/nf_conntrack_count.)

The maximum number of entries is set in

# cat /proc/sys/net/ipv4/ip_conntrack_max

(on nf_conntrack kernels the sysctl is net.netfilter.nf_conntrack_max). You can raise it on the fly with:

# echo "some_number" > /proc/sys/net/ipv4/ip_conntrack_max

Do not set it arbitrarily high. Every tracked entry consumes non-swappable kernel memory, and the hash table the entries are looked up in (the nf_conntrack hashsize module parameter) does not grow with the maximum, so a much larger table with the same number of buckets makes every lookup slower. Also check why the table filled: if it fills again within seconds of being raised, the cause is more likely a SYN flood or a port scan than legitimate load, and raising the limit further only feeds it.
 
Note: the figure of nearly 7000 entries for a machine with 64 MB of RAM is only a rule of thumb; the formula further down gives 4096 for a 32-bit box with 64 MB. Each tracked connection eats roughly 350 bytes of non-swappable kernel memory, so even a table of 65536 entries costs only about 22 MB. On a modern server the memory is rarely the real limit; the hash table size is.

Comment
-------
Since /proc is a virtual filesystem, a value written there lives only in the running kernel. It is lost on a reboot, and also whenever the conntrack module is unloaded and reloaded, which the iptables init script on RHEL/CentOS does on a restart (controlled by IPTABLES_MODULES_UNLOAD in /etc/sysconfig/iptables-config).

So it is better to put the ip_conntrack_max value (net.ipv4.ip_conntrack_max, or net.netfilter.nf_conntrack_max on nf_conntrack kernels) in the '/etc/sysctl.conf' file and then have the change take effect with:

sysctl -p

which reloads the sysctl settings. One caveat: the key only exists while the conntrack module is loaded, so when sysctl.conf is applied at boot before the firewall has loaded the module, sysctl reports the key as unknown and the setting is not applied. Make sure the module is loaded at boot (for example via IPTABLES_MODULES in /etc/sysconfig/iptables-config on RHEL/CentOS, or /etc/modules-load.d on systemd systems), or re-run sysctl -p after the firewall starts, and check the live value afterwards.

Note: the netfilter documentation gives the default as CONNTRACK_MAX = RAMSIZE (in bytes) / 16384 / (x / 32), where x is the number of bits in a pointer (for example, 32 or 64 bits); entries are roughly twice as large on a 64-bit machine, hence the extra division. The same documentation sizes the hash table to go with it as HASHSIZE = CONNTRACK_MAX / 8.
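The whole procedure above (read the fill level, size the table from the formula, persist the result) in one script, as an added example that is not from the original post. It prefers the nf_conntrack sysctls and falls back to the legacy ip_conntrack files the post uses; the optional root-prefix argument on the read/check functions is an assumption made only so they can be pointed at a constructed fake /proc tree, and with no argument they read the real kernel files.

```bash
#!/usr/bin/env bash
# Added example (not code from the original post): read the conntrack table's
# fill level, size it with the post's formula, and print the lines needed to
# persist the result. The first argument of the read/check functions is an
# optional root prefix, assumed here only so the functions can be pointed at a
# constructed fake /proc tree; with no argument they read the real kernel files.

# Print "<count> <max>". Prefers the nf_conntrack sysctls and falls back to
# the legacy ip_conntrack files used in the post.
conntrack_usage() {
    local root="${1:-}" nf count max
    nf="$root/proc/sys/net/netfilter"
    if [ -r "$nf/nf_conntrack_count" ] && [ -r "$nf/nf_conntrack_max" ]; then
        count=$(cat "$nf/nf_conntrack_count")
        max=$(cat "$nf/nf_conntrack_max")
    elif [ -r "$root/proc/net/ip_conntrack" ] && [ -r "$root/proc/sys/net/ipv4/ip_conntrack_max" ]; then
        # Legacy interface: one line per tracked flow, so count lines.
        count=$(wc -l < "$root/proc/net/ip_conntrack" | tr -d ' ')
        max=$(cat "$root/proc/sys/net/ipv4/ip_conntrack_max")
    else
        echo "no conntrack interface found under ${root}/proc (module not loaded?)" >&2
        return 1
    fi
    echo "$count $max"
}

# Report the fill level; exit status 1 when usage is at or above THRESHOLD
# percent (default 80), so it can drive a cron job or a monitoring check.
conntrack_check() {
    local root="${1:-}" threshold="${2:-80}" usage count max pct
    usage=$(conntrack_usage "$root") || return 2
    count=${usage% *}
    max=${usage#* }
    pct=$(( count * 100 / max ))
    echo "conntrack: $count / $max entries in use (${pct}%)"
    [ "$pct" -lt "$threshold" ]
}

# CONNTRACK_MAX = RAMSIZE (bytes) / 16384 / (ptrbits / 32), the formula quoted
# in the post; 64-bit pointers roughly double the size of each entry.
conntrack_max_for_ram() {
    local ram_bytes=$1 ptr_bits=$2
    echo $(( ram_bytes / 16384 / (ptr_bits / 32) ))
}

# The netfilter documentation pairs that with HASHSIZE = CONNTRACK_MAX / 8.
conntrack_hashsize_for_max() {
    echo $(( $1 / 8 ))
}

# Lines to persist a chosen maximum. The hash size is a module parameter, not
# a sysctl, so it goes into modprobe.d (it can also be changed on a running
# system through /sys/module/nf_conntrack/parameters/hashsize).
conntrack_persist_lines() {
    local max=$1 hashsize
    hashsize=$(conntrack_hashsize_for_max "$max")
    printf '# /etc/sysctl.conf\nnet.netfilter.nf_conntrack_max = %s\n' "$max"
    printf '# /etc/modprobe.d/nf_conntrack.conf\noptions nf_conntrack hashsize=%s\n' "$hashsize"
}

# Command-line use: "check [threshold]" or "size <ram_bytes> <ptr_bits>".
case "${1:-}" in
    check) conntrack_check "" "${2:-80}" ;;
    size)  max=$(conntrack_max_for_ram "$2" "$3"); conntrack_persist_lines "$max" ;;
esac
```

Run it as `./conntrack.sh check 80` from cron to get an alert before the table fills, and `./conntrack.sh size 4294967296 64` to see what the formula yields for a 4 GB 64-bit box (131072 entries, 16384 hash buckets). The check function's exit status is the point: a full table drops packets silently apart from the kernel log line, so watching the fill level is how you catch it before users do.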
