Category: LINUX

2012-03-13 05:26:05


What does the message 'ip_conntrack: table full, dropping packet.' in my system's messages log file mean? How can I fix this problem?
Issue
  • What does the message 'ip_conntrack: table full, dropping packet.' in system's messages log file mean? How can I fix this problem?
Environment
  • Red Hat Enterprise Linux
Resolution

First verify that the table really is full by checking how many connections are currently being tracked:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
8192

Then compare that with the maximum the system is configured to track, the ip_conntrack_max entry:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
8192

When the count has reached the maximum, the ip_conntrack_max setting must be increased to resolve the problem.

To change the value of ip_conntrack_max persistently, edit the /etc/sysctl.conf file and add the following entry, replacing <new maximum> with a limit large enough for the host's peak number of concurrent connections (see Root Cause below for the memory cost per entry):

net.ipv4.netfilter.ip_conntrack_max = <new maximum>

Then execute the following command to make the change take effect without a reboot:

# sysctl -p

The number of hash buckets used by the table can also be changed at runtime by writing a new value to /sys/module/ip_conntrack/parameters/hashsize. This does not by itself raise ip_conntrack_max; it is a companion change that keeps hash chains short after the maximum has been increased (the kernel's default ratio is about 8 entries per bucket, see Root Cause).
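The check-and-resize procedure above, as an added example that is not part of the original article: the helper functions take numbers as arguments so they can be run offline, and the report function reads the live counters and prints, rather than executes, the sysctl and hashsize commands to run. The paths for the newer nf_conntrack module, the 90% "full" threshold, the power-of-two rounding and the 65536 floor are this example's assumptions; the 8-entries-per-bucket ratio and the 300 bytes per entry are taken from the Root Cause section below.

```sh
#!/bin/sh
# Added example: measure conntrack table pressure and size a new maximum.
# Pure helpers take numbers as arguments so they can be run offline; the
# report function reads the live /proc files. Paths for the legacy
# ip_conntrack module (as in the article) and the newer nf_conntrack
# module are both tried. The 90% threshold, doubling to the next power
# of two and the 65536 floor are this example's assumptions.

# Print the first readable file among the candidates, fail if none exists.
conntrack_path() {
    for f in "$@"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Integer percentage of the table in use: count * 100 / max.
conntrack_utilization() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# True when utilization is at or above the threshold (default 90%).
conntrack_is_full() {
    util=$(conntrack_utilization "$1" "$2") || return 1
    [ "$util" -ge "${3:-90}" ]
}

# Suggest a new maximum: at least double the current value and at least
# the floor (default 65536), rounded up to a power of two.
conntrack_suggest_max() {
    target=$(( $1 * 2 ))
    floor=${2:-65536}
    [ "$target" -ge "$floor" ] || target=$floor
    pow=1
    while [ "$pow" -lt "$target" ]; do pow=$(( pow * 2 )); done
    echo "$pow"
}

# Hash buckets that keep the kernel's default ratio of 8 entries per bucket.
conntrack_hashsize_for() { echo $(( $1 / 8 )); }

# Rough memory footprint in KiB at ~300 bytes per tracked connection.
conntrack_memory_kib() { echo $(( $1 * 300 / 1024 )); }

# Read the live counters and print what to do about them.
conntrack_report() {
    count_file=$(conntrack_path /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
                                /proc/sys/net/netfilter/nf_conntrack_count) || {
        echo "No conntrack counters in /proc: module not loaded, nothing to tune."
        return 0
    }
    case "$count_file" in
        */ipv4/netfilter/*) max_file=/proc/sys/net/ipv4/netfilter/ip_conntrack_max
                            key=net.ipv4.netfilter.ip_conntrack_max
                            hash=/sys/module/ip_conntrack/parameters/hashsize ;;
        *)                  max_file=/proc/sys/net/netfilter/nf_conntrack_max
                            key=net.netfilter.nf_conntrack_max
                            hash=/sys/module/nf_conntrack/parameters/hashsize ;;
    esac
    count=$(cat "$count_file"); max=$(cat "$max_file")
    echo "tracked: $count / $max ($(conntrack_utilization "$count" "$max")% in use)"
    if conntrack_is_full "$count" "$max"; then
        new=$(conntrack_suggest_max "$max")
        echo "table full or nearly full; suggested steps:"
        echo "  sysctl -w $key=$new        # ~$(conntrack_memory_kib "$new") KiB of entries"
        echo "  echo $(conntrack_hashsize_for "$new") > $hash   # keep ~8 entries per bucket"
        echo "  and persist '$key = $new' in /etc/sysctl.conf"
    else
        echo "table has headroom; look elsewhere for the drops"
    fi
}

conntrack_report
```

Run it on the affected host while the drops are happening; a utilization well below the threshold means the log message is stale or the table has already been enlarged, and the dropped packets have another cause.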

Root Cause

The ip_conntrack module uses a portion of system memory to track connections, called the connection tracking table. The hash size of this table is set when the ip_conntrack module is loaded and is normally derived from the amount of installed system RAM. For example, a system with 256MB of RAM will typically have a conntrack table of 8192 entries by default.

The maximum number of connections that can be maintained defaults to 8 * hashsize of the connection tracking module, and each tracked connection requires approximately 300 bytes of memory (so the default 8192 entries occupy roughly 2.4MB).

To check the maximum number of conntrack entries available, look at the proc file system (this legacy entry mirrors /proc/sys/net/ipv4/netfilter/ip_conntrack_max):

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_conntrack_max
8192

If the system log contains the message ip_conntrack: table full, dropping packet., the table is full: packets that would start a new tracked connection through the system's firewall are being dropped, while connections already in the table continue to pass.
