Category: LINUX

2013-06-17 23:31:58

First, raise the values temporarily and see what happens:
echo 655350 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 10800 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
After the change I watched for a while; server connections were normal and the problem did not recur.

To make it permanent, edit /etc/sysctl.conf:
net.ipv4.netfilter.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 10800
Then run sysctl -p for it to take effect immediately.


Resolution
First verify that the table is full by checking how many connections are currently being tracked:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
8192

Then compare it with the maximum the system is set to handle, the ip_conntrack_max entry:

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
8192

When the count has reached the maximum, the ip_conntrack_max setting must be increased to resolve the problem.
To change the default value of ip_conntrack_max, edit /etc/sysctl.conf and add the following entry:
net.ipv4.netfilter.ip_conntrack_max =
Then run the following command to make the change take effect without a reboot:

# sysctl -p

This value can also be changed at runtime by writing a new value to /sys/module/ip_conntrack/parameters/hashsize.

Root Cause
The ip_conntrack module uses a portion of system memory to track connections, called the connection tracking table. The size of this table is set when the ip_conntrack module is loaded and is usually determined automatically from the amount of installed system RAM. For example, a system with 256MB RAM will typically have a conntrack table of 8192 entries by default.

The maximum number of connections that can be maintained is 8*hashsize of the connection tracking module, and each tracked connection requires approximately 300 bytes.

To check the maximum number of conntrack entries available, look at the proc file system:

[root@localhost ~]# cat /proc/sys/net/ipv4/ip_conntrack_max
8192

If the system's logs contain the message "ip_conntrack: table full, dropping packet.", the table is full and packets traversing the system's firewall are being dropped.
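The Resolution steps (compare ip_conntrack_count with ip_conntrack_max) and the Root Cause figures (about 300 bytes per entry) combined into one check script. This is an added example, not code from the original post or from the kernel project; SYSCTL_ROOT and CT_PREFIX are hypothetical overrides so it can also run against nf_conntrack paths or sample files, and the 80% threshold is an arbitrary default.

```sh
#!/bin/sh
# Added example (not from the original post): compare the conntrack count with the
# configured maximum so a "table full" condition is caught before packets are dropped.
# Defaults use the ip_conntrack paths shown in the article. SYSCTL_ROOT and CT_PREFIX are
# hypothetical overrides: use /proc/sys/net/netfilter and nf_conntrack on kernels that
# expose nf_conntrack instead, or a directory of sample files when testing.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys/net/ipv4/netfilter}"
CT_PREFIX="${CT_PREFIX:-ip_conntrack}"

# Print the integer held in a sysctl file; fail if it is unreadable or not a number.
read_int() {
    [ -r "$1" ] || return 1
    v=$(tr -d ' \n' < "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# Table usage as an integer percentage. Args: count max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Memory a full table needs, in KiB, at the ~300 bytes per entry the article quotes. Arg: max.
conntrack_mem_kib() {
    echo $(( $1 * 300 / 1024 ))
}

# Read count and max, print a status line. Returns 0 below the threshold (percent,
# default 80), 2 at or above it, 1 if the files cannot be read.
check_conntrack() {
    threshold="${1:-80}"
    count=$(read_int "$SYSCTL_ROOT/${CT_PREFIX}_count") || { echo "cannot read ${CT_PREFIX}_count" >&2; return 1; }
    max=$(read_int "$SYSCTL_ROOT/${CT_PREFIX}_max") || { echo "cannot read ${CT_PREFIX}_max" >&2; return 1; }
    pct=$(conntrack_usage_pct "$count" "$max") || return 1
    echo "conntrack: $count / $max entries (${pct}%), full table ~$(conntrack_mem_kib "$max") KiB"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: usage ${pct}% >= ${threshold}%; raise the ${CT_PREFIX}_max sysctl in /etc/sysctl.conf and run sysctl -p" >&2
        return 2
    fi
    return 0
}
```

Source the file and call check_conntrack from cron or a monitoring agent; an exit status of 2 is the signal to raise the limit before the kernel starts logging "table full, dropping packet".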