Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2776446
  • 博文数量: 505
  • 博客积分: 1552
  • 博客等级: 上尉
  • 技术积分: 2514
  • 用 户 组: 普通用户
  • 注册时间: 2007-09-23 18:24
文章分类

全部博文(505)

文章存档

2019年(12)

2018年(15)

2017年(1)

2016年(17)

2015年(14)

2014年(93)

2013年(233)

2012年(108)

2011年(1)

2009年(11)

分类: LINUX

2013-06-17 23:31:58

先临时调大看看效果
echo 655350 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 10800 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
        改完后观察了一段时间,发现服务器连接正常,没有再发生类似情况

修改/etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 655360
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 10800
sysctl -p 立即生效


Resolution
First verify that the table is full by checking how many connections are currently being tracked:
 

[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
8192
 
Then compare to the maximum the system is set to handle in the ip_conntrack_max entry:
 
[root@localhost ~]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
8192
 
The ip_conntrack_max setting must be increased to resolve the problem.
To change the default value of ip_conntrack_max, modify /etc/sysctl.conf file and add the following entry:
net.ipv4.netfilter.ip_conntrack_max =
Then execute the following command to make the change take effect without reboot.
 
# sysctl -p
 
This value can also be dynamically changed by setting up a new value to /sys/module/ip_conntrack/parameters/hashsize

Root Cause
The ip_conntrack module uses a portion of the system memory to track connections called a  connection tracking table. The size of this table is set when the ip_conntrack module is loaded, and is usually determined automatically by a hash of the installed system RAM. For example, a system with 256MB RAM will typically have a conntrack table of 8192 entries by default.
 
The maximum number of connections that can maintained is  8*hashsize of the connection tracking module and each connection tracking requires approximately 300bytes
 
To check the maximum conntrack entries available, look at the proc file system:
 
[root@localhost ~]# cat /proc/sys/net/ipv4/ip_conntrack_max
8192
 
If the message in the system's logs is ip_conntrack: table full, dropping packet. it means that the table is full, and packets that are traversing the system's firewall are being dropped.
阅读(1425) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~