Fixing nf_conntrack table full: http, tcp, udp strange packet loss

From vpsget wiki
Revision as of 16:47, 17 March 2017 by Ndi

If you face "strange packet loss" on your server while it is handling a lot of connections, check /var/log/messages (or the equivalent log that receives kernel output; this depends on the Linux distribution, in this example we are using CentOS). You will most likely see:

Mar 17 15:16:22 server-name kernel: [14743874.699664] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:16:22 server-name kernel: [14743874.750441] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:27:41 server-name kernel: [14744553.894616] VE0: nf_conntrack: table full, dropping packet.

In this case increasing the nf_conntrack_max value may be the solution (but check the server utilization first).

Get the current maximum value:

sysctl net.netfilter.nf_conntrack_max

or

cat  /proc/sys/net/netfilter/nf_conntrack_max

Get the current connection tracking count:

cat  /proc/sys/net/netfilter/nf_conntrack_count

On most systems the default value is net.netfilter.nf_conntrack_max = 65536; you may start by doubling it. Increase the value live:

sysctl -w net.netfilter.nf_conntrack_max=131072

To keep this change across reboots, add the following line to /etc/sysctl.conf:

net.netfilter.nf_conntrack_max = 131072

Check the logs and increase the value once again if needed. Note that you should ensure the server has enough resources to handle it properly (every tracked connection is held in kernel memory).
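As an added example (not from the vpsget wiki): a small POSIX shell script that reads the two counters above, reports how full the table is, counts "table full" drops in a kernel log, and suggests the doubled limit the page recommends. The /proc paths are the standard ones; the sample log and the fallback demo values are constructed.

```shell
#!/bin/sh
# Added example, not from the vpsget page: report conntrack table usage,
# count "table full" drops in a kernel log and suggest the doubled limit.
CT_DIR=/proc/sys/net/netfilter   # standard sysctl path for the counters

# read_sysctl FILE: print the integer in FILE, or "unknown" when absent
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo unknown; fi
}
# usage_pct COUNT MAX: integer percentage of the table in use (0 if MAX is 0)
usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}
# suggested_max MAX: the page's starting point, double the current limit
suggested_max() {
    echo $(( $1 * 2 ))
}
# count_table_full LOGFILE: number of nf_conntrack "table full" drops logged
count_table_full() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}
# report COUNT MAX LOGFILE: one-line summary, plus advice when usage is high
report() {
    pct=$(usage_pct "$1" "$2")
    drops=$(count_table_full "$3")
    printf 'conntrack: %s/%s entries (%s%%), %s "table full" drops logged\n' "$1" "$2" "$pct" "$drops"
    if [ "$pct" -ge 80 ] || [ "$drops" -gt 0 ]; then
        printf 'consider: sysctl -w net.netfilter.nf_conntrack_max=%s and the same line in /etc/sysctl.conf\n' \
            "$(suggested_max "$2")"
    fi
}

# Constructed sample log: the three kernel lines quoted on the page
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 17 15:16:22 server-name kernel: [14743874.699664] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:16:22 server-name kernel: [14743874.750441] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:27:41 server-name kernel: [14744553.894616] VE0: nf_conntrack: table full, dropping packet.
EOF

# Live counters when the nf_conntrack module is loaded, constructed values otherwise
MAX=$(read_sysctl "$CT_DIR/nf_conntrack_max")
COUNT=$(read_sysctl "$CT_DIR/nf_conntrack_count")
if [ "$MAX" = unknown ] || [ "$COUNT" = unknown ]; then MAX=65536; COUNT=60000; fi
report "$COUNT" "$MAX" "$SAMPLE_LOG"
```

Run it periodically (for example from cron) before the drops start; a usage near 80% with no drops yet is the moment to raise the limit rather than after the kernel has already started discarding packets.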