Fixing nf conntrack table full . http, tcp,udp strange packet lost

From vpsget wiki
Jump to: navigation, search

If you face "strange packet lost" on your server while having a lot of connections you need to check the /var/log/messages (or similar log with kernel output, depends on Linux distro; in current example we are using Centos ) you most likely see: 

Mar 17 15:16:22 server-name kernel: [14743874.699664] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:16:22 server-name kernel: [14743874.750441] VE0: nf_conntrack: table full, dropping packet.
Mar 17 15:27:41 server-name kernel: [14744553.894616] VE0: nf_conntrack: table full, dropping packet.

In this case increasing the nf_conntrack value may be the solution. (but check the server utilization before).

Get current max value 

sysctl net.netfilter.nf_conntrack_max

or 

cat  /proc/sys/net/netfilter/nf_conntrack_max

Get the current connection tracking count: 

cat  /proc/sys/net/netfilter/nf_conntrack_count

In most systems the default value is net.netfilter.nf_conntrack_max = 65536 , you may start from increasing it x2. Increase the value live: 

sysctl -w net.netfilter.nf_conntrack_max=131072

In order to save this change after reboot add the next line into /etc/sysctl.conf: 

net.netfilter.nf_conntrack_max = 131072

Check logs and increase once again if need. Note that you should ensure that server have enough resources to handle it properly.

Retrieved from "https://wiki.vpsget.com/index.php?title=Fixing_nf_conntrack_table_full_._http,_tcp,udp_strange_packet_lost&oldid=7231"