How to fix nf_conntrack: table full, dropping packet
What is nf_conntrack?
nf_conntrack is a Linux kernel module that allows the operating system to keep track of all network connections passing through it. It is used to implement Network Address Translation (NAT), firewalling, and other network services. nf_conntrack maintains a table of all active connections, including information about the source and destination IP addresses, port numbers, and connection state.
What Causes the “nf_conntrack: table full” Error?
The nf_conntrack module uses a finite amount of memory to keep track of all active connections, bounded by the nf_conntrack_max setting. When the number of tracked connections reaches that limit, the kernel cannot add entries for new flows and starts dropping their packets, logging the “nf_conntrack: table full, dropping packet” error message. Busy NAT gateways, firewalls, and hosts that see many short-lived connections are the usual places this happens.
How to Fix the “nf_conntrack: table full” Error
Issue
In kern.log, there are many logs like "nf_conntrack: table full, dropping packet".
Check related parameter
# Show all conntrack-related sysctl settings
sysctl -a | grep conntrack
# List the currently tracked connections, one per line
cat /proc/net/nf_conntrack
# Check nf_conntrack_buckets hash table size
cat /proc/sys/net/netfilter/nf_conntrack_buckets
# Check how many active connections are being tracked
cat /proc/sys/net/netfilter/nf_conntrack_count
# Check the current max value of nf_conntrack (compare with nf_conntrack_count)
cat /proc/sys/net/netfilter/nf_conntrack_max
Fix
# Raise the maximum number of tracked connections (takes effect immediately)
sysctl -w net.netfilter.nf_conntrack_max=1048576
# Enlarge the hash table to match (here max / 4 buckets)
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize
# Equivalent to the sysctl above, written through /proc (the path must be absolute)
echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max
# Shorten the established-connection timeout (kernel default is 432000 s, 5 days) so idle entries expire sooner
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
Also add the settings to /etc/sysctl.conf so they survive a reboot (apply with sysctl -p):
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
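The check and fix above can be combined into a small script that reports how full the table is and prints the sysctl lines sized for a larger maximum. This is an added example, not code from the original post; it assumes the standard /proc/sys/net/netfilter paths, uses the same max-to-buckets ratio (4:1) as the fix above, and the quadrupling of the current maximum and the constructed fallback values (60000 of 65536 entries) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report conntrack table usage and emit the sysctl lines from the fix.
# Assumes /proc/sys/net/netfilter/* exists; falls back to constructed values when it
# does not (for example, when the nf_conntrack module is not loaded).

CT_DIR=/proc/sys/net/netfilter

# read_ct_value NAME DEFAULT: read $CT_DIR/NAME, or DEFAULT if the file is absent.
read_ct_value() {
    if [ -r "$CT_DIR/$1" ]; then
        cat "$CT_DIR/$1"
    else
        echo "$2"
    fi
}

# usage_pct COUNT MAX: integer percentage of the table currently in use.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# hashsize_for_max MAX: bucket count using the 4:1 ratio the fix uses
# (1048576 / 262144); the kernel's own default ratio depends on the version.
hashsize_for_max() {
    echo $(( $1 / 4 ))
}

# table_state COUNT MAX THRESHOLD: "full" when count >= max, "warn" when usage
# is at or above THRESHOLD percent, otherwise "ok".
table_state() {
    if [ "$1" -ge "$2" ]; then
        echo full
    elif [ "$(usage_pct "$1" "$2")" -ge "$3" ]; then
        echo warn
    else
        echo ok
    fi
}

# sysctl_lines MAX: the persistent /etc/sysctl.conf block from the fix for a given max.
sysctl_lines() {
    cat <<EOF
net.netfilter.nf_conntrack_max = $1
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
EOF
}

# report: print the live state (or the constructed fallback 60000/65536/16384)
# and, when the table is near or at capacity, the suggested fix (assumed: 4x max).
report() {
    count=$(read_ct_value nf_conntrack_count 60000)
    max=$(read_ct_value nf_conntrack_max 65536)
    buckets=$(read_ct_value nf_conntrack_buckets 16384)
    state=$(table_state "$count" "$max" 80)
    echo "conntrack: $count / $max entries ($(usage_pct "$count" "$max")%), $buckets buckets, state=$state"
    if [ "$state" != ok ]; then
        newmax=$(( max * 4 ))
        echo "suggested: sysctl -w net.netfilter.nf_conntrack_max=$newmax"
        echo "suggested: echo $(hashsize_for_max "$newmax") > /sys/module/nf_conntrack/parameters/hashsize"
        echo "suggested /etc/sysctl.conf lines:"
        sysctl_lines "$newmax"
    fi
}

report
```

Run it periodically (or from a monitoring check) to catch the table approaching its limit before packets are dropped; the 80% warning threshold is a starting point to tune for the host.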
Conclusion
The “nf_conntrack: table full, dropping packet” error message is a common issue when running a Linux-based firewall or router. It is caused by a full connection tracking table, and it can be fixed by increasing the amount of memory allocated for the table (nf_conntrack_max and the hash size) and by shortening the TCP timeouts so stale entries expire sooner. By following the steps outlined above, you should be able to resolve this issue and keep your system running smoothly.
Reference
https://morganwu277.github.io/2018/05/26/Solve-production-issue-of-nf-conntrack-table-full-dropping-packet
https://kodeslogic.medium.com/how-to-fix-nf-conntrack-table-full-dropping-packet-a5fedc6c463d
License under CC BY-NC 4.0