How to mitigate error “kernel: nf_conntrack: table full, dropping packet”

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















We recently had a problem with one of our servers (Debian Squeeze) becoming unresponsive during heavy-ish load. Looking at the kernel logs, I think this is the cause:



kernel: nf_conntrack: table full, dropping packet


As I understand it, this is the conntrack module, which does some stateful tracking of connection, reporting that the table used to store the connection details is full.



From the research I have done, there seem to be two ways to mitigate this:



  1. Increase size of the table.


  2. Remove the module from the system altogether.


However, neither /proc/sys/net/ipv4/ip_conntrack_maxnor /proc/sys/net/ipv4/netfilter/ip_conntrack_max exist on this machine (there is no ipv4 catalogue under net).



If I do lsmod I get no results.



So, I'm a bit confused - perhaps someone could clarify the situation for me?



  • Is conntrack installed? If so, where are the settings? And why doesn't it show up in lsmod?

  • If conntrack is not installed, what is issuing the table full messages?

Thank you






debian networking







share|improve this question






















  • Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

    – Jan
    Sep 30 '14 at 11:06











  • Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

    – UpTheCreek
    Sep 30 '14 at 11:12











  • I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

    – Scyld de Fraud
    Sep 30 '14 at 12:01
















2















We recently had a problem with one of our servers (Debian Squeeze) becoming unresponsive during heavy-ish load. Looking at the kernel logs, I think this is the cause:



kernel: nf_conntrack: table full, dropping packet


As I understand it, this is the conntrack module, which does some stateful tracking of connection, reporting that the table used to store the connection details is full.



From the research I have done, there seem to be two ways to mitigate this:



  1. Increase size of the table.


  2. Remove the module from the system altogether.


However, neither /proc/sys/net/ipv4/ip_conntrack_maxnor /proc/sys/net/ipv4/netfilter/ip_conntrack_max exist on this machine (there is no ipv4 catalogue under net).



If I do lsmod I get no results.



So, I'm a bit confused - perhaps someone could clarify the situation for me?



  • Is conntrack installed? If so, where are the settings? And why doesn't it show up in lsmod?

  • If conntrack is not installed, what is issuing the table full messages?

Thank you






debian networking







share|improve this question






















  • Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

    – Jan
    Sep 30 '14 at 11:06











  • Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

    – UpTheCreek
    Sep 30 '14 at 11:12











  • I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

    – Scyld de Fraud
    Sep 30 '14 at 12:01














2












2








2


1






We recently had a problem with one of our servers (Debian Squeeze) becoming unresponsive during heavy-ish load. Looking at the kernel logs, I think this is the cause:



kernel: nf_conntrack: table full, dropping packet


As I understand it, this is the conntrack module, which does some stateful tracking of connection, reporting that the table used to store the connection details is full.



From the research I have done, there seem to be two ways to mitigate this:



  1. Increase size of the table.


  2. Remove the module from the system altogether.


However, neither /proc/sys/net/ipv4/ip_conntrack_maxnor /proc/sys/net/ipv4/netfilter/ip_conntrack_max exist on this machine (there is no ipv4 catalogue under net).



If I do lsmod I get no results.



So, I'm a bit confused - perhaps someone could clarify the situation for me?



  • Is conntrack installed? If so, where are the settings? And why doesn't it show up in lsmod?

  • If conntrack is not installed, what is issuing the table full messages?

Thank you






debian networking







share|improve this question














We recently had a problem with one of our servers (Debian Squeeze) becoming unresponsive during heavy-ish load. Looking at the kernel logs, I think this is the cause:



kernel: nf_conntrack: table full, dropping packet


As I understand it, this is the conntrack module, which does some stateful tracking of connection, reporting that the table used to store the connection details is full.



From the research I have done, there seem to be two ways to mitigate this:



  1. Increase size of the table.


  2. Remove the module from the system altogether.


However, neither /proc/sys/net/ipv4/ip_conntrack_maxnor /proc/sys/net/ipv4/netfilter/ip_conntrack_max exist on this machine (there is no ipv4 catalogue under net).



If I do lsmod I get no results.



So, I'm a bit confused - perhaps someone could clarify the situation for me?



  • Is conntrack installed? If so, where are the settings? And why doesn't it show up in lsmod?

  • If conntrack is not installed, what is issuing the table full messages?

Thank you






debian networking




debian networking






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Sep 30 '14 at 10:56









UpTheCreekUpTheCreek

3433516




3433516












  • Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

    – Jan
    Sep 30 '14 at 11:06











  • Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

    – UpTheCreek
    Sep 30 '14 at 11:12











  • I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

    – Scyld de Fraud
    Sep 30 '14 at 12:01


















  • Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

    – Jan
    Sep 30 '14 at 11:06











  • Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

    – UpTheCreek
    Sep 30 '14 at 11:12











  • I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

    – Scyld de Fraud
    Sep 30 '14 at 12:01

















Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

– Jan
Sep 30 '14 at 11:06





Really? lsmod|grep conntrack doesn't yield results? Maybe you're using IPv6?

– Jan
Sep 30 '14 at 11:06













Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

– UpTheCreek
Sep 30 '14 at 11:12





Right, lsmod|grep conntrack comes back empty (as does lsmod on it's own). Definitely using ip4, although both ip4 and ip6 are configured on this server - it's a virtualized server if that makes any difference.

– UpTheCreek
Sep 30 '14 at 11:12













I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

– Scyld de Fraud
Sep 30 '14 at 12:01






I have nf_conntrack_max directly in /proc/sys/net and in /proc/sys/net/netfilter.

– Scyld de Fraud
Sep 30 '14 at 12:01











1 Answer
1






active

oldest

votes


















1














I had the same issue on servers running with Ubuntu 18.04. Even though the nf_conntrack module was not loaded at startup, later during traffic spikes, messages were dropped (nf_conntrack: table full, dropping packet).



I'm not aware of a way to disable the functionality, but I ended up explicitly loading the module, so I could overwrite the table size.



First, make sure that nf_conntrack gets immediately loaded by including it in /etc/modules:



nf_conntrack


Then increase its table size, which otherwise will depend on the memory size of the server, by overwriting the defaults in /etc/sysctl.conf:



net.netfilter.nf_conntrack_max=262144
net.nf_conntrack_max=262144


To verify:



$ cat /proc/sys/net/netfilter/nf_conntrack_max 
262144


As said, it was tested on Ubuntu 18.04, but I would expect it to work also on Debian.



For some further background, why nf_conntrack might get later loaded, even if it is not present after booting up, this related answer has an example where the module gets automatically loaded when iptables is called. Adding it explicitly to /etc/modules eliminates that kind of complexity.






share|improve this answer
























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f158397%2fhow-to-mitigate-error-kernel-nf-conntrack-table-full-dropping-packet%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    I had the same issue on servers running with Ubuntu 18.04. Even though the nf_conntrack module was not loaded at startup, later during traffic spikes, messages were dropped (nf_conntrack: table full, dropping packet).



    I'm not aware of a way to disable the functionality, but I ended up explicitly loading the module, so I could overwrite the table size.



    First, make sure that nf_conntrack gets immediately loaded by including it in /etc/modules:



    nf_conntrack


    Then increase its table size, which otherwise will depend on the memory size of the server, by overwriting the defaults in /etc/sysctl.conf:



    net.netfilter.nf_conntrack_max=262144
    net.nf_conntrack_max=262144


    To verify:



    $ cat /proc/sys/net/netfilter/nf_conntrack_max 
    262144


    As said, it was tested on Ubuntu 18.04, but I would expect it to work also on Debian.



    For some further background, why nf_conntrack might get later loaded, even if it is not present after booting up, this related answer has an example where the module gets automatically loaded when iptables is called. Adding it explicitly to /etc/modules eliminates that kind of complexity.






    share|improve this answer





























      1














      I had the same issue on servers running with Ubuntu 18.04. Even though the nf_conntrack module was not loaded at startup, later during traffic spikes, messages were dropped (nf_conntrack: table full, dropping packet).



      I'm not aware of a way to disable the functionality, but I ended up explicitly loading the module, so I could overwrite the table size.



      First, make sure that nf_conntrack gets immediately loaded by including it in /etc/modules:



      nf_conntrack


      Then increase its table size, which otherwise will depend on the memory size of the server, by overwriting the defaults in /etc/sysctl.conf:



      net.netfilter.nf_conntrack_max=262144
      net.nf_conntrack_max=262144


      To verify:



      $ cat /proc/sys/net/netfilter/nf_conntrack_max 
      262144


      As said, it was tested on Ubuntu 18.04, but I would expect it to work also on Debian.



      For some further background, why nf_conntrack might get later loaded, even if it is not present after booting up, this related answer has an example where the module gets automatically loaded when iptables is called. Adding it explicitly to /etc/modules eliminates that kind of complexity.






      share|improve this answer



























        1












        1








        1







        I had the same issue on servers running with Ubuntu 18.04. Even though the nf_conntrack module was not loaded at startup, later during traffic spikes, messages were dropped (nf_conntrack: table full, dropping packet).



        I'm not aware of a way to disable the functionality, but I ended up explicitly loading the module, so I could overwrite the table size.



        First, make sure that nf_conntrack gets immediately loaded by including it in /etc/modules:



        nf_conntrack


        Then increase its table size, which otherwise will depend on the memory size of the server, by overwriting the defaults in /etc/sysctl.conf:



        net.netfilter.nf_conntrack_max=262144
        net.nf_conntrack_max=262144


        To verify:



        $ cat /proc/sys/net/netfilter/nf_conntrack_max 
        262144


        As said, it was tested on Ubuntu 18.04, but I would expect it to work also on Debian.



        For some further background, why nf_conntrack might get later loaded, even if it is not present after booting up, this related answer has an example where the module gets automatically loaded when iptables is called. Adding it explicitly to /etc/modules eliminates that kind of complexity.






        share|improve this answer















        I had the same issue on servers running with Ubuntu 18.04. Even though the nf_conntrack module was not loaded at startup, later during traffic spikes, messages were dropped (nf_conntrack: table full, dropping packet).



        I'm not aware of a way to disable the functionality, but I ended up explicitly loading the module, so I could overwrite the table size.



        First, make sure that nf_conntrack gets immediately loaded by including it in /etc/modules:



        nf_conntrack


        Then increase its table size, which otherwise will depend on the memory size of the server, by overwriting the defaults in /etc/sysctl.conf:



        net.netfilter.nf_conntrack_max=262144
        net.nf_conntrack_max=262144


        To verify:



        $ cat /proc/sys/net/netfilter/nf_conntrack_max 
        262144


        As said, it was tested on Ubuntu 18.04, but I would expect it to work also on Debian.



        For some further background, why nf_conntrack might get later loaded, even if it is not present after booting up, this related answer has an example where the module gets automatically loaded when iptables is called. Adding it explicitly to /etc/modules eliminates that kind of complexity.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Feb 21 at 20:40

























        answered Feb 21 at 20:31









        Philipp ClaßenPhilipp Claßen

        1,43542032




        1,43542032



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f158397%2fhow-to-mitigate-error-kernel-nf-conntrack-table-full-dropping-packet%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            -

            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Sep 26 at 0:12 ToanLuong 49 9 add a comment  |  up vote 1 down vote favorite I'm using WordPress 4.9.8, CiviCRM to 5.5.1, I usually send email to contact by Search> Find contacts View contact details Action> Send email Send email ok, Contact received mail ok like picture But status only Email sent though contact read email or not. So, can CiviCRM can change status to Email read when contact read email? wordpress email share | improve this question asked Se
            Read more

            Bahrain

            Image
            For other uses, see Bahrain (disambiguation). Sovereign island state in the Persian Gulf Kingdom of Bahrain مملكة البحرين   (Arabic) Mamlakat al-Baḥrayn Flag Coat of arms Anthem:  نشيد البحرين الوطني Bahrainona Our Bahrain Location of   Bahrain    (circled in red) Capital and largest city Manama 26°13′N 50°35′E  /  26.217°N 50.583°E  / 26.217; 50.583 Official languages Arabic Ethnic groups (2010 [1] ) 50.7% Arab (46% Bahrani, 4.7% other Arabs) 45.5% Asian 1% European 1.2% Others Religion Islam Demonym(s) Bahraini Government Unitary constitutional monarchy • King Hamad bin Isa Al Khalifa • Crown Prince Salman bin Hamad bin Isa Al Khalifa • Prime Minister Khalifa bin Salman Al Khalifa Legislature National Assembly • Upper house Consultative Council • Lower house Council of Representatives Independence • Declared Independence [2] 14 August 1971 • from United Kingdom [1] 15 August 1971 • Admitted to the United Nations 21 September 1971 • Kingdom of Bahrain 14 February 2002
            Read more

            Postfix configuration issue with fips on centos 7; mailgun relay

            Image
            Clash Royale CLAN TAG #URR8PPP up vote 0 down vote favorite I am trying to setup postfix to relay all mail generated on the local machine via SMTP to a mailgun relay. I have used the mailgun relay before with success on an ubuntu server, but I am migrating to a Centos 7 server which I will be running in FIPS mode. There error log is below, slightly sanitized. I have a small enough network that I choose to have each machine reach out to mailgun individually (this the loopback-only, 127.0.0.0/8 restrictions) and no firewall open port allowing smtp in to the machine. I assume the FIPS mode (and with it disabling of MD5) is causing problems, but I don't know how to overcome it or if it is even possible for tls_fprint to use some supported hash such as sha256 or sha512. However, the relay=none is slightly concerning since I have relayhost set, but perhaps that is because the smtp process is failing? Any help would be appreciated! postconf -n: alias_database = hash:/etc/alia
            Read more