ip_conntrack: CT 0: table full, dropping packet

Problem: ip_conntrack table full in CentOS

tail /var/log/messages
kernel: printk: 125 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 99 messages suppressed.
kernel: ip_conntrack: CT 0: table full, dropping packet.
kernel: printk: 94 messages suppressed.
...

#check max ip_conntrack

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536
#or
sysctl net.ipv4.netfilter.ip_conntrack_max
net.ipv4.netfilter.ip_conntrack_max = 65536

#check ip_conntrack

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
65536
#or
wc -l /proc/net/ip_conntrack
65536 /proc/net/ip_conntrack

Solutions: 1.Add max ip_conntrack / 2. Remove the tracking with iptables
1.add max ip_conntrack

sysctl -w net.ipv4.netfilter.ip_conntrack_max=131072
net.ipv4.netfilter.ip_conntrack_max = 131072
#or
echo "net.ipv4.netfilter.ip_conntrack_max = 131072" >> /etc/sysctl.conf
/sbin/sysctl -p

*when You tried and found out that after server rebooted, ip_conntrack_max still use default value. Add the following in the /etc/rc.local file.

echo "net.ipv4.netfilter.ip_conntrack_max = 65535" >> /etc/sysctl.conf
/sbin/sysctl -w
/sbin/sysctl -p

2. remove the tracking with iptables

iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK
service iptables save

check ip_conntrack again.

 September 21, 2010

 Blog | #CentOS #Command

	Facebook Twitter Line It Telegram Pinterest Email