How to Fix nf_conntrack Table Full Dropping Packet


Issue

Your server might be logging a large number of messages like the following in /var/log/messages:

nf_conntrack: table full, dropping packet

This indicates that the kernel's connection tracking table is full: the number of tracked connections has reached nf_conntrack_max, so netfilter drops new packets instead of tracking them. It usually means that a large number of connections are coming into the server.

The default nf_conntrack_max value on CentOS is 65536.

While this is normally OK for a lightly used server, servers that experience a heavy amount of traffic may need to increase this value.

How To Fix

You may need to temporarily or permanently increase this value. You should consult with a qualified systems administrator before making these changes.

Check how many active connections are being tracked.

cat /proc/sys/net/netfilter/nf_conntrack_count

Check the current max value of nf_conntrack

cat /proc/sys/net/netfilter/nf_conntrack_max

Change the value temporarily to something higher (note that increasing this number will likely increase system resource usage and load, because the kernel will be tracking more connections at a time):

echo 524288 > /proc/sys/net/netfilter/nf_conntrack_max

To make this change permanent, add the following line to the end of /etc/sysctl.conf:

net.netfilter.nf_conntrack_max = 524288

To help lessen the impact of a large number of connections, you may also want to reduce the time the server waits before it times out and closes connections, so that entries leave the tracking table sooner.

To do this, add the following lines to the end of /etc/sysctl.conf:

net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
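The steps above, combined into one small POSIX shell script as an added example (this is not code from the original article): it reads nf_conntrack_count and nf_conntrack_max, reports how full the tracking table is, counts the "table full" drops in a log file such as /var/log/messages, performs the temporary raise, and prints the sysctl.conf lines given in this article. The function names, the PROC_NF override (so the script can be exercised against a constructed directory instead of the real /proc), the 80% warning threshold and the sample values in the demo are assumptions made for the example; the paths default to the real ones used above.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a Linux host with the
# netfilter conntrack module loaded. PROC_NF defaults to the real sysctl path;
# override it to point at a directory of constructed files for testing.
PROC_NF="${PROC_NF:-/proc/sys/net/netfilter}"

# Print the integer usage percentage of the tracking table (count*100/max).
conntrack_usage_pct() {
    count=$(cat "$PROC_NF/nf_conntrack_count") || return 1
    max=$(cat "$PROC_NF/nf_conntrack_max") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Return 0 when usage is below the threshold percentage (default 80), else 1.
conntrack_is_healthy() {
    threshold="${1:-80}"
    pct=$(conntrack_usage_pct) || return 1
    [ "$pct" -lt "$threshold" ]
}

# Count "table full, dropping packet" lines in a log file (e.g. /var/log/messages).
count_conntrack_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Temporary raise, the same as "echo 524288 > .../nf_conntrack_max" (needs root
# on a real host; the change is lost at reboot).
set_conntrack_max_now() {
    echo "$1" > "$PROC_NF/nf_conntrack_max"
}

# Print the lines from the article to append to /etc/sysctl.conf.
conntrack_sysctl_lines() {
    max="${1:-524288}"
    timeout="${2:-60}"
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$max"
    for state in close_wait fin_wait time_wait; do
        printf 'net.netfilter.nf_conntrack_tcp_timeout_%s = %s\n' "$state" "$timeout"
    done
}

# Human-readable report: current usage, and the suggested settings when the
# table is close to full.
conntrack_report() {
    count=$(cat "$PROC_NF/nf_conntrack_count")
    max=$(cat "$PROC_NF/nf_conntrack_max")
    echo "tracked connections: $count / $max ($(conntrack_usage_pct)% used)"
    if conntrack_is_healthy 80; then
        echo "table usage is below 80%"
    else
        echo "table usage is at or above 80%; consider raising nf_conntrack_max:"
        conntrack_sysctl_lines 524288 60
    fi
}

# Offline demo using constructed values (no real /proc access): a table that is
# 60000/65536 full and a constructed log with three drop messages.
conntrack_demo() {
    demo_dir=$(mktemp -d)
    printf '60000\n' > "$demo_dir/nf_conntrack_count"
    printf '65536\n' > "$demo_dir/nf_conntrack_max"
    printf '%s\n' \
        'Jan  1 00:00:01 host kernel: nf_conntrack: table full, dropping packet' \
        'Jan  1 00:00:01 host kernel: nf_conntrack: table full, dropping packet' \
        'Jan  1 00:00:02 host sshd[1]: Accepted publickey for admin' \
        'Jan  1 00:00:03 host kernel: nf_conntrack: table full, dropping packet' \
        > "$demo_dir/messages"
    echo "drops logged in constructed messages file: $(count_conntrack_drops "$demo_dir/messages")"
    PROC_NF="$demo_dir" conntrack_report
    rm -rf "$demo_dir"
}

case "${1:-}" in
    report) conntrack_report ;;   # ./conntrack_check.sh report  (on a real host)
    demo)   conntrack_demo ;;     # ./conntrack_check.sh demo    (constructed data)
esac
```

The lines printed by conntrack_sysctl_lines are the ones to append to /etc/sysctl.conf; they are loaded with `sysctl -p` or at the next boot, while set_conntrack_max_now only changes the running kernel. conntrack_is_healthy is the piece worth wiring into monitoring, since a table that is steadily near its limit is the warning sign before the drops appear in the log.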

Still need help applying this fix? Contact Us and Kodeslogic experts will be happy to help you.


Kodeslogic Web Solutions

Kodeslogic Web Solutions is one of the most trusted server support companies providing outsourced web hosting technical support.