ip_conntrack: table full, dropping packet

At one point, there was a high volume of calls into our support center from customers complaining about severe lag. One common denominator was that the customers who called in all happened to reside on the same server, so investigation into the matter focused on that one particular system.

The server's load average was really low and it had plenty of free RAM, though connectivity to customers' hosted websites was lagging. After running dmesg, I noticed "ip_conntrack: table full, dropping packet". After observing netstat -an for a bit, it was clear the server was being used to send SPAM. After blocking the connections and securing the customer SMTP passwords, the counts came down and the lag ceased.

The following command can be used to see what the max setting is for this kernel parameter:

/sbin/sysctl net.ipv4.ip_conntrack_max

or

cat /proc/sys/net/ipv4/ip_conntrack_max

To see how many you are using at present:

wc -l /proc/net/ip_conntrack

or

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

The setting can be adjusted; to make the change permanent, put it in /etc/sysctl.conf. In this example, the max setting is increased to 65535. Note the double `>>`: a single `>` would overwrite the file and discard every other setting in it. `sysctl -p` then reloads the file so the new value takes effect immediately.

echo "net.ipv4.ip_conntrack_max = 65535" >> /etc/sysctl.conf
/sbin/sysctl -p

To increase it temporarily (not persistent across reboots):

echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max
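A small monitoring helper, added here as an example and not part of the original post: it turns the max and count readings above into a utilization percentage with an alert threshold, and counts "table full, dropping packet" lines in kernel log text, so the condition can be caught before customers call in. It checks the ip_conntrack paths from the post and the newer nf_conntrack paths under /proc/sys/net/netfilter that replaced them on later kernels; the dmesg lines and the 80% threshold are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): conntrack utilization check plus a
# counter for "table full" drops; handles the ip_conntrack and nf_conntrack paths.

# Print the first readable file among the arguments (the counters live at
# different paths depending on kernel version).
read_first() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; return 0; fi
    done
    return 1
}

# Integer percentage of the conntrack table in use: count * 100 / max.
conntrack_pct() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when utilization is at or above the threshold percentage.
conntrack_over() {
    pct=$(conntrack_pct "$1" "$2") || return 1
    [ "$pct" -ge "$3" ]
}

# Count "table full, dropping packet" lines in kernel log text read from stdin.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Live check against this host's counters, when they are present.
live_check() {
    max=$(read_first /proc/sys/net/netfilter/nf_conntrack_max \
                     /proc/sys/net/ipv4/ip_conntrack_max) || return 2
    cnt=$(read_first /proc/sys/net/netfilter/nf_conntrack_count \
                     /proc/sys/net/ipv4/netfilter/ip_conntrack_count) || return 2
    echo "conntrack: $cnt / $max ($(conntrack_pct "$cnt" "$max")%)"
    conntrack_over "$cnt" "$max" 80 && echo "WARNING: conntrack table above 80%"
    return 0
}

# Constructed sample dmesg output (not a real capture) for the log counter.
SAMPLE_DMESG='eth0: link up
ip_conntrack: table full, dropping packet
ip_conntrack: table full, dropping packet
nf_conntrack: table full, dropping packet'

echo "sample dmesg: $(printf '%s\n' "$SAMPLE_DMESG" | count_table_full) drop messages"
live_check || echo "conntrack counters not readable on this host"
```

Run it from cron or a monitoring agent and alert on the WARNING line; a sustained count near max together with a rising drop count is the same signature the post describes.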
