"nf_conntrack: table full, dropping packet" even though nf_conntrack_count is much less than nf_conntrack_max

Solution 1:

I had the same issue a while back on a Squid system.

One of the most effective ways I found to reduce the size of the conntrack table was to reduce the default TCP timeout in the kernel.

The net.netfilter.nf_conntrack_tcp_timeout_established is set to 432000 by default. That's right...that's 5 days.

To set the value you can issue the following command:

sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=X

And if you want that change to be persistent you need to add the line to /etc/sysctl.conf.

After reducing that value to 600 the conntrack count was steadily going down over a couple of days.

I used sysctl net.netfilter.nf_conntrack_max and sysctl net.netfilter.nf_conntrack_count in order to get the values.
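An added example, not part of the answer above, showing how to see what the timeout change in that answer actually buys you. The function names, the sample table dump and the 60000/65536 count are all constructed for illustration. The `/proc/net/nf_conntrack` dump format (l3 proto, l3 number, l4 proto, l4 number, seconds until the entry expires, TCP state, tuples) is the real one; the sample lines are made up. The remaining-timeout column is the interesting part: an ESTABLISHED entry with more seconds left than your new timeout was last refreshed under the old 5-day default and will only go away when it expires or sees traffic again, which is why the count drops gradually rather than at once.

```sh
#!/bin/sh
# Added example (not from the original answer): summarise a conntrack table
# dump and count how many ESTABLISHED entries still carry the long default
# timeout. Helper names are hypothetical.

# Constructed sample in /proc/net/nf_conntrack format (not captured from a
# real host). Column 5 is seconds until the entry expires, column 6 the TCP state.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=52114 dport=3128 src=10.0.0.9 dst=10.0.0.5 sport=3128 dport=52114 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 300000 ESTABLISHED src=10.0.0.6 dst=10.0.0.9 sport=41002 dport=3128 src=10.0.0.9 dst=10.0.0.6 sport=3128 dport=41002 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 120 ESTABLISHED src=10.0.0.7 dst=10.0.0.9 sport=35510 dport=3128 src=10.0.0.9 dst=10.0.0.7 sport=3128 dport=35510 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.8 dst=10.0.0.9 sport=50020 dport=3128 src=10.0.0.9 dst=10.0.0.8 sport=3128 dport=50020 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1'

# count_tcp_state STATE : number of TCP entries in STATE, dump read from stdin.
count_tcp_state() {
    awk -v st="$1" '$3 == "tcp" && $6 == st { n++ } END { print n + 0 }'
}

# count_established_over SECONDS : ESTABLISHED TCP entries whose remaining
# timeout exceeds SECONDS. With SECONDS set to the timeout you are about to
# configure, these are the entries that were refreshed under the old default
# and will linger until they expire or see another packet.
count_established_over() {
    awk -v lim="$1" '$3 == "tcp" && $6 == "ESTABLISHED" && $5 > lim { n++ } END { print n + 0 }'
}

# conntrack_utilisation COUNT MAX : integer percentage of the table in use.
conntrack_utilisation() {
    echo $(( $1 * 100 / $2 ))
}

# apply_tcp_established_timeout SECONDS : set the sysctl now and persist it in
# /etc/sysctl.conf without leaving duplicate lines. Needs root; never called
# automatically here.
apply_tcp_established_timeout() {
    key=net.netfilter.nf_conntrack_tcp_timeout_established
    sysctl -w "$key=$1"
    if grep -q "^$key" /etc/sysctl.conf; then
        sed -i "s|^$key.*|$key = $1|" /etc/sysctl.conf
    else
        printf '%s = %s\n' "$key" "$1" >> /etc/sysctl.conf
    fi
}

# live_summary NEW_TIMEOUT : run the same counts against the real kernel table.
live_summary() {
    cnt=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "conntrack: $cnt of $max entries ($(conntrack_utilisation "$cnt" "$max")%)"
    echo "ESTABLISHED: $(count_tcp_state ESTABLISHED < /proc/net/nf_conntrack)"
    echo "TIME_WAIT:   $(count_tcp_state TIME_WAIT < /proc/net/nf_conntrack)"
    echo "ESTABLISHED with more than $1s left: $(count_established_over "$1" < /proc/net/nf_conntrack)"
}

# Offline demonstration on the constructed sample.
sample_established()      { printf '%s\n' "$SAMPLE_CONNTRACK" | count_tcp_state ESTABLISHED; }
sample_time_wait()        { printf '%s\n' "$SAMPLE_CONNTRACK" | count_tcp_state TIME_WAIT; }
sample_stale_established() { printf '%s\n' "$SAMPLE_CONNTRACK" | count_established_over 600; }

if [ "${1:-}" = live ] && [ -r /proc/net/nf_conntrack ]; then
    live_summary "${2:-600}"
else
    echo "sample ESTABLISHED: $(sample_established)"
    echo "sample TIME_WAIT:   $(sample_time_wait)"
    echo "sample ESTABLISHED still carrying the 5-day timeout (>600s left): $(sample_stale_established)"
fi
```

Run it with no arguments to see the counts on the constructed sample, or as `sh script.sh live 600` on a Linux host with the conntrack module loaded to get the same summary for the real table. The stale-entry count is what to watch after you lower the timeout: it should trend to zero as those entries expire, tracking the gradual decrease in nf_conntrack_count described in the answer.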