firewall packet drop at nf_conntrack

mada

Member
Aug 16, 2017
I have about 18 cluster servers. They all share the same firewall rules and all are OK except one node: once I enable the firewall, all connections drop, and in the logs:

Code:
Oct  4 05:31:29 xx kernel: [250319.678513] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:29 xx kernel: [250319.678799] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.679641] net_ratelimit: 7997 callbacks suppressed
Oct  4 05:31:34 xx kernel: [250324.679655] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.679796] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.680716] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.680754] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.681193] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.682704] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.683504] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.685001] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.687650] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.688099] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:39 xx kernel: [250329.683568] net_ratelimit: 7848 callbacks suppressed
Oct  4 05:31:39xx kernel: [250329.683581] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:39 xx kernel: [250329.690224] nf_conntrack: nf_conntrack: table full, dropping packet

Once I turn off the firewall, the packets are back to normal.


Code:
pveversion --v
proxmox-ve: 5.4-2 (running kernel: 4.15.18-21-pve)
pve-manager: 5.4-13 (running version: 5.4-13/aee6f0ec)
pve-kernel-4.15: 5.4-9
pve-kernel-4.15.18-21-pve: 4.15.18-48
pve-kernel-4.15.18-20-pve: 4.15.18-46
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: not correctly installed
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-12
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-55
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-14
libpve-storage-perl: 5.0-44
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-7
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-28
pve-cluster: 5.0-38
pve-container: 2.0-40
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-22
pve-firmware: 2.0-7
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-4
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-54
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
 
Hi,
you might want to increase the max number of connections to track in the firewall setting of the node. Also make sure the established connections are legit.
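
An added example, not part of the original thread: one way to carry out the two checks suggested in the reply above, comparing conntrack usage with the limit and grouping tracked entries by originating source and TCP state to judge whether they look legitimate. It assumes the standard Linux proc files `/proc/sys/net/netfilter/nf_conntrack_count`, `nf_conntrack_max` and `/proc/net/nf_conntrack`; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample entries are constructed.

# usage_pct COUNT MAX -> integer percentage of the conntrack table in use
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Reads entries in /proc/net/nf_conntrack format on stdin and prints
# "entries unreplied source state" per originating source, busiest first.
top_sources() {
    awk '{
        state = ($3 == "tcp") ? $6 : "-"    # only TCP entries carry a state
        src = ""
        for (i = 1; i <= NF; i++)           # first src= is the originator
            if ($i ~ /^src=/) { src = substr($i, 5); break }
        key = src " " state
        total[key]++
        if ($0 ~ /\[UNREPLIED\]/) unrep[key]++
    }
    END { for (k in total) print total[k], unrep[k] + 0, k }' |
    sort -k1,1nr -k3,3
}

# Constructed sample: one SSH session, one DNS lookup, and three
# unanswered SYNs from a single source (documentation address ranges).
sample_table() {
    cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.11 dst=198.51.100.5 sport=40000 dport=53 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=203.0.113.7 dst=198.51.100.5 sport=1025 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1025 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=198.51.100.5 sport=1026 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1026 mark=0 zone=0 use=2
ipv4     2 tcp      6 116 SYN_SENT src=203.0.113.7 dst=198.51.100.5 sport=1027 dport=80 [UNREPLIED] src=198.51.100.5 dst=203.0.113.7 sport=80 dport=1027 mark=0 zone=0 use=2
EOF
}

# "live" (as root on the affected node) reads the real table; otherwise the sample.
if [ "${1:-}" = "live" ]; then
    c=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    m=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "conntrack table: $c/$m ($(usage_pct "$c" "$m")%)"
    top_sources < /proc/net/nf_conntrack | head -n 20
else
    sample_table | top_sources
fi
```

A table dominated by a few sources with mostly unreplied entries suggests the traffic should be examined before the limit is raised; a broad spread of established sessions suggests the limit is simply too low for the node's load.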
 
