[SOLVED] I've error kernel: nf_conntrack: nf_conntrack: table full, dropping packet in syslog.

totae

May 27, 2023
Hello,

I found the message "kernel: nf_conntrack: nf_conntrack: table full, dropping packet" in syslog.

I have increased the nf_conntrack value, but the message still shows.

root@node06:~# cat /proc/sys/net/netfilter/nf_conntrack_count
5066477
root@node06:~# cat /proc/sys/net/netfilter/nf_conntrack_max
8192000
Could you please suggest how to check the problem.


Best regards,
 
Hello,

Look at:

https://pc-freak.net/blog/resolving...cket-flood-message-in-dmesg-linux-kernel-log/


On PROXMOX the default value of the variable is:

Code:
nf_conntrack_tcp_timeout_established=432000    # 5 days

You have it set to 8192000; that's too much.

If you increase the nf_conntrack_max parameter value via the GUI,
the hashsize value will be recalculated automatically according to the formula
hashsize=nf_conntrack_max/4
therefore you don't need to change it.

I suggest setting:
Code:
nf_conntrack_tcp_timeout_established = 86400     # 1 day
nf_conntrack_generic_timeout = 120               # 2 minutes

Vlodek
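An added example, not part of the thread or of Proxmox: a small POSIX sh script that performs the two checks this problem calls for, how full the conntrack table is relative to nf_conntrack_max (with the hashsize = max/4 relation from the reply), and which source addresses own the most tracked flows, which is how a VM flooding outbound connections shows up. The /proc/net/nf_conntrack line format and the sample entries are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks for the
# "nf_conntrack: table full, dropping packet" situation.

# $1 = nf_conntrack_count, $2 = nf_conntrack_max. Prints integer percent used.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# hashsize derived from nf_conntrack_max (max / 4), as stated in the reply.
conntrack_hashsize() {
    echo $(( $1 / 4 ))
}

# $1 = count, $2 = max, $3 = warning threshold in percent.
# Returns 1 when usage is at or above the threshold, 0 otherwise.
conntrack_check() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge "$3" ]; then
        echo "WARN: conntrack table ${pct}% full ($1/$2)"
        return 1
    fi
    echo "OK: conntrack table ${pct}% full ($1/$2)"
    return 0
}

# Reads /proc/net/nf_conntrack-style lines on stdin and prints "<flows> <src>"
# sorted descending. Only the first src= (original direction) of each entry is
# counted, so the reply direction is not counted a second time.
top_conntrack_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub("src=", "", $i); n[$i]++; break } }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Constructed sample entries (not real data): 10.0.0.5 is the flooding VM,
# 10.0.0.6 is a normal host.
SAMPLE_CONNTRACK='ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=40001 [ASSURED] use=1
ipv4 2 tcp 6 119 SYN_SENT src=10.0.0.5 dst=203.0.113.11 sport=40002 dport=25 [UNREPLIED] src=203.0.113.11 dst=10.0.0.5 sport=25 dport=40002 use=1
ipv4 2 udp 17 29 src=10.0.0.5 dst=203.0.113.12 sport=40003 dport=53 src=203.0.113.12 dst=10.0.0.5 sport=53 dport=40003 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.6 dst=203.0.113.13 sport=50001 dport=443 src=203.0.113.13 dst=10.0.0.6 sport=443 dport=50001 [ASSURED] use=1'

# Numbers from the thread: 5066477 entries tracked of 8192000 allowed.
conntrack_check 5066477 8192000 80 || true
echo "hashsize implied by nf_conntrack_max: $(conntrack_hashsize 8192000)"
echo "$SAMPLE_CONNTRACK" | top_conntrack_sources | head -n 3
```

On a live host, replace the sample with `cat /proc/net/nf_conntrack | top_conntrack_sources` and feed `conntrack_check` the values from /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max.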
 
Hello Vlodek,

Update: I found our VMs had a virus and were sending a lot of traffic to the public.

I've dropped those VMs, and it works.

Thank you.