[SOLVED] I've error kernel: nf_conntrack: nf_conntrack: table full, dropping packet in syslog.

totae

New Member
May 27, 2023
8
1
3
Hello,

I found message " kernel: nf_conntrack: nf_conntrack: table full, dropping packet " in syslog.

and I have increase value nf_contrack but still show the message.

root@node06:~# cat /proc/sys/net/netfilter/nf_conntrack_count
5066477
root@node06:~# cat /proc/sys/net/netfilter/nf_conntrack_max
8192000
1691463914868.png
Could you please suggest for check the problem.


Best regards,
 
Hello,

Look at:

https://pc-freak.net/blog/resolving...cket-flood-message-in-dmesg-linux-kernel-log/


On PROXMOX default value of the variable

Code:
nf_conntrack_tcp_timeout_established=432000    # 5 days

You have it set to 8192000, it's too much.

If you increase the parameter nf_conntrack_max value via GUI
value hashzise will be automatically recalculated according to the formula
hashsize=nf_conntrack_max/4
therefore you don't need to change it.

I suggest to set:
Code:
nf_conntrack_tcp_timeout_established = 86400     # 1 day
nf_conntrack_generic_timeout = 120               # 2 minutes

Vlodek
 
Hello Vlodek,

Updated , I found our VMs have virus and send many traffic to public.

I've drop they VMs, it's work.

Thank you.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!