nat table full but nf_conntrack_max is being reset by ...?

Adrian Holte

Jun 8, 2016
Hi all,

following problem:

the conntrack table on the Proxmox v4 instances is getting full, with all the typical symptoms like

"
[ 3414.977914] nf_conntrack: table full, dropping packet
[ 3414.977952] nf_conntrack: table full, dropping packet
[ 3414.977989] nf_conntrack: table full, dropping packet
[ 3414.978026] nf_conntrack: table full, dropping packet
[ 3414.978063] nf_conntrack: table full, dropping packet
[ 3420.196220] net_ratelimit: 271 callbacks suppressed
[ 3420.196256] nf_conntrack: table full, dropping packet
[ 3420.196296] nf_conntrack: table full, dropping packet
[ 3420.196349] nf_conntrack: table full, dropping packet
[ 3420.196388] nf_conntrack: table full, dropping packet
[ 3420.197424] nf_conntrack: table full, dropping packet
[ 3420.197466] nf_conntrack: table full, dropping packet
[ 3420.198579] nf_conntrack: table full, dropping packet
[ 3420.198642] nf_conntrack: table full, dropping packet
[ 3420.198683] nf_conntrack: table full, dropping packet
[ 3420.199286] nf_conntrack: table full, dropping packet
"

messages, connectivity problems etc.

I know what to do in such cases, I've done it many times before.
But.

Here, on the Proxmox server, when I set the nf_conntrack_max value using

sysctl -w net.netfilter.nf_conntrack_max=300000

the value is BEING RESET several seconds later back to the default of 65536.

Question is - by which of the Proxmox services is it done???
PVE-Firewall, would be my assumption.

Then, how can it be "persisted"??

Thanks a lot!

Greetings
 
If you use the PVE firewall then it's controlled by that, too.
Check: Datacenter => $YourNode => Firewall => Options => nf_conntrack_max
 
Well, if I turn off the "pve-firewall" and change the value, then it remains untouched.

So it's definitely the "pve-firewall"'s "fault".

Will try to find out how to circumvent it or to configure it...