5.1.3.2.1.15. Conntrack table full

To verify whether there is a problem with the conntrack component in ON Core, check if the system is still able to establish new connections.

If the conntrack table is full, you should see something like this:

grep kern /var/log/messages

Sep  6 13:40:30 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:30 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:30 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:30 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:31 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:31 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:31 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:31 oncore02trunk kernel: nf_conntrack: table full, dropping packet.
Sep  6 13:40:32 oncore02trunk kernel: nf_conntrack: table full, dropping packet.

To check the current state, read the number of connections the kernel is tracking right now:

cat /proc/sys/net/netfilter/nf_conntrack_count

and compare it with the maximum number of entries the table can hold:

cat /proc/sys/net/nf_conntrack_max

Note

If needed, increase the maximum value.

The kernel parameter net.nf_conntrack_max (set through the NF_CONNTRACK_MAX variable in the commands below) defines how many sessions the system can track at the same time, so increasing it resolves the problem. Each tracked connection consumes kernel memory, so size the new value to the RAM available on the node.

NF_CONNTRACK_MAX=262144
if grep -q "^net.nf_conntrack_max" /etc/sysctl.conf; then  # update the existing entry in place
    sed -i "s/^net.nf_conntrack_max[ \t]*=.*/net.nf_conntrack_max = ${NF_CONNTRACK_MAX}/" /etc/sysctl.conf
else printf '\n# Increase conntrack max value\nnet.nf_conntrack_max = %s\n' "${NF_CONNTRACK_MAX}" >> /etc/sysctl.conf  # or append it
fi
sysctl -p
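As an added example that is not part of the ON Core documentation, the following POSIX shell functions combine the three checks above (kernel log, current count, maximum) into one health check that a monitoring job can run on the node. The 80 percent warning threshold, the function names and the use of /var/log/messages as the default log are assumptions.

```shell
#!/bin/sh
# Added example, not ON Core's own tooling. Every function takes its input
# files as parameters (defaulting to the real /proc files) so the logic can be
# exercised against constructed input as well as on a live node.

# Print how many "table full" events the kernel logged in the given file.
# A missing file or no matches yields 0 rather than a non-zero exit status.
count_table_full() {
    n=$(grep -c 'nf_conntrack: table full, dropping packet' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Print conntrack table usage as an integer percentage (count * 100 / max).
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/nf_conntrack_max}
    count=$(cat "$count_file" 2>/dev/null)
    max=$(cat "$max_file" 2>/dev/null)
    [ -n "$count" ] && [ -n "$max" ] && [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Classify the node and return a Nagios-style exit code:
#   0 = OK, 1 = WARN (usage at or above threshold), 2 = CRIT (kernel is
#   already dropping packets, or the counters cannot be read).
# Arguments: count file, max file, kernel log, threshold percent (default 80).
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || { echo CRIT; return 2; }
    drops=$(count_table_full "$3")
    if [ "$drops" -gt 0 ]; then echo CRIT; return 2; fi
    if [ "$pct" -ge "${4:-80}" ]; then echo WARN; return 1; fi
    echo OK
}

# When run directly on a node, report the live status; the exit code mirrors it.
if [ -z "$CONNTRACK_CHECK_LIB" ] && [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
    conntrack_status "" "" /var/log/messages
fi
```

Set CONNTRACK_CHECK_LIB to any value to source the file for its functions without running the live check.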