nf_conntrack: table full, dropping packet

On a CentOS server, I get the following error in /var/log/messages:

Jan 17 03:40:02 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet

This means the connection-tracking table is full: the server is handling more connections than nf_conntrack can track. This can be due to a busy server or a DDoS attack.

If your traffic is legitimate, you can increase the maximum number of tracked connections.

To see the current value, run

cat /proc/sys/net/netfilter/nf_conntrack_max

To set a value, run

echo 64000 > /proc/sys/net/netfilter/nf_conntrack_max

Replace 64000 with your desired value.

You can also use sysctl, for example

sysctl -a | grep nf_conntrack_max

To set a value, run

sysctl -w net.netfilter.nf_conntrack_max=120000

To make it permanent, edit

vi /etc/sysctl.conf

Add

net.netfilter.nf_conntrack_max=120000

Now run

sysctl -p
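As an added example (not from the original post), the following POSIX shell script reads how full the table is from the /proc files named above and counts "table full" drops per minute in a log excerpt, which helps tell a sudden burst from a steady load before you raise the limit. It assumes the nf_conntrack module is loaded when the live check is used; the log lines in the script are constructed sample data.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Live check assumes nf_conntrack is loaded (the /proc files exist).

# Percentage of the table in use, given nf_conntrack_count and nf_conntrack_max.
conntrack_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Live check: prints "count max pct" from /proc/sys/net/netfilter.
conntrack_live() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] || { echo "nf_conntrack not loaded" >&2; return 1; }
    c=$(cat "$d/nf_conntrack_count"); m=$(cat "$d/nf_conntrack_max")
    echo "$c $m $(conntrack_pct "$c" "$m")"
}

# Count "nf_conntrack: table full" lines per minute from stdin, so a short
# burst (possible flood) can be told apart from a steady, legitimate load.
drops_per_minute() {
    grep 'nf_conntrack: table full' |
        awk '{ sub(/:[0-9][0-9]$/, "", $3); n[$1 " " $2 " " $3]++ }
             END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample lines in /var/log/messages format (not a real capture).
SAMPLE_LOG='Jan 17 03:40:02 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:40:03 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:41:10 ss1 kernel: nf_conntrack: table full, dropping packet
Jan 17 03:41:11 ss1 kernel: sshd[123]: unrelated line'

# Usage: sh conntrack_check.sh --live   (on the server)
#        sh conntrack_check.sh          (runs on the sample log only)
if [ "${1:-}" = "--live" ]; then conntrack_live; fi
printf '%s\n' "$SAMPLE_LOG" | drops_per_minute
```

The kernel hashes entries into nf_conntrack_buckets (the module's hashsize), so raising nf_conntrack_max far above it makes lookups slower, and each tracked entry costs memory; size the table to what the host can hold.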

See sysctl
