Fli
12-04-2015, 02:02 AM
How to solve the issue where /proc/net/nf_conntrack contains too many entries?
Show current conntrack entries count and the conntrack limit(max):
sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
Show head and tail of the conntrack:
head /proc/net/nf_conntrack && tail /proc/net/nf_conntrack
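If you see too many (ESTABLISHED, ASSURED) entries, it can mean the timeout on established connections is too high (it can also simply reflect a large number of genuinely open connections, so compare against the expected load before changing anything).
Check the current timeout values: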
sysctl -a | grep conn | grep time
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
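Make sure *timeout_established is lower than 432000 seconds (which is 5 days). I set it to 600 seconds (10 minutes), which might be extremely low: once an idle connection's entry expires it is no longer tracked, so a stateful firewall may drop its later packets unless keepalives are in use. Note that sysctl -w only changes the running value; it is lost on reboot unless it is also set in /etc/sysctl.conf or /etc/sysctl.d/:
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600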
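To prevent connection issues caused by a full conntrack table (max limit reached; the kernel logs "nf_conntrack: table full, dropping packet" when this happens), one may temporarily increase the conntrack limit. Each entry consumes kernel memory, and a value written this way does not survive a reboot: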
echo 66666 > /proc/sys/net/netfilter/nf_conntrack_max
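To reduce the conntrack table size, I did the following (note that deleting entries also removes the state of live connections, so established sessions to the server may be interrupted if the firewall only accepts tracked connections):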
yum install conntrack-tools # install conntrack tools
conntrack -D -d MYSERVERIP # delete conntrack entries where destination ip is my server ip
Show current conntrack entries count and the conntrack limit(max):
sysctl net.netfilter.nf_conntrack_count && sysctl net.nf_conntrack_max
Show head and tail of the conntrack:
head /proc/net/nf_conntrack && tail /proc/net/nf_conntrack
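If you see too many (ESTABLISHED, ASSURED) entries, it can mean the timeout on established connections is too high (it can also simply reflect a large number of genuinely open connections, so compare against the expected load before changing anything).
Check the current timeout values: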
sysctl -a | grep conn | grep time
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
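Make sure *timeout_established is lower than 432000 seconds (which is 5 days). I set it to 600 seconds (10 minutes), which might be extremely low: once an idle connection's entry expires it is no longer tracked, so a stateful firewall may drop its later packets unless keepalives are in use. Note that sysctl -w only changes the running value; it is lost on reboot unless it is also set in /etc/sysctl.conf or /etc/sysctl.d/:
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600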
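To prevent connection issues caused by a full conntrack table (max limit reached; the kernel logs "nf_conntrack: table full, dropping packet" when this happens), one may temporarily increase the conntrack limit. Each entry consumes kernel memory, and a value written this way does not survive a reboot: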
echo 66666 > /proc/sys/net/netfilter/nf_conntrack_max
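To reduce the conntrack table size, I did the following (note that deleting entries also removes the state of live connections, so established sessions to the server may be interrupted if the firewall only accepts tracked connections):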
yum install conntrack-tools # install conntrack tools
conntrack -D -d MYSERVERIP # delete conntrack entries where destination ip is my server ip