Solution for ip_conntrack: table full, dropping packet.


Today, I was working on a brand new (Apache) server, hosting a website with 3000 concurrent visitors. The load on the server was very low while the website was dropping network connections. I ran dmesg and the following message was repeating over and over:

ip_conntrack: table full, dropping packet.

It seems that ip_conntrack keeps track of the state of the connections and gets filled up when you have a large number of connections.

With the following command you can check the current tracked connections:

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count

The result is probably close to the maximum number of tracked connections, which we can show with the following command:

# cat /proc/sys/net/ipv4/ip_conntrack_max

To get rid of the 'dropping packet' message you should raise this maximum. You can do this by running the following command:

# echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max

If you want to make this value permanent, you have to add the following line to /etc/sysctl.conf (without a leading #, which would turn the line into a comment):

net.ipv4.ip_conntrack_max=131072

Note: Adjust the value (131072) to suit your own needs. The higher the number, the more memory will be used.
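
The count and max checks above can be combined into a small monitoring script that warns before the table fills up and packets start being dropped. This is an added example, not part of the original post; the function names, the 80% warning threshold and the --check argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report conntrack table usage.

# first_readable FILE...: print the first argument that is a readable file.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# conntrack_usage COUNT MAX [WARN_PCT]: print "STATUS PCT% (COUNT/MAX)".
# Returns 0 = OK, 1 = WARN (at or above WARN_PCT, assumed default 80),
# 2 = FULL (packets are being dropped), 3 = unusable input.
conntrack_usage() {
    count=$1; max=$2; warn=${3:-80}
    for v in "$count" "$max" "$warn"; do
        case "$v" in
            ''|*[!0-9]*) echo "UNKNOWN non-numeric input"; return 3 ;;
        esac
    done
    if [ "$max" -eq 0 ]; then echo "UNKNOWN max is 0"; return 3; fi
    pct=$((count * 100 / max))
    if [ "$count" -ge "$max" ]; then status=FULL; rc=2
    elif [ "$pct" -ge "$warn" ]; then status=WARN; rc=1
    else status=OK; rc=0
    fi
    echo "$status ${pct}% ($count/$max)"
    return "$rc"
}

# check_conntrack [WARN_PCT]: read the live counters. The ip_conntrack paths
# are the ones on this page; the nf_conntrack paths are where newer kernels
# expose the same counters.
check_conntrack() {
    cf=$(first_readable /proc/sys/net/ipv4/netfilter/ip_conntrack_count \
        /proc/sys/net/netfilter/nf_conntrack_count) ||
        { echo "UNKNOWN no conntrack counter found"; return 3; }
    mf=$(first_readable /proc/sys/net/ipv4/ip_conntrack_max \
        /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
        /proc/sys/net/netfilter/nf_conntrack_max) ||
        { echo "UNKNOWN no conntrack max found"; return 3; }
    conntrack_usage "$(cat "$cf")" "$(cat "$mf")" "${1:-80}"
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_conntrack "${2:-80}"; fi
```

Run it with --check from cron or a monitoring agent; the exit code follows the usual 0/1/2/3 convention of monitoring plugins.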