How to fix the error “nf_conntrack: table full, dropping packet”

On an Ubuntu Server 14.04 LTS machine configured as a router I once found the following error in /var/log/kern.log:

Aug 14 17:32:51 router kernel: [1933791.144013] nf_conntrack: table full, dropping packet

The message means that the connection tracking table (used by stateful iptables rules and by NAT) has reached its limit, nf_conntrack_max, so every packet that would need a new entry is dropped. First check the current maximum number of tracked connections:

cat /proc/sys/net/netfilter/nf_conntrack_max
sysctl -a | grep conntrack_max

Then check how many entries are in use right now:

cat /proc/sys/net/netfilter/nf_conntrack_count

Now raise nf_conntrack_max and, with it, the size of the hash table; the rule of thumb used here is hashsize = nf_conntrack_max / 8 (both commands need root). Each tracked connection occupies a few hundred bytes of kernel memory (the exact object size is shown on the nf_conntrack line of /proc/slabinfo), so a table of 4 million entries can consume more than 1 GB of RAM; pick a value your router actually has the memory for, rather than simply the largest one that silences the message.

echo "4194304" > /proc/sys/net/netfilter/nf_conntrack_max
echo "524288" > /sys/module/nf_conntrack/parameters/hashsize

To keep the values across reboots, add the two commands above to the file:

sudo nano /etc/rc.local

Or persist nf_conntrack_max in the sysctl configuration file (hashsize is a module parameter, not a sysctl, so it has to stay in rc.local or be passed as a module option under /etc/modprobe.d):

sudo nano /etc/sysctl.conf

Add or change the line:

net.netfilter.nf_conntrack_max = 4194304

And apply the settings (the key only exists while the nf_conntrack module is loaded, so sysctl -p fails with an error if you run it before the firewall rules have loaded the module):

sysctl -p
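As an added example (not part of the original article or of any Ubuntu tooling), here is a small POSIX sh script that puts the checks above into functions: it reports how full the table is, warns before it reaches the limit, derives the hashsize with the same max/8 rule, and estimates the memory cost of a given maximum. The CT_*_FILE variables and the 320-byte per-entry default are this script's own assumptions, not kernel interfaces; read the real object size from the nf_conntrack line of /proc/slabinfo on the host you are tuning.

```shell
#!/bin/sh
# Added example, not from the original article: check how full the conntrack
# table is, derive the matching hashsize, and optionally apply new values.
# The file paths can be overridden (CT_MAX_FILE, CT_COUNT_FILE, CT_HASH_FILE)
# so the arithmetic can be exercised on a box without the module loaded;
# those variable names are this script's own, not kernel interfaces.

CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"
CT_COUNT_FILE="${CT_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}"
CT_HASH_FILE="${CT_HASH_FILE:-/sys/module/nf_conntrack/parameters/hashsize}"

# Percentage of the table in use, integer arithmetic only (no bc needed).
conntrack_usage_percent() {
    max=$1
    count=$2
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    echo $(( count * 100 / max ))
}

# Hash bucket count following the article's rule of thumb: hashsize = max / 8.
conntrack_hashsize_for() {
    echo $(( $1 / 8 ))
}

# Approximate RAM a full table can consume, in MiB.  The per-entry size is an
# argument: take it from the objsize column of the nf_conntrack line in
# /proc/slabinfo on the target host; 320 is only a placeholder default,
# not a kernel constant.
conntrack_mem_mib() {
    max=$1
    per_entry=${2:-320}
    echo $(( max * per_entry / 1024 / 1024 ))
}

# Exit 0 if usage is below THRESHOLD percent, 1 if at or above it, and 2 if
# the conntrack files are absent (module not loaded, so nothing is tracked).
conntrack_check() {
    threshold=${1:-80}
    [ -r "$CT_MAX_FILE" ] && [ -r "$CT_COUNT_FILE" ] || {
        echo "nf_conntrack sysctls not present (module not loaded?)" >&2
        return 2
    }
    max=$(cat "$CT_MAX_FILE")
    count=$(cat "$CT_COUNT_FILE")
    pct=$(conntrack_usage_percent "$max" "$count") || return 2
    echo "conntrack: $count / $max entries ($pct%)"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: above ${threshold}%; raise nf_conntrack_max" \
             "(matching hashsize for the current max: $(conntrack_hashsize_for "$max"))" >&2
        return 1
    fi
    return 0
}

# Apply a new maximum and the matching hashsize at runtime (needs root).
# sysctl -w is used instead of echo > /proc so a mistyped key fails loudly.
conntrack_apply() {
    max=$1
    sysctl -w net.netfilter.nf_conntrack_max="$max" &&
    echo "$(conntrack_hashsize_for "$max")" > "$CT_HASH_FILE"
}

case "${1:-}" in
    check) conntrack_check "${2:-80}" ;;
    apply) conntrack_apply "$2" ;;
    "")    ;;   # no arguments: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 check [PERCENT] | apply MAX" >&2; exit 2 ;;
esac
```

Saved under a name of your choosing (the examples below assume conntrack-check.sh), `sh conntrack-check.sh check 80` can run from cron or a Zabbix user parameter to warn before the table fills, and `sh conntrack-check.sh apply 4194304` as root applies new values at runtime; persist them afterwards as described above, since neither value survives a reboot on its own.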

See also my articles:
Tuning nf_conntrack
Monitoring nf_conntrack in Zabbix
