ip_conntrack: table full, dropping packet
At one point, there was high call volume into our support center of customers complaining about severe lag. One common denominator was that the customer base who called in happened to all reside on the same server, so investigation into the matter focused on that one particular system.
The server’s load average was really low, and had plenty of free RAM, though connectivity to customers hosted websites were lagging. After running dmesg, I noticed “ip_conntrack: table full, dropping packet”. After observing netstat -an for a bit, it was clear the server was being used to send SPAM. After blocking the connections and securing the customer SMTP passwords, the counts came down and the lag ceased.
The following command can be used to see what the max setting is for this kernel parameter:
To see how many you are using at present:
wc -l /proc/net/ip_conntrack
The setting can be adjusted, and if to be made permanent, make the change in /etc/sysctl.conf. In this example, the max setting is increased to 65535.
echo “net.ipv4.ip_conntrack_max = 65535” > /etc/sysctl.conf
To increase it temporarily (non-persistent across reboots)
echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max