
What should I do if the NAT hash table is full and the Linux server loses packets?

2025-02-27 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02

This article covers what to do when a full NAT hash table causes packet loss on a Linux server. Many people may not be familiar with the problem, so the editor has summarized the following for you, and I hope you gain something from it.

Problem phenomenon

The Linux server drops packets intermittently and the instance cannot be reached. Tools such as tracert and mtr show no anomaly on the external network. At the same time, a large number of error messages like the following are repeated in the system log.

Feb 6 16:05:07 <hostname> kernel: nf_conntrack: table full, dropping packet.
Feb 6 16:05:07 <hostname> kernel: nf_conntrack: table full, dropping packet.
Feb 6 16:05:07 <hostname> kernel: nf_conntrack: table full, dropping packet.
Feb 6 16:05:07 <hostname> kernel: nf_conntrack: table full, dropping packet.

Cause analysis

ip_conntrack is the module that NAT uses in Linux to track connection entries. The ip_conntrack module uses a hash table to record TCP "established connection" entries, and when the hash table is full, the kernel reports the "nf_conntrack: table full, dropping packet" error. Linux sets aside space to maintain each TCP connection; the size of that space is determined by the nf_conntrack_buckets and nf_conntrack_max parameters. The default value of the latter is 4 times that of the former, so the general recommendation is to increase the nf_conntrack_max value.

Note: maintaining connection entries consumes memory, so increase the nf_conntrack_max parameter when the system is idle and has sufficient memory, and choose the value according to the system's situation.

Solution method

Log in to the Linux server and execute the following command to edit the system kernel configuration.

vi /etc/sysctl.conf

Modify the hash table entry maximum parameter net.netfilter.nf_conntrack_max to 655350.

Modify the timeout parameter net.netfilter.nf_conntrack_tcp_timeout_established to 1200; the default timeout is 432000 seconds.

Execute the sysctl -p command to make the configuration take effect.
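After the change, it is worth confirming that the running kernel uses the value written to /etc/sysctl.conf and that the table has headroom. The script below is an added example, not part of the original article; the function names and the 80% warning threshold are assumptions, while nf_conntrack_count and nf_conntrack_max under /proc/sys/net/netfilter are the kernel's own counters.

```shell
#!/bin/sh
# Added example (not from the original article): check conntrack tuning and pressure.
# Files are passed as arguments so the functions also work on copies or test data.

# Last value assigned to KEY ($2) in a sysctl.conf-style FILE ($1); comments are skipped.
conf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t\r]/, "", v) }
        k == key { val = v }
        END { print val }' "$1"
}

# Integer percentage of the table in use: usage_pct COUNT MAX.
usage_pct() {
    if [ "$2" -gt 0 ]; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}

# Number of "table full" drop messages in log file $1.
table_full_hits() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# check_conntrack CONF PROC_DIR [WARN_PCT]
# Succeeds only if the running max equals the configured max and usage < WARN_PCT.
check_conntrack() {
    want=$(conf_value "$1" net.netfilter.nf_conntrack_max)
    have=$(cat "$2/nf_conntrack_max")
    count=$(cat "$2/nf_conntrack_count")
    pct=$(usage_pct "$count" "$have")
    echo "configured_max=${want:-unset} running_max=$have entries=$count usage=${pct}%"
    [ "$want" = "$have" ] && [ "$pct" -lt "${3:-80}" ]
}

# Live check; runs only where the nf_conntrack sysctls are present.
PROC_DIR=/proc/sys/net/netfilter
if [ -r "$PROC_DIR/nf_conntrack_count" ] && [ -r /etc/sysctl.conf ]; then
    check_conntrack /etc/sysctl.conf "$PROC_DIR" ||
        echo "WARNING: sysctl -p not applied, or table above 80% full"
fi
```

Run table_full_hits against the system log before and after the change to see whether the drops have stopped.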
