How to increase ip conntrack max value


First, find out the current value of ip_conntrack_max with the following command:

cat /proc/sys/net/ipv4/ip_conntrack_max

By default, the value is 34576.

Sometimes you can see the error "ip_conntrack Table full. Dropping packet" in the log file (/var/log/messages).

This error can be eliminated by increasing the value of this parameter.


Method # 1:

i) Execute the following line in the command prompt

echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max

ii) Execute the command sysctl -p to reload the kernel parameters

Note: This value is reset to the default once the server is rebooted.


Method # 2:

i) Add the following line in '/etc/sysctl.conf' file

net.ipv4.netfilter.ip_conntrack_max = 65536

ii) Execute the command sysctl -p to reload the kernel parameters

Note: When the value is set using this method, it persists even after the server is rebooted.


Issue:

Sometimes, after we set the value of ip_conntrack_max to 65536, it reverts to 34576 as soon as APF is restarted on the server.

Steps to fix this issue:

1. Open APF configuration file - /etc/apf/conf.apf
2. Find the line "SYSCTL_CONNTRACK"
3. The value should be "34576". Change it to "65536".
4. Now refresh the firewall using the command "apf -r"
5. Check the value "cat /proc/sys/net/ipv4/ip_conntrack_max"



Error Cause:
Iptables under Linux maintains a list of connections passing through the router. Each connection tracking entry contains defined characteristics of the packet, including the source and destination IP address and port number. The connection tracking entries are ultimately stored in a hash table with a fixed size. If the router reaches the maximum number of connection tracking entries, it will log an error:

"ip_conntrack: table full, dropping packet"

The maximum size of the connection tracking table can be increased. The maximum size value is stored in the router's proc filesystem in the file /proc/sys/net/ipv4/ip_conntrack_max. Increasing the maximum size of the connection tracking table to a value larger than the total number of connections will eliminate the error message and prevent the router from dropping connections due to a lack of space in the connection tracking table.
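The check a sysadmin would want before and after applying the steps above, as an added example that is not code from the original post: it counts the "table full, dropping packet" events in a log, compares the table's current entry count against the limit, and emits the sysctl line without the quotes that break sysctl -p. The count file path (such as /proc/sys/net/netfilter/nf_conntrack_count on newer kernels) and the 80% threshold are assumptions; all sample data below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit conntrack table
# pressure and confirm the persistent sysctl line is well-formed. File
# paths are passed as arguments so the functions also run against the
# constructed sample files below; on a live host pass the real /proc
# and log paths instead.

# Number of "table full, dropping packet" events logged in $1.
conntrack_drop_count() {
    grep -ci 'conntrack: table full, dropping packet' "$1" || true
}

# Current table occupancy as an integer percentage: $1 = max file,
# $2 = count file (assumed path, e.g. /proc/sys/net/netfilter/nf_conntrack_count).
conntrack_usage_pct() {
    max=$(cat "$1")
    count=$(cat "$2")
    echo $(( count * 100 / max ))
}

# Succeeds when occupancy is at or above the threshold in $3 (default 80%).
conntrack_needs_raise() {
    [ "$(conntrack_usage_pct "$1" "$2")" -ge "${3:-80}" ]
}

# Emit the persistent setting without quotes: sysctl -p writes the value
# literally, and a quoted "65536" is not a valid integer for the kernel.
conntrack_sysctl_line() {
    printf 'net.ipv4.netfilter.ip_conntrack_max = %s\n' "$1"
}

# Demo on constructed data: a 34576-entry table that is nearly full.
demo=$(mktemp -d)
printf '34576\n' > "$demo/max"
printf '33100\n' > "$demo/count"
cat > "$demo/messages" <<'EOF'
Jan  1 00:00:01 host kernel: ip_conntrack: table full, dropping packet.
Jan  1 00:00:02 host kernel: ip_conntrack: table full, dropping packet.
Jan  1 00:00:03 host sshd[1]: Accepted publickey for admin
EOF
echo "drops logged: $(conntrack_drop_count "$demo/messages")"
echo "table usage:  $(conntrack_usage_pct "$demo/max" "$demo/count")%"
if conntrack_needs_raise "$demo/max" "$demo/count" 80; then
    echo "raise the limit, e.g. add to /etc/sysctl.conf:"
    conntrack_sysctl_line 65536
fi
rm -rf "$demo"
```

On a host where APF is installed, SYSCTL_CONNTRACK in /etc/apf/conf.apf must match the value emitted here, or apf -r will lower the limit again.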
