LinuxQuestions.org
Old 12-02-2004, 01:44 PM   #1
ingerul
Member
 
Registered: Oct 2004
Location: Romania
Distribution: gentoo
Posts: 34

Rep: Reputation: 15
ip_conntrack: table full, dropping packet.


I've recently installed fedora core 2 on my router and I'm getting this error:
Code:
Nov 30 17:55:32 kenjiru kernel: printk: 109421 messages suppressed.
Nov 30 17:55:32 kenjiru kernel: ip_conntrack: table full, dropping packet.
After I get this message the internet connection starts getting slow. Any idea what this message really means and what it implies?

I'm getting the above with both systems:
system 1:
p1 200Mhz 128M RAM

system 2:
AMD 2400+ 256M DDR
 
Old 12-02-2004, 02:06 PM   #2
imezsons
LQ Newbie
 
Registered: Sep 2004
Location: india
Posts: 14

Rep: Reputation: 0
hi

try changing the duplex speed to full or half using MII_TOOLS. it may solve the issue.

regards
lenin
 
Old 12-02-2004, 02:46 PM   #3
ingerul
Member
 
Registered: Oct 2004
Location: Romania
Distribution: gentoo
Posts: 34

Original Poster
Rep: Reputation: 15
MII_TOOLS, what is that, and where do I get it? (I've tried google, no result)
 
Old 12-02-2004, 04:12 PM   #4
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
As the message states, the kernel's connection tracking table is full. This message could be a sign of an improperly configured firewall, especially if this is a home network with just a few PCs -and- you state both firewall systems have 128MB + of RAM. If this is a business network with hundreds of PCs, then it could just indicate that you need to increase the maximum size of the connection tracking table. It could also indicate that you have a PC that is generating a lot of traffic (gaming, virus infected).

Whatever the reason, I would turn on tcpdump at the firewall and find the "root" cause of why your conn track table is filling up. Increasing the maximum conn track limit "might" just be a bandaid solution to a bigger problem and further decrease the performance of your firewall. The initial maximum value of the conn track table is based on the amount of RAM on your system. Your system with 256MB of RAM should be setting a rather large maximum limit. Anyway, it's worth investigating.

The following link is rather technical, but explains how to change the ip_conntrack maximum values (including the hash size). See the section labelled: Setting CONNTRACK_MAX

http://www.wallfire.org/misc/netfilt...track_perf.txt

Good Luck!
 
Old 12-02-2004, 11:58 PM   #5
mritch
Member
 
Registered: Nov 2003
Location: austria
Distribution: debian
Posts: 667

Rep: Reputation: 30
you'll only get this error if your network is on really *high* load (too many connections to watch) or, like scowles already mentioned, something is wrong with your firewall/iptables implementation.

i think i've seen a thread about it solved before, i'll post it if i remember where.

sl mritch.
 
Old 12-03-2004, 10:11 AM   #6
ingerul
Member
 
Registered: Oct 2004
Location: Romania
Distribution: gentoo
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
If this is a business network with hundreds of PC's, then it could just indicate that you need to increase the maximum size of the connection tracking table
I use the router in a small network - 30 computers.

Quote:
It could also indicate that you have a PC that is generating a lot of traffic (gaming, virus infected).
There are more than 10 computers infected with a virus I don't know that's generating a lot of traffic. When I look with iptraf at the internal network interface in 3-5 minutes I see more than 30.000 connections. Does this SYN flood affect conntrack?

Quote:
or, like scowles already mentioned, something is wrong with your firewall/iptables implementation.
How could my firewall cause something like this?
 
Old 12-03-2004, 11:33 AM   #7
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
There are more than 10 computers infected with a virus I don't know that's generating a lot of traffic. When I look with iptraf at the internal network interface in 3-5 minutes I see more than 30.000 connections. Does this SYN flood affect conntrack?

A SYN packet is the start of a TCP based connection request (three-step handshake between the two systems). So 30,000 connections from a measly 30 computers is an awful lot of connections. If the source of these SYN packets is your local network (30 computers), then I think you have found the "source" of your problem. Increasing the conn track max on your firewall with 128MB seems pointless. 30 computers is not a high load.

I would start by finding the 10 virus infected systems you mentioned and turn them off or unplug them from the network. If iptraf then shows a reduction in connection requests after you have turned off all these computers, then it's a safe bet that these systems are generating the conn track problem. Your next step is obvious. Find out if the virus is responsible for generating these SYN packets. If so, then remove the virus from all these systems.

Good Luck - I would not want to be in your shoes right now. Oh wait! I have been in your shoes before.
 
Old 12-03-2004, 01:12 PM   #8
ingerul
Member
 
Registered: Oct 2004
Location: Romania
Distribution: gentoo
Posts: 34

Original Poster
Rep: Reputation: 15
Quote:
I would start by finding the 10 virus infected systems you mentioned and turn them off or unplug them from the network.

This is pointless, all computers have Windows XP SP1 or SP2, all have additional anti-virus programs installed, but this doesn't stop them from getting infected.
 
Old 12-03-2004, 01:23 PM   #9
mritch
Member
 
Registered: Nov 2003
Location: austria
Distribution: debian
Posts: 667

Rep: Reputation: 30
hi

what ports are they connecting to? drop those packets. only allow services they need (proxy/http/whatever).

disinfect them. you're the admin? this box is the gateway?
don't allow unscanned mail. use a proxy.....

sl mritch.
 
Old 12-03-2004, 01:46 PM   #10
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
Originally posted by ingerul
I would start by finding the 10 virus infected systems you mentioned and turn them off or unplug them from the network.

This is pointless, all computers have Windows XP SP1 or SP2, all have additional anti-virus programs installed, but this doesn't stop them from getting infected.
Pointless? Hopefully you have misunderstood the point I was trying to make in my reply. Based on my interpretation of your replies to this thread, your goal at this point should be to try to verify and eliminate the source of these SYN packets. Starting with removing the virus infected systems (which you confirm in your reply) from your network is always a good starting point.

Also, consider posting a couple of tcpdump packet examples of the 30,000 you mentioned. I'm sure one of us on this forum can help you identify the source of this problem.
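As an added illustration (not code from any poster in this thread) of the check scowles describes in posts #7 and #10: count bare SYNs per LAN host in tcpdump output and estimate how many conntrack entries an unanswered-SYN rate like "30,000 in 3-5 minutes" pins down. The sample lines are constructed in the old tcpdump 3.x "IP src.port > dst.port: S" format, the 192.168.1.0/24 LAN prefix and the 120 s SYN_SENT timeout are assumptions, and the 30,000 / 240 s figures are only this thread's numbers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "tcpdump -n -i <lan_if> tcp" output; the last line is a
# SYN-ACK reply (has "ack"), the rest are bare SYNs from internal hosts.
SAMPLE = """\
17:55:32.000123 IP 192.168.1.15.1025 > 80.10.0.1.445: S 1:1(0) win 65535
17:55:32.000456 IP 192.168.1.15.1026 > 80.10.0.2.445: S 2:2(0) win 65535
17:55:32.000789 IP 192.168.1.15.1027 > 80.10.0.3.445: S 3:3(0) win 65535
17:55:32.001012 IP 192.168.1.7.3021 > 80.10.5.9.135: S 4:4(0) win 65535
17:55:32.001345 IP 192.168.1.7.3022 > 80.10.5.10.135: S 5:5(0) win 65535
17:55:32.001678 IP 192.168.1.20.2100 > 213.1.1.1.80: S 6:6(0) win 65535
17:55:32.001900 IP 213.1.1.1.80 > 192.168.1.20.2100: S 7:7(0) ack 7 win 5840
"""

# src, sport, dst, dport of a line whose TCP flags field is a plain "S"
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S ")


def syn_sources(text, lan_prefix="192.168.1."):
    """Count bare SYNs per internal source host and the ports they target."""
    syns = Counter()
    ports = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or " ack " in line:        # not a SYN, or a SYN-ACK reply
            continue
        src, _sport, _dst, dport = m.groups()
        if not src.startswith(lan_prefix):  # only hosts behind the router
            continue
        syns[src] += 1
        ports[src][int(dport)] += 1
    return syns, ports


def suspects(syns, ports, threshold):
    """Hosts at or above the SYN threshold, with their most-targeted port."""
    return [(host, n, ports[host].most_common(1)[0][0])
            for host, n in syns.most_common() if n >= threshold]


def conntrack_pressure(syn_count, window_s, syn_sent_timeout=120):
    """Entries that unanswered SYNs at this rate keep alive at any moment
    (each sits in SYN_SENT for syn_sent_timeout seconds; 120 s is assumed)."""
    return syn_count / window_s * syn_sent_timeout


if __name__ == "__main__":
    s, p = syn_sources(SAMPLE)
    print(suspects(s, p, threshold=2))
    print(conntrack_pressure(30000, 240))
```

Run it against real output with `tcpdump -n -i eth1 tcp > lan.txt` and feed the file to `syn_sources`; a host whose SYNs all hit one port (445, 135) is the pattern mritch suggests dropping at the gateway.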