# ip_conntrack problem

## Krisx

When ip_conntrack gets full (7k-8k cons) my box almost crashes, everything gets slow and the net is basically not working at all.

Message:

```
ip_conntrack: table full, dropping packet.
printk: 15 messages suppressed.
```

Question: how can I flush it (ip_conntrack) without rebooting?

----------

## andm461c

Hrm, I'm no expert, but how can your conntrack file have 7k-8k cons?

Here's the stuff from the iptables tutorial though, you might want to check it out: http://iptables-tutorial.frozentux.net/iptables-tutorial.html#THECONNTRACKENTRIES

So, I'm just curious, what happens when you do a 

```
cat /proc/net/ip_conntrack
```

?

----------

## Krisx

It's a box, that shares a connection to a few computers.

```
tcp      6 427570 ESTABLISHED src=192.168.0.69 dst=76.181.93.175 sport=2809 dport=10044 [UNREPLIED] src=76.181.93.175 dst=xx.xx.xx.xxx  sport=10044 dport=2809 use=1
tcp      6 420536 ESTABLISHED src=192.168.0.69 dst=220.233.220.73 sport=2243 dport=58152 [UNREPLIED] src=220.233.220.73 dst=xx.xx.xx.xxx  sport=58152 dport=2243 use=1
tcp      6 419399 ESTABLISHED src=219.74.219.234 dst=xx.xx.xx.xxx  sport=62493 dport=64999 src=192.168.0.69 dst=219.74.219.234 sport=64999 dport=62493 [ASSURED] use=1
tcp      6 420151 ESTABLISHED src=192.168.0.69 dst=60.48.81.90 sport=2390 dport=13612 [UNREPLIED] src=60.48.81.90 dst=xx.xx.xx.xxx  sport=13612 dport=2390 use=1
tcp      6 399781 ESTABLISHED src=192.168.1.5 dst=200.122.47.104 sport=3099 dport=49152 [UNREPLIED] src=200.122.47.104 dst=xx.xx.xx.xxx  sport=49152 dport=3099 use=1
tcp      6 412585 ESTABLISHED src=219.95.134.174 dst=xx.xx.xx.xxx  sport=3670 dport=64999 src=192.168.0.69 dst=219.95.134.174 sport=64999 dport=3670 [ASSURED] use=1
tcp      6 428617 ESTABLISHED src=192.168.0.69 dst=68.223.246.73 sport=4220 dport=7000 src=68.223.246.73 dst=xx.xx.xx.xxx sport=7000 dport=4220 [ASSURED] use=1
tcp      6 63 TIME_WAIT src=61.23.157.229 dst=xx.xx.xx.xxx  sport=4958 dport=64999 src=192.168.0.69 dst=61.23.157.229 sport=64999 dport=4958 [ASSURED] use=1
tcp      6 6 TIME_WAIT src=192.168.1.5 dst=66.183.87.116 sport=2813 dport=58082 src=66.183.87.116 dst=xx.xx.xx.xxx sport=58082 dport=2813 [ASSURED] use=1
tcp      6 415345 ESTABLISHED src=72.252.43.168 dst=xx.xx.xx.xxx  sport=10009 dport=64999 src=192.168.0.69 dst=72.252.43.168 sport=64999 dport=10009 [ASSURED] use=1
udp      17 165 src=218.1.251.44 dst=xx.xx.xx.xxx  sport=25106 dport=63000 src=192.168.1.5 dst=218.1.251.44 sport=63000 dport=25106 [ASSURED] use=1
tcp      6 9 FIN_WAIT src=192.168.0.69 dst=203.165.176.89 sport=3965 dport=23663 src=203.165.176.89 dst=xx.xx.xx.xxx sport=23663 dport=3965 [ASSURED] use=1
etc....
```

xx.xx.xx.xxx - my IP

----------

## andm461c

Ok.. What happens when you do a

```
cat /proc/sys/net/ipv4/ip_conntrack_max
```

?

Oh, and by the way, do you mean you're on the same network as a bunch of other computers, or that the computer you are having trouble with is a firewall?

----------

## Krisx

cat /proc/sys/net/ipv4/ip_conntrack_max:

```
8192
```

The computer I am having trouble with is in the role of a firewall/router.

----------

## bunder

*Krisx wrote:*

> cat /proc/sys/net/ipv4/ip_conntrack_max:
>
> 8192
>
> The computer I am having trouble with is in the role of a firewall/router.

You need to increase that number then...

Try:

```
echo 15000 > /proc/sys/net/ipv4/ip_conntrack_max
```

That should keep things at bay, unless you max it out again.

edit: there was a limit on how big you could set this, I believe it was RAM based.

----------

## Krisx

Yes, it is RAM based, and right now the number is the maximum that my RAM can handle.

There must be a way to flush it.

----------

## andm461c

As far as I know, the only way to flush the conntrack is to do an ifconfig down+up. These posts (somewhat old) confirm that. But you might find something interesting in them anyhow.

http://lists.debian.org/debian-user/2003/02/msg00728.html

http://lists.netfilter.org/pipermail/netfilter-devel/2002-October/009530.html

Also, here's the netfilter.org website.

http://www.netfilter.org/

That's all I know about this matter.

Good luck!

----------

## Janne Pikkarainen

Did you already take a look at /proc/sys/net/ipv4/netfilter/? There are lots of ip_conntrack related entries there; the most interesting for you are probably the timeout and wait parameters.

Of course you might want to check what is actually causing that many connections. That amount is not normal unless you have a really busy server.
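Before raising ip_conntrack_max or shortening the timeouts, it helps to see what is actually sitting in the table. The script below is an added example, not from the thread: a POSIX sh/awk summary of a /proc/net/ip_conntrack dump in the format shown earlier (counts of [UNREPLIED] and [ASSURED] entries, entries with more than an hour of timeout left, fill level against the max, and which originating host opened most of them). The SAMPLE table is constructed; the LAN hosts match the thread and the external addresses are from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Summarise a /proc/net/ip_conntrack dump so you can see what is filling the
# table.  Real use:  conntrack_summary "$(cat /proc/sys/net/ipv4/ip_conntrack_max)" < /proc/net/ip_conntrack
# SAMPLE is a constructed table in the thread's format (not real data).

SAMPLE='tcp      6 427570 ESTABLISHED src=192.168.0.69 dst=203.0.113.10 sport=2809 dport=10044 [UNREPLIED] src=203.0.113.10 dst=198.51.100.1 sport=10044 dport=2809 use=1
tcp      6 420536 ESTABLISHED src=192.168.0.69 dst=203.0.113.11 sport=2243 dport=58152 [UNREPLIED] src=203.0.113.11 dst=198.51.100.1 sport=58152 dport=2243 use=1
tcp      6 419399 ESTABLISHED src=203.0.113.12 dst=198.51.100.1 sport=62493 dport=64999 src=192.168.0.69 dst=203.0.113.12 sport=64999 dport=62493 [ASSURED] use=1
tcp      6 63 TIME_WAIT src=192.168.1.5 dst=203.0.113.13 sport=2813 dport=58082 src=203.0.113.13 dst=198.51.100.1 sport=58082 dport=2813 [ASSURED] use=1
udp      17 165 src=203.0.113.14 dst=198.51.100.1 sport=25106 dport=63000 src=192.168.1.5 dst=203.0.113.14 sport=63000 dport=25106 [ASSURED] use=1
tcp      6 9 FIN_WAIT src=192.168.0.69 dst=203.0.113.15 sport=3965 dport=23663 src=203.0.113.15 dst=198.51.100.1 sport=23663 dport=3965 [ASSURED] use=1'

# conntrack_summary MAX   (table on stdin)
# One line: total entries, [UNREPLIED] (other side never answered), [ASSURED],
# entries with more than an hour of timeout left, and fill level relative to MAX.
conntrack_summary() {
    awk -v max="$1" '
        $1 == "tcp" || $1 == "udp" {
            total++
            if ($0 ~ /\[UNREPLIED\]/) unreplied++
            if ($0 ~ /\[ASSURED\]/)   assured++
            if ($3 + 0 > 3600)        longlived++   # $3 = seconds until the entry expires
        }
        END {
            printf "total=%d unreplied=%d assured=%d timeout>1h=%d fill=%.2f%%\n",
                   total, unreplied, assured, longlived, (max > 0 ? 100 * total / max : 0)
        }'
}

# conntrack_top_src   (table on stdin)
# Counts entries by originating address (the first src= on the line, which is
# the LAN host for connections going out through the router); busiest first.
conntrack_top_src() {
    awk '
        $1 == "tcp" || $1 == "udp" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^src=/) { split($i, kv, "="); n[kv[2]]++; break }
        }
        END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

printf '%s\n' "$SAMPLE" | conntrack_summary 8192
printf '%s\n' "$SAMPLE" | conntrack_top_src
```

A large share of [UNREPLIED] entries with days of timeout left points at the tcp established timeout rather than at genuine traffic, which is where the timeout entries under /proc/sys/net/ipv4/netfilter/ come in.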

----------

## Krisx

Still have the problem.

ifconfig down/up doesn't work.

----------

