# Neighbour table overflow? TCP uncloaked?

## mipsgi

Could anybody tell me how I can solve this issue?

----------

## fbleagh

Could you please be a little more specific?

What service has thrown up this error?

A dump of the relevant section of the error.

Give us more info and we will see what we can do :)

----------

## mipsgi

I'll describe it in as much detail as I can :)

It's a Dell PE2600 running proftpd (150user*100k), mysql, apache and vbb forum.

dmesg:

=====================

Neighbour table overflow.

NET: 227 messages suppressed.

Neighbour table overflow.

NET: 228 messages suppressed.

Neighbour table overflow.

NET: 299 messages suppressed.

Neighbour table overflow.

NET: 263 messages suppressed.

...

=====================

Earlier there were even some messages like:

=============================================

"Feb 23 11:58:42 [kernel] TCP: Treason uncloaked! Peer 10.13.85.200:38300/46335 shrinks window 3318685864:3318690000. Repaired."

=============================================

Something like that (the port may be 21), like a DoS attack on proftpd.

I supposed the problem was too many connections to proftpd...

After I made an FTP IP auto-block script, it appears much less often now.

Then the "Neighbour table overflow" message puzzled me... I googled and learned that it's an overflow of the ARP table, and I did set the local loopback correctly (Gentoo users don't have to worry about that :P)

Proftpd is running in stand-alone mode now, and I'm going to make it work under xinetd's control...

----------

## kashani

 *mipsgi wrote:*

> Then the "Neighbour table overflow" message puzzled me...I googled and knew that 's overflow of the arp table, and I do set local loopback correctly(Gentoo users don't have to concern that)
> 
> Proftpd is running at stand-alone mode now, and I'm going to make it working under xinetd's control...

Thought this looked familiar. Ran into the same thing recently on a Redhat box using NFS. Double check your /etc/hosts file since that's what fixed it for us. If you have a static IP I'd suggest something like the following in your /etc/hosts file.

127.0.0.1    localhost

10.10.1.60  azul.lax.badapple.net             azul

Also make your /etc/hostname file match whatever you put into /etc/hosts.

The server seemed to get confused as to what its name was, at least in our case, and did some very strange things. If you make changes, run /etc/init.d/hostname restart to update your system.

kashani

----------

## mipsgi

These are my previous settings...

/etc/hostname:

```
Gentoo
```

/etc/hosts:

```
# /etc/hosts:  This file describes a number of hostname-to-address
#              mappings for the TCP/IP subsystem.  It is mostly
#              used at boot time, when no name servers are running.
#              On small systems, this file can be used instead of a
#              "named" name server.  Just add the names, addresses
#              and any aliases to this file...
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/hosts,v 1.7 2002/11/18 19:39:22 azarah Exp $
#
127.0.0.1       localhost
10.8.8.8        a.b.c.d               Gentoo
```

and a.b.c.d is its DNS name

I don't know what the problem is :( ...

P.S. The box ships with 2 Intel e100 dual-port NICs and 1 e1000 NIC. I bonded the 4 e100 interfaces together using Intel's iANS driver to make a virtual adapter "vadapt", while the e1000 is "eth0".

ifconfig:

=====================

eth0      Link encap:Ethernet  HWaddr 00:06:5B:F1:F7:09

          inet addr:10.8.8.9  Bcast:10.8.255.255  Mask:255.255.0.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:10427 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1377512 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:669238 (653.5 Kb)  TX bytes:568364921 (542.0 Mb)

          Interrupt:28 Base address:0xdce0 Memory:fe2e0000-fe300000

eth1      Link encap:Ethernet  HWaddr 00:02:B3:C1:27:32

          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

          RX packets:1032827 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1283097 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:574668324 (548.0 Mb)  TX bytes:1752782522 (1671.5 Mb)

          Interrupt:24 Base address:0xece0 Memory:f90ff000-f90ff038

eth2      Link encap:Ethernet  HWaddr 00:02:B3:C1:27:32

          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

          RX packets:1050622 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1287541 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:583196143 (556.1 Mb)  TX bytes:1726441015 (1646.4 Mb)

          Interrupt:25 Base address:0xecc0 Memory:f90fe000-f90fe038

eth3      Link encap:Ethernet  HWaddr 00:02:B3:C1:27:32

          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

          RX packets:1024422 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1275821 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:573363642 (546.8 Mb)  TX bytes:1730952905 (1650.7 Mb)

          Interrupt:56 Base address:0xbce0 Memory:effff000-effff038

eth4      Link encap:Ethernet  HWaddr 00:02:B3:C1:27:32

          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1

          RX packets:1070431 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1307680 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:602310854 (574.4 Mb)  TX bytes:1743369576 (1662.6 Mb)

          Interrupt:57 Base address:0xbcc0 Memory:efffe000-efffe038

lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:1811367 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1811367 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:1166890814 (1112.8 Mb)  TX bytes:1166890814 (1112.8 Mb)

vadapt    Link encap:Ethernet  HWaddr 00:02:B3:C1:27:32

          inet addr:10.8.8.8  Bcast:10.8.255.255  Mask:255.255.0.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:4178302 errors:0 dropped:0 overruns:0 frame:0

          TX packets:5154139 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:2333538963 (2225.4 Mb)  TX bytes:2658578722 (2535.4 Mb)

========================

Any suggestions will be appreciated...

----------

## kashani

Let's try this

/etc/hostname

server.domain.com

/etc/hosts

127.0.0.1           localhost

10.8.8.8             server.domain.com         server

10.8.8.9             test.domain.com             test

It's always a good idea to put all interfaces in your hosts file. Linux tends to not care as much, but Solaris will kick your ass if it doesn't like how you've done it.

kashani

----------

## mipsgi

I suppose it's my fault that I forgot to add 10.8.8.9 to /etc/hosts

Thank you :)

----------

## mipsgi

The annoying messages hit me again yesterday.

It seemed to be solved by echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter

(or you can append "net.ipv4.conf.all.arp_filter=1" to /etc/sysctl.conf and then run sysctl -p... it does the same thing, if you have sysctl compiled into the kernel :) )

----------

## mipsgi

damn it...still have the problem -________-

----------

## mipsgi

I caught this with "arp -an"; does this make sense?

? (10.8.48.59) at <incomplete> on vadapt

? (10.8.38.100) at <incomplete> on vadapt

? (10.8.180.64) at <incomplete> on vadapt

? (10.8.248.159) at <incomplete> on vadapt

? (10.8.143.161) at <incomplete> on vadapt

? (10.8.0.1) at 00:05:74:90:1B:FC [ether] on eth0

? (10.8.108.154) at <incomplete> on vadapt

? (10.8.201.229) at <incomplete> on vadapt

? (10.8.166.224) at <incomplete> on vadapt

? (10.8.2.68) at <incomplete> on vadapt

? (10.8.109.42) at <incomplete> on vadapt

? (10.8.80.162) at <incomplete> on vadapt

? (10.8.82.50) at <incomplete> on vadapt

? (10.8.62.51) at <incomplete> on vadapt

? (10.8.90.196) at <incomplete> on vadapt

? (10.8.160.93) at <incomplete> on vadapt

? (10.8.62.174) at <incomplete> on vadapt

? (10.8.8.10) at 00:06:5B:F2:AD:DD [ether] on vadapt

? (10.8.206.205) at <incomplete> on vadapt

? (10.8.237.202) at <incomplete> on vadapt

? (10.8.27.81) at <incomplete> on vadapt

? (10.8.212.240) at <incomplete> on vadapt

? (10.8.96.41) at <incomplete> on vadapt

? (10.8.42.156) at <incomplete> on vadapt

? (10.8.38.3) at <incomplete> on vadapt

? (10.8.5.74) at <incomplete> on vadapt

? (10.8.128.49) at <incomplete> on vadapt

? (10.8.131.120) at <incomplete> on vadapt

? (10.8.71.245) at <incomplete> on vadapt

? (10.8.163.124) at <incomplete> on vadapt

? (10.8.168.118) at <incomplete> on vadapt

? (10.8.25.170) at <incomplete> on vadapt

? (10.8.167.101) at <incomplete> on vadapt

? (10.8.42.160) at <incomplete> on vadapt

? (10.8.164.46) at <incomplete> on vadapt

? (10.8.250.171) at <incomplete> on vadapt

? (10.8.87.79) at <incomplete> on vadapt

? (10.8.121.215) at <incomplete> on vadapt

? (10.8.74.27) at <incomplete> on vadapt

? (10.8.100.131) at <incomplete> on vadapt

? (10.8.142.106) at <incomplete> on vadapt

? (10.8.20.240) at <incomplete> on vadapt

? (10.8.14.92) at <incomplete> on vadapt

? (10.8.173.72) at <incomplete> on vadapt

? (10.8.171.109) at <incomplete> on vadapt

? (10.8.79.192) at <incomplete> on vadapt

? (10.8.187.238) at <incomplete> on vadapt

? (10.8.169.74) at <incomplete> on vadapt

? (10.8.33.230) at <incomplete> on vadapt

? (10.8.113.219) at <incomplete> on vadapt

? (10.8.6.80) at <incomplete> on vadapt

? (10.8.6.25) at <incomplete> on vadapt

? (10.8.59.36) at <incomplete> on vadapt

? (10.8.74.236) at <incomplete> on vadapt

? (10.8.52.36) at <incomplete> on vadapt

? (10.8.159.171) at <incomplete> on vadapt

? (10.8.134.33) at <incomplete> on vadapt

? (10.8.214.196) at <incomplete> on vadapt

? (10.8.215.140) at <incomplete> on vadapt

? (10.8.231.245) at <incomplete> on vadapt

? (10.8.16.110) at <incomplete> on vadapt

? (10.8.4.23) at <incomplete> on vadapt

? (10.8.177.90) at <incomplete> on vadapt

? (10.8.117.97) at <incomplete> on vadapt

? (10.8.49.219) at <incomplete> on vadapt

? (10.8.168.244) at <incomplete> on vadapt

? (10.8.231.99) at <incomplete> on vadapt

? (10.8.13.228) at <incomplete> on vadapt

? (10.8.70.61) at <incomplete> on vadapt

? (10.8.75.121) at <incomplete> on vadapt

? (10.8.235.180) at <incomplete> on vadapt

? (10.8.208.227) at <incomplete> on vadapt

? (10.8.154.141) at <incomplete> on vadapt

? (10.8.144.206) at <incomplete> on vadapt

? (10.8.8.100) at * PERM PUP on eth0

----------

## mipsgi

Finally solved the problem:

Turn IP forwarding off, so your Gentoo box won't act like a router

sysctl -w net.ipv4.ip_forward=0

----------

## diablobsb

 *mipsgi wrote:*

> Finally solved the problem:
> 
> Turn IP forwarding off, so your Gentoo box won't act like a router
> 
> sysctl -w net.ipv4.ip_forward=0

This is not really a solution!

What if you need your box to act like a router?

----------

## mipsgi

Write the lines below to /etc/sysctl.conf:

net.ipv4.neigh.default.gc_thresh1 = 1024

net.ipv4.neigh.default.gc_thresh2 = 2048

net.ipv4.neigh.default.gc_thresh3 = 8192

Enlarge the values if that's not enough :D

----------
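One way to read the `arp -an` listing and the gc_thresh settings from the posts above together, as an added example that is not part of any post. The sample lines are constructed, the function names are hypothetical, and 512/1024 are assumed stock values for gc_thresh2/gc_thresh3.

```shell
#!/bin/sh
# Added example (not from the thread): triage `arp -an` output against the
# neighbour-table limits gc_thresh2/gc_thresh3. Function names are hypothetical.

# Constructed sample in the format of the `arp -an` listing in the thread.
SAMPLE='? (192.0.2.1) at 00:00:5e:00:53:01 [ether] on eth0
? (192.0.2.20) at <incomplete> on vadapt
? (192.0.2.21) at <incomplete> on vadapt
? (192.0.2.22) at 00:00:5e:00:53:02 [ether] on vadapt
? (192.0.2.23) at <incomplete> on vadapt'

# Print "iface total incomplete" for every interface seen on stdin.
# <incomplete> entries are addresses the host ARPed for without an answer;
# they still occupy slots in the table.
neigh_summary() {
    awk '/ on / { i = $NF; t[i]++; if (index($0, "<incomplete>")) u[i]++ }
         END    { for (i in t) printf "%s %d %d\n", i, t[i], u[i] + 0 }' | sort
}

# Print the number of entries on stdin; the gc_thresh limits are table-wide,
# so all interfaces count towards them.
neigh_total() {
    grep -c ' on ' || true
}

# Classify a table size. usage: neigh_pressure TOTAL GC_THRESH2 GC_THRESH3
#   ok   - below gc_thresh2
#   soft - at or above gc_thresh2: entries above this are garbage-collected
#          after a short grace period
#   hard - at or above gc_thresh3: new entries fail unless garbage collection
#          frees a slot, and "Neighbour table overflow" is logged
neigh_pressure() {
    if   [ "$1" -ge "$3" ]; then echo hard
    elif [ "$1" -ge "$2" ]; then echo soft
    else echo ok
    fi
}

# Demo on the sample; 512 and 1024 are assumed stock values for
# gc_thresh2 and gc_thresh3. On a live host use instead:
#   arp -an | neigh_summary
#   neigh_pressure "$(arp -an | neigh_total)" \
#       "$(sysctl -n net.ipv4.neigh.default.gc_thresh2)" \
#       "$(sysctl -n net.ipv4.neigh.default.gc_thresh3)"
printf '%s\n' "$SAMPLE" | neigh_summary
neigh_pressure "$(printf '%s\n' "$SAMPLE" | neigh_total)" 512 1024
```

When most of the table is `<incomplete>` entries on one interface, larger thresholds only add headroom; what makes the host resolve so many unanswered addresses still needs to be found.
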

## rootlinux

I faced the same problem on my firewall... did your values below help?

net.ipv4.neigh.default.gc_thresh1 = 1024

net.ipv4.neigh.default.gc_thresh2 = 2048

net.ipv4.neigh.default.gc_thresh3 = 8192 

or this

net.ipv4.neigh.default.gc_thresh1 = 8192

net.ipv4.neigh.default.gc_thresh2 = 8192

net.ipv4.neigh.default.gc_thresh3 = 8192 

Which is the best to solve this problem?

----------

## mipsgi

If the first one is enough, I prefer that :)

----------

## N-S

What do I need to do to "activate" this change?

----------

## humpback

N-S: You can put these settings in /etc/sysctl.conf. After that, either reboot or use the sysctl program to reload these settings.

----------

## N-S

I did this a long time ago and it works fine now.

----------

