Linux: Neighbour Table Overflow Error and Solution

I setup a CentOS Linux based Linux server running as a gateway and firewall server. However, I’m getting the following messages in the /var/log/messages log file:

Dec 20 00:41:01 fw01 kernel: Neighbour table overflow.
Dec 20 00:41:01 fw01 last message repeated 20 times

Dec 20 00:41:01 fw03 kernel: [ 8987.821184] Neighbour table overflow.
Dec 20 00:41:01 fw03 kernel: [ 8987.860465] printk: 100 messages suppressed.

Why does kernel throw “Neighbour table overflow” messages in syslog? How do I fix this problem under Debian / CentOS / RHEL / Fedora / Ubuntu Linux?

For busy networks (or gateway / firewall Linux server) it is mandatory to increase the kernel’s internal ARP cache size. The following kernel variables are used:

net.ipv4.neigh.default.gc_thresh1
net.ipv4.neigh.default.gc_thresh2
net.ipv4.neigh.default.gc_thresh3

To see current values, type:
# sysctl net.ipv4.neigh.default.gc_thresh1
Sample outputs:

net.ipv4.neigh.default.gc_thresh1 = 128

Type the following command:
# sysctl net.ipv4.neigh.default.gc_thresh2
Sample outputs:

net.ipv4.neigh.default.gc_thresh2 = 512

Type the following command:
# sysctl net.ipv4.neigh.default.gc_thresh3
Sample outputs:

net.ipv4.neigh.default.gc_thresh3 = 1024

So you need to make sure that the arp table to become bigger than the above defaults. The above limitations are good for small network or a single server. This will also affect your DNS traffic.

How Do I Fix “Neighbour Table Overflow” Error?

Edit /etc/sysctl.conf file, enter:
# vi /etc/sysctl.conf
Append the following values (this is taken from server that protects over 200 desktops running MS-Windows, Linux, and Apple OS X):

 ## works best with <= 500 client computers ##
# Force gc to clean-up quickly
net.ipv4.neigh.default.gc_interval = 3600
 
# Set ARP cache entry timeout
net.ipv4.neigh.default.gc_stale_time = 3600
 
# Setup DNS threshold for arp 
net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

To load new changes type the following command:
# sysctl -p

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

4 comment

That’s great, but WHY? What are the three different levels of thresholds, when does each one become relevant? Are there any adverse affects to increasing these? Why wouldn’t I want to set these extremely high? Why are they set to what they are in the first place?

vinod says:
July 5, 2015 at 9:07 am
I just found this while googling hope it helps.
These 3 parameters are defined in the Linux Kernel Code in the header file “/include/net/neighbour.h” as integer, which suggests that maximal accepted value is (232 – 1).
Gaia Portal accepts maximal value of 16384.
gc_thresh1
The minimum number of entries to keep in the ARP cache.
The garbage collector will not run if there are fewer than this number of entries in the cache.
gc_thresh2
The soft maximum number of entries to keep in the ARP cache.
The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed.
gc_thresh3
The hard maximum number of entries to keep in the ARP cache.
The garbage collector will always run if there are more than this number of entries in the cache.
In order for the garbage collector to work properly, and not to overload the machine with garbage collections, when changing the ‘gc_thresh3’ parameter, user should (note: does not have to) change the ‘gc_thresh2’ and ‘gc_thresh1’ parameters accordingly.

Thanks a TON! Quick fix to an issue I was having on Debian 7.

Good it works

J says:
November 13, 2012 at 1:40 pm
That’s great, but WHY? What are the three different levels of thresholds, when does each one become relevant? Are there any adverse affects to increasing these? Why wouldn’t I want to set these extremely high? Why are they set to what they are in the first place?
1. vinod says:
  July 5, 2015 at 9:07 am
  I just found this while googling hope it helps.
  These 3 parameters are defined in the Linux Kernel Code in the header file “/include/net/neighbour.h” as integer, which suggests that maximal accepted value is (232 – 1).
  Gaia Portal accepts maximal value of 16384.
  gc_thresh1
  The minimum number of entries to keep in the ARP cache.
  The garbage collector will not run if there are fewer than this number of entries in the cache.
  gc_thresh2
  The soft maximum number of entries to keep in the ARP cache.
  The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed.
  gc_thresh3
  The hard maximum number of entries to keep in the ARP cache.
  The garbage collector will always run if there are more than this number of entries in the cache.
  In order for the garbage collector to work properly, and not to overload the machine with garbage collections, when changing the ‘gc_thresh3’ parameter, user should (note: does not have to) change the ‘gc_thresh2’ and ‘gc_thresh1’ parameters accordingly.
Jon says:
January 6, 2014 at 7:10 pm
Thanks a TON! Quick fix to an issue I was having on Debian 7.
tanzeem says:
January 21, 2015 at 6:33 pm
Good it works

Have a question? Post it on our forum!