Linux: Neighbour Table Overflow Error and Solution

last updated in Categories , ,

I setup a CentOS Linux based Linux server running as a gateway and firewall server. However, I’m getting the following messages in the /var/log/messages log file:

Dec 20 00:41:01 fw01 kernel: Neighbour table overflow.
Dec 20 00:41:01 fw01 last message repeated 20 times

OR


Dec 20 00:41:01 fw03 kernel: [ 8987.821184] Neighbour table overflow.
Dec 20 00:41:01 fw03 kernel: [ 8987.860465] printk: 100 messages suppressed.

Why does kernel throw “Neighbour table overflow” messages in syslog? How do I fix this problem under Debian / CentOS / RHEL / Fedora / Ubuntu Linux?

For busy networks (or gateway / firewall Linux server) it is mandatory to increase the kernel’s internal ARP cache size. The following kernel variables are used:

net.ipv4.neigh.default.gc_thresh1
net.ipv4.neigh.default.gc_thresh2
net.ipv4.neigh.default.gc_thresh3

To see current values, type:
# sysctl net.ipv4.neigh.default.gc_thresh1
Sample outputs:

net.ipv4.neigh.default.gc_thresh1 = 128

Type the following command:
# sysctl net.ipv4.neigh.default.gc_thresh2
Sample outputs:

net.ipv4.neigh.default.gc_thresh2 = 512

Type the following command:
# sysctl net.ipv4.neigh.default.gc_thresh3
Sample outputs:

net.ipv4.neigh.default.gc_thresh3 = 1024

So you need to make sure that the arp table to become bigger than the above defaults. The above limitations are good for small network or a single server. This will also affect your DNS traffic.

How Do I Fix “Neighbour Table Overflow” Error?

Edit /etc/sysctl.conf file, enter:
# vi /etc/sysctl.conf
Append the following values (this is taken from server that protects over 200 desktops running MS-Windows, Linux, and Apple OS X):

 ## works best with <= 500 client computers ##
# Force gc to clean-up quickly
net.ipv4.neigh.default.gc_interval = 3600
 
# Set ARP cache entry timeout
net.ipv4.neigh.default.gc_stale_time = 3600
 
# Setup DNS threshold for arp 
net.ipv4.neigh.default.gc_thresh3 = 4096
net.ipv4.neigh.default.gc_thresh2 = 2048
net.ipv4.neigh.default.gc_thresh1 = 1024

To load new changes type the following command:
# sysctl -p

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Share this on (or read 4 comments/add one below):

4 comment

  1. That’s great, but WHY? What are the three different levels of thresholds, when does each one become relevant? Are there any adverse affects to increasing these? Why wouldn’t I want to set these extremely high? Why are they set to what they are in the first place?

    1. I just found this while googling hope it helps.

      These 3 parameters are defined in the Linux Kernel Code in the header file “/include/net/neighbour.h” as integer, which suggests that maximal accepted value is (232 – 1).

      Gaia Portal accepts maximal value of 16384.

      gc_thresh1
      The minimum number of entries to keep in the ARP cache.
      The garbage collector will not run if there are fewer than this number of entries in the cache.

      gc_thresh2
      The soft maximum number of entries to keep in the ARP cache.
      The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed.

      gc_thresh3

      The hard maximum number of entries to keep in the ARP cache.
      The garbage collector will always run if there are more than this number of entries in the cache.
      In order for the garbage collector to work properly, and not to overload the machine with garbage collections, when changing the ‘gc_thresh3’ parameter, user should (note: does not have to) change the ‘gc_thresh2’ and ‘gc_thresh1’ parameters accordingly.

    Have a question? Post it on our forum!

Tagged as: Tags , , , , , , , , , , , , , , , , , , , , , ,