My Red Hat Enterprise Linux 5 server is reporting the following message in /var/log/messages (syslog):

ip_conntrack: table full, dropping packet.

How do I fix this error?

A. If you see the above message in syslog, the conntrack database does not have enough entries for your environment. By default, connection tracking handles up to a certain number of simultaneous connections. This number depends on your system's maximum memory size.

You can easily increase the maximum number of tracked connections, but be aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!

To print the current limit, type:
# sysctl net.ipv4.netfilter.ip_conntrack_max

To increase this limit to e.g. 12000, type:
# sysctl -w net.ipv4.netfilter.ip_conntrack_max=12000

Alternatively, add the following line to the /etc/sysctl.conf file:
net.ipv4.netfilter.ip_conntrack_max = 12000

The following will tell you how many sessions are open right now:
# wc -l /proc/net/ip_conntrack

5000 /proc/net/ip_conntrack
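
The check below is an added example, not part of the original article: it reads the current entry count and the limit, reports how full the table is, and estimates the kernel memory pinned at the limit from the roughly 350 bytes per entry quoted above. The function names, the 80% warning threshold and the nf_conntrack fallback path for later kernels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): conntrack table usage check.
# BYTES_PER_ENTRY is the article's rough per-connection figure, not a measurement.
BYTES_PER_ENTRY=350
WARN_PCT=80   # assumed alert threshold, adjust for your environment

# conntrack_usage COUNT MAX -> prints "PERCENT STATUS" (STATUS is OK, WARN or FULL)
conntrack_usage() {
    count=$1; max=$2
    if [ "$max" -le 0 ]; then echo "0 UNKNOWN"; return 1; fi
    pct=$(( count * 100 / max ))
    if [ "$count" -ge "$max" ]; then status=FULL
    elif [ "$pct" -ge "$WARN_PCT" ]; then status=WARN
    else status=OK
    fi
    echo "$pct $status"
}

# conntrack_mem_kib MAX -> approximate non-swappable kernel memory in KiB
# consumed when the table holds MAX entries.
conntrack_mem_kib() {
    echo $(( $1 * BYTES_PER_ENTRY / 1024 ))
}

# read_conntrack [ROOT] -> prints "COUNT MAX" from the first counter pair found.
# ROOT defaults to /proc/sys/net; ip_conntrack_* is the RHEL/CentOS 5 naming,
# nf_conntrack_* the naming on later kernels.
read_conntrack() {
    root=${1:-/proc/sys/net}
    for prefix in "$root/ipv4/netfilter/ip_conntrack" "$root/netfilter/nf_conntrack"; do
        if [ -r "${prefix}_count" ] && [ -r "${prefix}_max" ]; then
            echo "$(cat "${prefix}_count") $(cat "${prefix}_max")"
            return 0
        fi
    done
    return 1
}

if values=$(read_conntrack); then
    set -- $values
else
    echo "conntrack counters not found; using the article's figures as sample input"
    set -- 5000 12000   # sample: 5000 open sessions against a limit of 12000
fi
echo "entries=$1 max=$2 usage=$(conntrack_usage "$1" "$2") mem_at_max=$(conntrack_mem_kib "$2")KiB"
```

Run it from cron or a monitoring agent and alert on WARN, so the table is resized or the traffic investigated before packets are dropped.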

12 comments
  • blink4blog Jan 12, 2008 @ 15:30

    How about SuSEFirewall2? Is there any similar way to do the same? Thanks

  • 🐧 nixCraft Jan 12, 2008 @ 15:42


    Above instructions must work on Suse Linux.

  • we3cares Sep 23, 2008 @ 4:16

    Very Nice Article……..

    Like it….. :)

  • OQiis co. Nov 12, 2008 @ 2:44

    So nice solution.

    Eng. Mahmoud Al Sayed.

  • Georgi Georgiev Mar 7, 2009 @ 1:45

    It works for me too – I love you :)

  • d0r Apr 3, 2010 @ 21:49

    My server has 16 GB RAM – I am hosting some VPS.
    One of the VPS is under SYN DDoS; the limit of conntrack is already at 300000 but the table is still full.
    I can set the limit to 3000000 and the table is always full.

    Actually I use:
    net.ipv4.netfilter.ip_conntrack_max = 9527600
    net.ipv4.ip_conntrack_max = 9527600

    OS: CentOS 5

    Is there a limit on the max. conntrack value?


  • d0r Apr 3, 2010 @ 21:52

    [root@host4 ~]# wc -l /proc/net/ip_conntrack
    65143 /proc/net/ip_conntrack

    Mhh… seems there is a limit of the max. conntrack value.
    Of course I have done sysctl -p and done restarts etc., but it doesn't help.

  • Amos Jun 7, 2011 @ 7:29

    You can also get current count of entries in the connection table by reading /proc/sys/net/ipv4/netfilter/ip_conntrack_count.

    It’s much faster than a “wc -l” and useful for graphing/monitoring with collectd/zabbix/nagios etc.

  • lam seo website Jul 10, 2012 @ 7:48

    I tried this introduction but I don't understand conntrack; who can explain it to me?

  • Ballesh Apr 12, 2013 @ 15:46

    Good Article, very useful……………………………………..

  • farzin Aug 30, 2014 @ 15:20

    For CentOS 6.x it has changed to the following commands:

    To print current limit type:
    # sysctl net.nf_conntrack_max

    To increase this limit to e.g. 100000, type:
    # sysctl -w net.nf_conntrack_max=100000

    To make this setting permanent, add the following line to the /etc/sysctl.conf file:
    net.nf_conntrack_max = 100000

    The following will tell you how many sessions are open right now:
    # wc -l /proc/net/nf_conntrack

  • Deepak Aug 6, 2015 @ 12:55

    I am using CentOS 2.1 and it's not working; actually I cannot find this: net.ipv4.netfilter.ip_conntrack_max
