Linux Increase TCP Port Range with net.ipv4.ip_local_port_range Kernel Parameter

Last updated September 23, 2017

Linux Local Port Range
If your Linux server opens lots of outgoing network connections, you need to increase the local port range. By default, the range is small. For example, a squid proxy server can come under fire if it runs out of ports. Other examples include heavy-traffic network servers such as nginx load balancers, LXD VMs and more.

You can use the sysctl command to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Please note that this hack is only useful for high-bandwidth, busy Linux servers or large-scale grid servers.

How to find the current port range

Type the following cat command:
$ cat /proc/sys/net/ipv4/ip_local_port_range
OR use the sysctl command:
$ sysctl net.ipv4.ip_local_port_range
Sample outputs:

net.ipv4.ip_local_port_range = 32768    61000

Set new local port range

You can set the range with any one of the following commands. You must be the root user:
# echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
OR
$ sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
The above defines the local port range that TCP and UDP use to choose the local port. The first number is the first local port, the second the last. If possible, it is better for these numbers to have different parity, i.e. one even and one odd value. The default values are 32768 and 60999 respectively, or whatever is set by your distro or sysadmin. In this example, 1024 is even and 65535 is odd. Otherwise you will get a warning that reads as follows:

ip_local_port_range: prefer different parity for start/end values.

Linux increase ip_local_port_range TCP port range using sysctl.conf

Finally, edit the /etc/sysctl.conf file to make the change to the /proc filesystem permanent, i.e. append the following lines to your /etc/sysctl.conf file:
# increase system IP port limits
net.ipv4.ip_local_port_range = 1024 65535
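
A range that starts at 1024 also covers the port numbers of services on the same host, such as the 3306 and 11211 listeners in the netstat output further down, so an outgoing connection can occupy a port that a service needs when it restarts. The following sketch is an added example, not part of the original article: it checks a proposed range (bounds and the parity rule above) and lists the listeners inside it as a value for net.ipv4.ip_local_reserved_ports, which excludes ports from automatic assignment. The function names and the sample `ss -H -ltun` lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: sanity-check a proposed ip_local_port_range and find local
# listeners that fall inside it. Function names are hypothetical.

# check_range START END: prints a verdict; exit status 1 if the range is unusable.
check_range() {
    awk -v s="$1" -v e="$2" 'BEGIN {
        if (s !~ /^[0-9]+$/ || e !~ /^[0-9]+$/) { print "invalid: not numeric"; exit 1 }
        s += 0; e += 0
        if (s < 1 || e > 65535 || s > e) { print "invalid: need 1 <= start <= end <= 65535"; exit 1 }
        if (s % 2 == e % 2) { print "warn: same parity"; exit 0 }
        print "ok"
    }'
}

# listeners_in_range START END: reads `ss -H -ltun` lines on stdin and prints the
# listening ports inside the range as one comma-separated list.
listeners_in_range() {
    awk -v lo="$1" -v hi="$2" '{
        n = split($5, part, ":")      # port is the text after the last ":" (works for [::]:80)
        port = part[n] + 0
        if (port >= lo + 0 && port <= hi + 0) seen[port] = 1   # array key removes tcp/udp duplicates
    } END { for (port in seen) print port }' | sort -n | paste -sd, -
}

# Constructed sample of `ss -H -ltun` output, so the example runs offline.
sample_listeners() {
    cat <<'EOF'
tcp LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp LISTEN 0 80   172.16.3.1:3306   0.0.0.0:*
tcp LISTEN 0 1024 172.16.3.1:11211  0.0.0.0:*
tcp LISTEN 0 511  [::]:80           [::]:*
udp UNCONN 0 0    0.0.0.0:11211     0.0.0.0:*
EOF
}

echo "range 1024 65535: $(check_range 1024 65535)"
echo "net.ipv4.ip_local_reserved_ports = $(sample_listeners | listeners_in_range 1024 65535)"
# On a live host, replace the sample with: ss -H -ltun | listeners_in_range 1024 65535
```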

How do I see all tcp/udp/ip session info

Use the netstat command or the ss command:
$ netstat -s | more
$ netstat -st #tcp
$ netstat -su #udp
$ netstat -sw #raw
$ netstat -nap
$ netstat -naptu | more

Sample outputs:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.16.3.1:11211        172.16.3.4:49806        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.4:49796        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.3:57004        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        10.105.28.42:50818      TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40514        TIME_WAIT   -               
tcp        0      0 172.16.3.1:3306         10.105.28.44:37984      TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.3:57008        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40508        TIME_WAIT   -               
tcp        0      0 172.16.3.1:3306         10.105.28.44:38080      TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40500        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.4:49774        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40462        TIME_WAIT   -               
tcp        0      0 172.16.3.1:3306         172.16.3.2:40806        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40518        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40472        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40442        TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40414        TIME_WAIT   -               
tcp        0      0 172.16.3.1:3306         10.105.28.44:38066      TIME_WAIT   -               
tcp        0      0 172.16.3.1:11211        172.16.3.2:40432        TIME_WAIT   -               
...
..

Or use the ss command:
$ ss -s
Sample outputs:

Total: 923 (kernel 39850)
TCP:   439 (estab 6, closed 423, orphaned 0, synrecv 0, timewait 370/0), ports 0
 
Transport Total     IP        IPv6
*	  39850     -         -        
RAW	  0         0         0        
UDP	  7         6         1        
TCP	  16        15        1        
INET	  23        21        2        
FRAG	  0         0         0
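
To see how much of the range is really in use, count sockets per remote endpoint rather than reading totals: sockets accepted by a local listener (like the :11211 and :3306 entries in the netstat sample above) share the listener's port and consume nothing from ip_local_port_range. This is an added example, not from the original article; the function names and the sample `ss -H -tan` lines are constructed.

```sh
#!/bin/sh
# Added example: count locally chosen source ports per remote endpoint.

# port_usage LO HI: reads `ss -H -tan` lines on stdin and prints, busiest first,
# "<sockets> <peer> of <ports in range>" for every remote endpoint.
port_usage() {
    awk -v lo="$1" -v hi="$2" '
        function port_of(addr,   part, n) { n = split(addr, part, ":"); return part[n] + 0 }
        $1 == "LISTEN" { listening[port_of($4)] = 1; next }
        { lport[NR] = port_of($4); peer[NR] = $5 }
        END {
            for (i in lport) {
                p = lport[i]
                # Accepted (server-side) sockets reuse the listener port, so they
                # are skipped; so is anything outside the configured range.
                if ((p in listening) || p < lo + 0 || p > hi + 0) continue
                used[peer[i]]++
            }
            size = hi - lo + 1
            for (k in used) printf "%d %s of %d\n", used[k], k, size
        }' | sort -rn
}

# Constructed sample of `ss -H -tan` output from a proxy host (172.16.3.2)
# that listens on 3128 and connects out to two backends.
sample_sockets() {
    cat <<'EOF'
LISTEN    0 128 0.0.0.0:22        0.0.0.0:*
LISTEN    0 128 0.0.0.0:3128      0.0.0.0:*
ESTAB     0 0   172.16.3.2:3128   10.105.28.42:50818
TIME-WAIT 0 0   172.16.3.2:3128   10.105.28.44:37984
TIME-WAIT 0 0   172.16.3.2:40514  172.16.3.1:11211
TIME-WAIT 0 0   172.16.3.2:40508  172.16.3.1:11211
ESTAB     0 0   172.16.3.2:40500  172.16.3.1:11211
TIME-WAIT 0 0   172.16.3.2:40806  172.16.3.1:3306
EOF
}

sample_sockets | port_usage 1024 65535
# On a live host: ss -H -tan | port_usage $(cat /proc/sys/net/ipv4/ip_local_port_range)
```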

For more info read the following man pages:
$ man sysctl
$ man 5 sysctl.conf
$ man ss
$ man netstat

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

14 comments

  1. worth mentioning…

    When adding ip_local_port_range to your sysctl.conf file, I had to use a tab between the 2 values or else the 2nd value was not being read correctly.

    centos5.2 w/ 2.6.18 vanilla.

    ciao.

  2. When I run ‘echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range’ I keep getting:

    -bash: /proc/sys/net/ipv4/ip_local_port_range: Permission denied

    Any ideas?

        1. @kellogs
          idiot, pull up your big boy pants and use root when necessary.

          root gestapo stoppers unite

        2. What a moron. It’s the correct advice. You could do it with sudo, but for something like this, meh!

  3. Thanks!

    I have succeeded to get rid of “haproxy Connect() failed for backend adsapp: no free ports” error messages using info in this article.

  4. I have changed the value to 31000 65535 but after a few days it again came back to 1024 65535. May I know what is the reason for this?

    I used the following to change
    echo 31000 65535 > /proc/sys/net/ipv4/ip_local_port_range

    Thanks in advance
