Mailinglist Archive: opensuse-security (228 mails)

Re: [suse-security] still have problems with "kernel: ip_conntrack: table full, dropping packet."
  • From: Marc Samendinger <marc.samendinger@xxxxxxxxxxxx>
  • Date: Wed, 9 Mar 2005 09:59:28 +0100
  • Message-id: <20050309085928.GD14027@xxxxxxxxxxxxxxxxxxxxxx>
On Mon, Mar 07, 2005 at 05:29:30PM +0100, Ludwig Nussel wrote:
> Ludwig Nussel wrote:
> > Sandu Mihai wrote:
> > > Upgrading to SuSE 9.2 will not solve the problem in any way. I had the
> > > same problem, and it was solved by removing the ip_conntrack module from
> > > that server.
> > > I have tried to bump up the conntrack table size using /etc/sysctl.conf
> > > and boot.sysctl, it had no effect whatsoever. The system in question is
> > > a SuSE 9.2 Professional with the latest patches applied.

I hope it's OK if I jump into this thread. I have the same problem with
a SuSE 9.0 gateway.

For your information:
behind the gateway there's a proxy server (192.168.100.2) that connects
to a Trendmicro Viruswall on the gateway (192.168.100.1:8080).

> > The problem is in our bug tracking system but it's hard to
> > reproduce. Can you please post the content of /proc/net/ip_conntrack
> > and /proc/net/ip_conntrack_expect when the problem occurs?

Output is attached.

> To those seeing the problem on SUSE LINUX 9.2: Can you please try
> these settings and see if the problem occurs again?
>
> echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
> echo 255 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

Any tips on what to do with my SuSE 9.0 box?

> This will change the way TCP window tracking works and makes the
> kernel log packets that look suspicious to conntrack.
>
> Thanks,
> cu
> Ludwig

TIA
marc
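
The thread asks for the content of /proc/net/ip_conntrack when the table fills up. The following is an added example, not part of the original mail or the attachment: a small Python summary of such a dump by TCP state and original destination, to show which flows occupy the table. The function names and the sample lines are constructed for illustration.

```python
import sys
from collections import Counter

# Constructed sample lines in the /proc/net/ip_conntrack text format
# (not the poster's attachment; 203.0.113.5 is a documentation address).
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.100.2 dst=192.168.100.1 sport=40001 dport=8080 src=192.168.100.1 dst=192.168.100.2 sport=8080 dport=40001 [ASSURED] use=1
tcp      6 431985 ESTABLISHED src=192.168.100.2 dst=192.168.100.1 sport=40002 dport=8080 src=192.168.100.1 dst=192.168.100.2 sport=8080 dport=40002 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=40003 dport=8080 src=192.168.100.1 dst=192.168.100.2 sport=8080 dport=40003 [ASSURED] use=1
tcp      6 115 SYN_SENT src=192.168.100.7 dst=203.0.113.5 sport=40004 dport=80 [UNREPLIED] src=203.0.113.5 dst=192.168.100.7 sport=80 dport=40004 use=1
udp      17 25 src=192.168.100.2 dst=192.168.100.1 sport=40005 dport=53 src=192.168.100.1 dst=192.168.100.2 sport=53 dport=40005 use=1
"""

def parse_line(line):
    """Parse one conntrack line; returns None for blank or malformed lines."""
    tok = line.split()
    if len(tok) < 4 or not tok[2].isdigit():
        return None
    entry = {"proto": tok[0], "timeout": int(tok[2]), "state": "-", "flags": set()}
    rest = tok[3:]
    # Only TCP entries carry a state word; UDP/ICMP go straight to src=...
    if "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"], rest = rest[0], rest[1:]
    for t in rest:
        if t.startswith("["):
            entry["flags"].add(t.strip("[]"))
        elif "=" in t:
            key, val = t.split("=", 1)
            entry.setdefault(key, val)  # first src/dst/sport/dport = original direction
    return entry

def summarize(text):
    """Tally entries by state and by original destination address and port."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {
        "total": len(entries),
        "by_state": Counter(e["state"] for e in entries),
        "by_dst": Counter((e.get("dst"), e.get("dport")) for e in entries),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        # Entries whose remaining timeout exceeds one day stay in the table longest.
        "long_timeout": sum(e["timeout"] > 86400 for e in entries),
    }

if __name__ == "__main__":
    # Pass a saved dump (or /proc/net/ip_conntrack) as argument; defaults to SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, value in summarize(text).items():
        print(name, value)
```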