Created on 10-03-2016 03:09 AM Edited on 05-26-2022 07:06 AM By Anonymous
Description
If AO is tracking too many connections, the kernel connection-tracking table fills up and further TCP connections are rejected. This article describes how to raise the maximum connection-tracking table size in AO so that it can accept more connections.
If you are hitting this limit, /var/log/messages contains many entries of the form "kernel: ip_conntrack: table full, dropping packet."
Check the current usage and the limit (the first pair of paths is used by older kernels with the ip_conntrack module, the second pair by newer kernels with nf_conntrack):
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count   (current number of entries in the connection-tracking table)
cat /proc/sys/net/ipv4/ip_conntrack_max   (maximum number of entries in the connection-tracking table)
cat /proc/sys/net/netfilter/nf_conntrack_count   (same, newer kernels)
cat /proc/sys/net/netfilter/nf_conntrack_max   (same, newer kernels)
The default value in our configuration is 65536.
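As an added example (not part of the original article), a small POSIX shell script that reads the same /proc counters, trying the nf_conntrack path before the legacy ip_conntrack paths, and warns before the table is full so the limit can be raised before packets are dropped. The function names and the 80% warning threshold are this example's own choices.

```shell
#!/bin/sh
# Added example: report connection-tracking table usage so the limit can be
# raised before "ip_conntrack: table full, dropping packet" appears.
# Function names and the 80% warning threshold are this example's own choices.

# conntrack_path count|max -> prints the first readable /proc path, trying the
# newer nf_conntrack name before the legacy ip_conntrack names from the article.
conntrack_path() {
    for p in "/proc/sys/net/netfilter/nf_conntrack_$1" \
             "/proc/sys/net/ipv4/netfilter/ip_conntrack_$1" \
             "/proc/sys/net/ipv4/ip_conntrack_$1"; do
        if [ -r "$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX WARN_PCT -> prints one status line; exit code
# 0 = OK, 1 = above the warning threshold, 2 = table full (kernel drops packets)
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2") || return 3
    if [ "$1" -ge "$2" ]; then
        echo "FULL: $1/$2 (${pct}%) - kernel is dropping new connections"
        return 2
    elif [ "$pct" -ge "$3" ]; then
        echo "WARN: $1/$2 (${pct}%) - raise nf_conntrack_max/ip_conntrack_max"
        return 1
    fi
    echo "OK: $1/$2 (${pct}%)"
}

# conntrack_report [WARN_PCT] -> run against the live kernel; always exits 0
# so it is safe as a cron job, the printed status line carries the result.
conntrack_report() {
    count_file=$(conntrack_path count) && max_file=$(conntrack_path max) || {
        echo "no conntrack interface found under /proc (module not loaded?)"
        return 0
    }
    conntrack_status "$(cat "$count_file")" "$(cat "$max_file")" "${1:-80}" || :
}

conntrack_report "$@"
```

Call conntrack_status directly from a monitoring wrapper when the exit code matters; conntrack_report deliberately masks it.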
Raise the limit in /etc/sysctl.conf (use the name that matches your kernel; the first is the older ip_conntrack name, the second the newer nf_conntrack name):
# emacs /etc/sysctl.conf
net.ipv4.netfilter.ip_conntrack_max = 131072
net.nf_conntrack_max = 131072
Then modify the following file as well, so that restarting iptables does not unload the connection-tracking module and reset the limit to its default:
# emacs /etc/sysconfig/iptables-config
IPTABLES_MODULES_UNLOAD="no"
The VA runs the phProvision script from init.d, so the same value must also be set in the following files (e.g. for CentOS 5, VA version 3.7.x):
/opt/phoenix/config/sys/etc/etc_sysctl.conf.el5x32
/opt/phoenix/config/sys/etc/etc_sysctl.conf.el5x64
Finally, restart iptables and reload the sysctl settings:
service iptables restart
/sbin/sysctl -p
This change should only be applied if you have actually run out of connection-tracking entries.
Scope: ALL