On Fri, Mar 06, 2009 at 05:20:48PM -0500, John Lauro wrote:
> >   - net.netfilter.nf_conntrack_max = 265535
> >   - net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> >     => this proves that netfilter is indeed running on this machine
> >        and might be responsible for session drops. 265k sessions is
> >        very low for the large time_wait. It limits to about 2k
> >        sessions/s, including local connections on loopback, etc...
> > 
> > You should then increase nf_conntrack_max and nf_conntrack_buckets
> > to about nf_conntrack_max/16, and reduce
> > nf_conntrack_tcp_timeout_time_wait
> > to about 30 seconds.
> > 
> 
> Minor nit...
> He has:  net.netfilter.nf_conntrack_count = 0
> Which, if I am not mistaken, indicates that connection tracking, although in
> the kernel, is not being used.

Or maybe it was checked while the machine was not being used?

>  (No firewall rules triggering it).

You don't need firewall rules to trigger conntrack. Once loaded,
it does its work. Some people even use it to defragment packets :-)

Regards,
Willy
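Added example, not part of the thread above: a small POSIX shell helper that checks whether conntrack is loaded (by the presence of /proc/sys/net/netfilter), turns the nf_conntrack_max / TIME_WAIT pair into the sustainable session rate the reply estimates (265535 / 120 is the "about 2k sessions/s"), and emits the sysctl fragment with the suggested max/16 bucket count. The 1M-entry target in the demo call is a constructed value, not one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Values are passed as arguments so
# the arithmetic runs offline; read_live_settings reads a running kernel.

# New sessions/s the table can absorb if every entry lingers for the full
# TIME_WAIT timeout: max_entries / timeout_seconds (integer division).
conntrack_capacity() {
    max="$1"; tw="$2"
    echo $(( max / tw ))
}

# Hash bucket count suggested in the thread: nf_conntrack_max / 16.
recommended_buckets() {
    echo $(( $1 / 16 ))
}

# Print a sysctl.d fragment for a target max and TIME_WAIT timeout.
# nf_conntrack_buckets has historically been read-only via sysctl, so the
# hash size is shown as a write to the nf_conntrack module parameter.
emit_sysctl() {
    max="$1"; tw="$2"
    cat <<EOF
net.netfilter.nf_conntrack_max = $max
net.netfilter.nf_conntrack_tcp_timeout_time_wait = $tw
# hash size (run as root): echo $(recommended_buckets "$max") > /sys/module/nf_conntrack/parameters/hashsize
EOF
}

# Report live count/max/timeout; /proc/sys/net/netfilter only exists once
# nf_conntrack is in the kernel, so its absence means no tracking at all.
read_live_settings() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_max" ] || { echo "conntrack not loaded"; return 1; }
    echo "count=$(cat "$d/nf_conntrack_count")" \
         "max=$(cat "$d/nf_conntrack_max")" \
         "time_wait=$(cat "$d/nf_conntrack_tcp_timeout_time_wait")"
}

# Demo: fragment for a constructed 1M-entry table with the 30 s timeout.
[ $# -eq 0 ] && emit_sysctl 1048576 30
```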
