During tonight's system cutover, after modifying the component configuration and restarting the service, the host hung: operating system commands could not be executed and it was impossible to log in to the host.
After the component service was stopped, the host returned to normal.
Checking the host's kernel log (dmesg) showed a large number of kernel error messages:
kernel: nf_conntrack: table full, dropping packet
This is iptables reporting that the connection tracking table is full and it has started dropping packets.
(After the service was stopped) socket usage checked with ss -s:
Total: 5281 (kernel 5488) TCP: 3070 (estab 3031, closed 13, orphaned 0, synrecv 0, timewait 12/0), ports 1182
Solution:
1. Disable iptables. Not an option: the security requirements and security policy mandate that iptables stay enabled.
2. Increase the size of the iptables connection tracking table by adjusting the corresponding kernel parameters:
net.netfilter.nf_conntrack_max = 655360
net.nf_conntrack_max = 655360
The default nf_conntrack_max is 65536; set these two parameters in /etc/sysctl.conf to ten times the default.
Total: 146262 (kernel 146338) TCP: 143817 (estab 143634, closed 156, orphaned 0, synrecv 0, timewait 155/0), ports 1161
The service program now starts normally.
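As an added example (not part of the original note), a small POSIX shell check that reports how close the nf_conntrack table is to the "table full" condition and emits the two sysctl lines used above; the SAMPLE_* values and the 80% warning threshold are constructed assumptions, and on a live host the /proc files are read instead.

```shell
#!/bin/sh
# Added example (not from the original note): report nf_conntrack table usage
# before the kernel starts logging "nf_conntrack: table full, dropping packet",
# and print the /etc/sysctl.conf lines from the fix. SAMPLE_* values are constructed.

# Constructed sample values standing in for the /proc reads below.
SAMPLE_COUNT=65530
SAMPLE_MAX=65536
# Constructed 'ss -s' summary line in the same shape as the one in the note.
SAMPLE_SS_LINE='Total: 146262 (kernel 146338) TCP: 143817 (estab 143634, closed 156, orphaned 0, synrecv 0, timewait 155/0), ports 1161'

# Read a /proc value if it exists on this host, otherwise fall back to the sample.
read_or_sample() {
  if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}
read_count() { read_or_sample /proc/sys/net/netfilter/nf_conntrack_count "$SAMPLE_COUNT"; }
read_max()   { read_or_sample /proc/sys/net/netfilter/nf_conntrack_max   "$SAMPLE_MAX"; }

# Established TCP sockets from an 'ss -s' line; each one occupies at least one conntrack entry.
ss_estab() {
  printf '%s\n' "$1" | sed -n 's/.*estab \([0-9][0-9]*\).*/\1/p'
}

# Integer percentage of the conntrack table in use: conntrack_pct COUNT MAX
conntrack_pct() {
  echo $(( $1 * 100 / $2 ))
}

# True when usage is at or above THRESHOLD percent: conntrack_near_full COUNT MAX THRESHOLD
conntrack_near_full() {
  [ "$(conntrack_pct "$1" "$2")" -ge "$3" ]
}

# The two /etc/sysctl.conf lines from the fix for a given new maximum
# (net.nf_conntrack_max is the legacy alias of net.netfilter.nf_conntrack_max).
# When raising the maximum, also consider raising the hash table size in
# /sys/module/nf_conntrack/parameters/hashsize so lookups do not degrade.
conntrack_sysctl_lines() {
  printf 'net.netfilter.nf_conntrack_max = %s\nnet.nf_conntrack_max = %s\n' "$1" "$1"
}

count=$(read_count); max=$(read_max)
echo "conntrack: $count / $max entries ($(conntrack_pct "$count" "$max")%), estab TCP: $(ss_estab "$SAMPLE_SS_LINE")"
if conntrack_near_full "$count" "$max" 80; then
  echo "WARNING: conntrack table above 80%; packets are dropped once it reaches 100%"
  echo "Suggested /etc/sysctl.conf entries (apply with 'sysctl -p'):"
  conntrack_sysctl_lines $(( max * 10 ))
fi
```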