I'm a couple of decades out of practice with Unix stuff now, but having spent a few hours delving into the router and various web pages I now have some observations but no real insight or cure:
* The errors are generated simply by web page accesses (e.g. http://www.theregister.co.uk, but pretty much any "busy" web site seems to do it), and to the extent that I get them __ratelimit-ed too - no bit torrents running.
* Not all machines cause the problem.
* The expectation table seems small (cat /proc/sys/net/netfilter/nf_conntrack_expect_max) at 32 entries, but I can't find much info about what is normal.
* When I open just http://www.theregister.co.uk, the main conntrack table shows 400+ entries (both cat /proc/net/ip_conntrack and cat /proc/net/nf_conntrack_expect), which seems a lot, but they decay fairly soon; this happens when I access the page from a machine that causes expectation full errors and from one that doesn't.
* Having increased the expectation table (echo NN > /proc/sys/net/netfilter/nf_conntrack_expect_max, where I tried NN=64 then 128), I can see that this single page can generate over 100 expectation entries (when accessed from some, but not all, machines that is).
* Looking at the contents of the expectation table immediately after the page opens (cat /proc/net/ip_conntrack_expect, with cat /proc/net/nf_conntrack_expect being similar but slightly different in form), taking the dport numbers shown and looking for the matching lines in the main conntrack table, I see that these are mainly for 53 (DNS) and 443 (SSL) connections.
So now I'm wondering:
* What effect does having entries dropped from the expectation table have on the actual browsing? The pages seem to display correctly, after all.
* Should I be surprised that DNS and SSL connections end up in the expectation table? (I thought it was for the likes of FTP.)
* And if DNS and SSL traffic does end up there, why does the problem manifest itself when the web page is accessed from some machines and not others?
* Is nf_conntrack_expect_max = 32 just too low a value, and what are the memory consequences of increasing it to, say, 1000+ (to cope with multiple pages opening), and can I make that remembered through a reboot?
* And/or, what is actually causing this?
8800NL log entry: nf_conntrack: expectation table full
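The post above reads the expectation table by hand and eyeballs the dport values. The script below is an added example, not the poster's code and not anything shipped with the 8800NL: it tallies the expectation table by expected destination port and by the helper name the kernel prints at the end of each line, reports usage against nf_conntrack_expect_max, and records a larger limit so it survives a reboot. It assumes a Linux netfilter kernel exposing the table at /proc/net/nf_conntrack_expect (or /proc/net/ip_conntrack_expect on older kernels, which carries the same "dport=" tokens) and the limit at /proc/sys/net/netfilter/nf_conntrack_expect_max; the sample lines embedded in it are constructed, not a capture from the router. Two points worth knowing when reading the output: the kernel derives the default limit from the conntrack hash size (hash buckets / 256, times 4), so 32 is simply what a router with a 2048-bucket conntrack hash gets, and each expectation is one small kernel object well under 1 KB, so raising the limit to 1024 costs at most a few hundred kilobytes.

```shell
#!/bin/sh
# Added diagnostic for the "nf_conntrack: expectation table full" question;
# not the poster's code and not part of the router firmware.
# Assumptions: expectation table at /proc/net/nf_conntrack_expect (older
# kernels: /proc/net/ip_conntrack_expect, same "dport=" tokens) and the limit
# at /proc/sys/net/netfilter/nf_conntrack_expect_max. Every function takes the
# file(s) to read as arguments so it can be run on a saved copy, or on the
# constructed sample below, without root.

# Constructed sample in the /proc/net/nf_conntrack_expect layout (NOT a real
# capture): timeout, L3/L4 protocol, expected tuple, optional helper name.
SAMPLE_EXPECT='299 l3proto = 2 proto=17 src=192.168.1.10 dst=192.168.1.1 sport=0 dport=53
298 l3proto = 2 proto=6 src=192.168.1.10 dst=203.0.113.7 sport=0 dport=443
297 l3proto = 2 proto=6 src=192.168.1.10 dst=203.0.113.8 sport=0 dport=443
296 l3proto = 2 proto=17 src=192.168.1.20 dst=198.51.100.3 sport=0 dport=53
295 l3proto = 2 proto=6 src=10.0.0.5 dst=198.51.100.20 sport=0 dport=30011 ftp'

# expect_table_usage EXPECT_FILE MAX_FILE -> "used/max", e.g. "5/32"
expect_table_usage() {
    used=$(grep -c . "$1" || true)      # non-empty lines = live expectations
    max=$(tr -d ' \n' < "$2")           # contents of nf_conntrack_expect_max
    echo "$used/$max"
}

# expect_count_for_dport EXPECT_FILE PORT -> number of expectations whose
# expected destination port is PORT (prints 0 when there are none)
expect_count_for_dport() {
    grep -c -E "dport=$2( |\$)" "$1" || true
}

# expect_by_dport EXPECT_FILE -> "count dport" lines, busiest port first;
# the poster's "mainly 53 and 443" observation as one command
expect_by_dport() {
    sed -n 's/.*dport=\([0-9][0-9]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn
}

# expect_helpers EXPECT_FILE -> "count helper" lines. The kernel appends the
# registering helper's name (ftp, sip, ...) after the tuple; a line that ends
# in its dport token was registered without a named helper and is reported
# as "(none)". Which helper owns the entries is the real clue to why DNS or
# 443 traffic shows up here at all.
expect_helpers() {
    awk '{ h = $NF; if (h ~ /^dport=/) h = "(none)"; c[h]++ }
         END { for (h in c) print c[h], h }' "$1" | sort -rn
}

# persist_expect_max N [SYSCTL_CONF] -> record the limit so it survives a
# reboot. The immediate change is 'sysctl -w net.netfilter.nf_conntrack_expect_max=N'
# or an echo into /proc/sys/net/netfilter/nf_conntrack_expect_max; on router
# firmware without /etc/sysctl.conf you must use whatever start-up hook the
# firmware provides (assumption - check the 8800NL's own mechanism).
persist_expect_max() {
    echo "net.netfilter.nf_conntrack_expect_max = $1" >> "${2:-/etc/sysctl.conf}"
}

# Stand-alone demo on the constructed sample (no /proc access needed).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_EXPECT" > "$tmp"
maxf=$(mktemp); echo 32 > "$maxf"
echo "expectations in use: $(expect_table_usage "$tmp" "$maxf")"
echo "by expected destination port:"; expect_by_dport "$tmp"
echo "by helper:";                    expect_helpers "$tmp"
rm -f "$tmp" "$maxf"
```

On the router itself the same functions are pointed at the live files, e.g. `expect_by_dport /proc/net/nf_conntrack_expect` and `expect_table_usage /proc/net/nf_conntrack_expect /proc/sys/net/netfilter/nf_conntrack_expect_max`, run from a second shell while the busy page is loading, since the entries time out quickly. Run `expect_helpers` first: if every entry shows "(none)" or an unexpected helper, that, rather than the size of the table, is what to chase, because a correctly sized table only stops the log message, it does not explain why plain DNS and HTTPS flows are creating expectations.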