In message <200305290113.58552.prez@xxxxxxxxxxxxx> you write:
> We have a system that acts as a router, however any new inbound connection for
> any machine behind this router is re-directed to a specific port on the local
> machine, where an application responds as if it were the system behind the
> router. These systems experience some very high volumes of traffic

Sounds a lot like something is happening to the FIN or RST packets: as soon as
conntrack sees a FIN or RST, it'll leave ESTABLISHED and timeout fairly quickly.

Now, there are several simple things you can do here, as well as dropping the
ESTABLISHED timeout:

1) Try 2.4.21-rc5. The hashing algorithm was markedly improved, which you could
   well be hitting.

2) You set the conntrack_max to 524280, but on a 1GB machine you'll only have
   about 8192 hash chains, making each chain 64 long. Up the hashsize module
   parameter to around 100000 (or edit the kernel source if builtin, sorry).

There are certainly more intrusive measures we can investigate, too.

> We have multiple systems performing this task (essentially for load balancing
> and to remove a single point of failure).

Um, how are you load balancing? Remember, if the connection tracking code
doesn't see all the packets for a connection, it can't work.

Cheers,
Rusty.
--
Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
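As an added example, not part of Rusty's reply or of the netfilter code: a small POSIX sh audit that applies the arithmetic from point 2) to a live host, reporting the average hash chain length and the bucket count needed to bring it down. The /proc and /sys paths are assumptions (the nf_conntrack names are what current kernels expose; the 2.4-era ip_conntrack had only the ip_conntrack_max sysctl and no runtime view of hashsize), and the target chain length of 8 is a choice made here.

```sh
#!/bin/sh
# Added example: sanity-check the ratio between the conntrack table size and
# the number of hash buckets (the thread's case: 524280 entries over 8192
# chains, i.e. 64 entries per chain).

# Average (rounded up) entries per hash chain for a table size and bucket count.
chain_length() {            # $1 = conntrack_max, $2 = hashsize
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Bucket count needed to keep chains at or below a target length.
hashsize_for() {            # $1 = conntrack_max, $2 = target chain length (default 8)
    target=${2:-8}
    echo $(( ($1 + target - 1) / target ))
}

# Print the first readable file among the candidates; print nothing if none is.
read_first() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    echo ""
}

# Report the live values. Paths are assumptions for this example: the
# nf_conntrack names are what modern kernels expose; ip_conntrack_max is the
# 2.4-era sysctl name used in the thread.
audit_conntrack() {
    max=$(read_first /proc/sys/net/netfilter/nf_conntrack_max \
                     /proc/sys/net/ipv4/ip_conntrack_max)
    buckets=$(read_first /sys/module/nf_conntrack/parameters/hashsize)
    if [ -z "$max" ] || [ -z "$buckets" ]; then
        echo "conntrack parameters not readable on this host"
        return 0
    fi
    len=$(chain_length "$max" "$buckets")
    echo "conntrack_max=$max hashsize=$buckets avg_chain=$len"
    if [ "$len" -gt 8 ]; then
        echo "chains are long; consider hashsize=$(hashsize_for "$max" 8)"
    fi
}

audit_conntrack
```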