Are you sure nf_conntrack_max is the problem? Do you see "hashtable full drop connection" in dmesg? As general advice, run conntrack -L (or cat /proc/xxx session table) when the problem happens and analyse where the sessions come from first.

Cheers.

On Thu, Jun 14, 2012 at 5:52 PM, José Pablo Pérez <josepablo@xxxxxxxxxxxx> wrote:
> Hello again guys...
>
> I have a webserver which should be able to handle 10,000 established
> requests; right now it's been tested with 1000 but it fails because of
> too many connections in TIME_WAIT
>
> I have been reading prior to posting and it seems I have two options:
>
> Increase these two:
> sysctl -a | grep conntrack | grep net.nf_conntrack_max
> net.nf_conntrack_max = 31772
>
> sysctl -w net.netfilter.nf_conntrack_max=131072
> echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
>
> Or decrease the timeouts.. which right now I have...
>
> Right now I have:
>
> sysctl -a | grep conntrack | grep timeout
> net.netfilter.nf_conntrack_generic_timeout = 600
> net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
> net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
> net.netfilter.nf_conntrack_tcp_timeout_established = 432000
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close = 10
> net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
> net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
> net.netfilter.nf_conntrack_udp_timeout = 30
> net.netfilter.nf_conntrack_udp_timeout_stream = 180
> net.netfilter.nf_conntrack_icmp_timeout = 30
> net.netfilter.nf_conntrack_events_retry_timeout = 15
>
> I am more keen on the second because a high
> net.ipv4.netfilter.ip_conntrack_max, according to what I read, can lead
> to a system freeze.... so can anybody offer me a reference to tune and
> lower these parameters? I tried lowering the
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait to 5 ... but
> that didn't change anything much.
>
> Thanks..!
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
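
An added example, not part of the original thread: one way to do the analysis the reply suggests, by summarising `conntrack -L` (or /proc/net/nf_conntrack) text per protocol state and per original source address. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise conntrack entries by state and by original source.
# Reads `conntrack -L` or /proc/net/nf_conntrack text on stdin.
summarise_conntrack() {
    awk '
    {
        # /proc/net/nf_conntrack prefixes each line with "ipv4 2" or "ipv6 10"
        proto = ($1 ~ /^ipv[46]$/) ? $3 : $1
        state = "-"; src = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^src=/) {          # first src= is the original direction
                src = substr($i, 5)
                # TCP lines carry the state name just before the tuple
                if ($(i-1) ~ /^[A-Z_]+$/) state = $(i-1)
                break
            }
        }
        if (src == "") next              # skip lines that are not entries
        total++
        by_state[proto " " state]++
        by_src[src]++
    }
    END {
        printf "total %d\n", total
        for (k in by_state) printf "state %d %s\n", by_state[k], k
        for (s in by_src)   printf "src %d %s\n", by_src[s], s
    }' | LC_ALL=C sort -k1,1r -k2,2nr    # total, then states, then sources
}

# Constructed sample input (documentation address ranges), not a real capture.
sample_conntrack() {
    cat <<'EOF'
tcp      6 117 TIME_WAIT src=203.0.113.7 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40001 [ASSURED] mark=0 use=1
tcp      6 98 TIME_WAIT src=203.0.113.7 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40002 [ASSURED] mark=0 use=1
tcp      6 45 TIME_WAIT src=203.0.113.7 dst=192.0.2.10 sport=40003 dport=80 src=192.0.2.10 dst=203.0.113.7 sport=80 dport=40003 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=198.51.100.23 dst=192.0.2.10 sport=50999 dport=80 src=192.0.2.10 dst=198.51.100.23 sport=80 dport=50999 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=198.51.100.23 dst=192.0.2.10 sport=51000 dport=80 [UNREPLIED] src=192.0.2.10 dst=198.51.100.23 sport=80 dport=51000 mark=0 use=1
ipv4     2 udp      17 25 src=198.51.100.99 dst=192.0.2.10 sport=5353 dport=53 src=192.0.2.10 dst=198.51.100.99 sport=53 dport=5353 mark=0 use=2
EOF
}

# Live use (assumes conntrack-tools is installed; run as root):
#   conntrack -L 2>/dev/null | summarise_conntrack
sample_conntrack | summarise_conntrack
```

Comparing the `total` line with net.netfilter.nf_conntrack_max shows how close the table is to full, and the `state` and `src` lines show which states and clients account for the entries.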