Article ID: 120056, created on Feb 10, 2014, last review on May 10, 2014

Applies to:
  • Virtuozzo 6.0


There are many connection tracking records in the file "/proc/self/net/nf_conntrack" on the node for a container's IP address "xx.xx.xx.73", all of them in the ESTABLISHED state but marked [UNREPLIED]:

ipv4     2 tcp      6 363312 ESTABLISHED src=xx.xx.xx.73 dst=yy.yy.yy.254 sport=80 dport=60440 [UNREPLIED] src=yy.yy.yy.254 dst=xx.xx.xx.73 sport=60440 dport=80 mark=0 secmark=0 use=2
ipv4     2 tcp      6 363090 ESTABLISHED src=xx.xx.xx.73 dst= sport=80 dport=63423 [UNREPLIED] src=yy.yy.yy.61 dst=xx.xx.xx.73 sport=63423 dport=80 mark=0 secmark=0 use=2
ipv4     2 tcp      6 362908 ESTABLISHED src=xx.xx.xx.73 dst=yy.yy.yy.6 sport=80 dport=1853 [UNREPLIED] src=yy.yy.yy.6 dst=xx.xx.xx.73 sport=1853 dport=80 mark=0 secmark=0 use=2


Possible causes are:

  1. a slow network connection between this container and the clients that use the service (Apache on port 80 in this case);
  2. a DDoS attack (SYN flood);
  3. traffic shaping enabled for the container.

The situation occurs in the following way:

  1. the client sends a SYN packet to the server;
  2. the server replies with an ACK packet and then sends data;
  3. while these return packets are still on the way to the client, the client sends RST or FIN to terminate the connection;
  4. the connection gets closed on both the client's and the server's side, but since the ACK was seen in one direction only, the connection tracking entry is never initialized properly.

As a result, the table can overflow, because such records are kept for a long time: 5 days in the default configuration.


There are several publicly suggested solutions:

  1. decrease the value of net.netfilter.nf_conntrack_tcp_timeout_established from 432000 seconds (5 days) to some reasonably low value, e.g. 7200 (2 hours):

    [root@hwnode ~]# sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7200 >> /etc/sysctl.conf

  2. disable connection tracking for the affected services/ports in the container (-j NOTRACK);

  3. set net.netfilter.nf_conntrack_tcp_loose to 0:

    [root@hwnode ~]# sysctl -w net.netfilter.nf_conntrack_tcp_loose=0 >> /etc/sysctl.conf

In both commands the redirection appends the "key = value" line printed by sysctl -w to /etc/sysctl.conf, so the setting is applied immediately and also survives a reboot. Note that a lowered timeout only applies to entries created or refreshed after the change; entries that are already stuck keep their original expiry and disappear only when it runs out.
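The following Python script is an added example and not code from the original article. It parses lines in the /proc/net/nf_conntrack format shown above, picks out the entries that are ESTABLISHED but [UNREPLIED] and whose original direction starts at the container's own address and service port (the signature of the server-side pickup described in the cause section), counts them per service port, and reports how many of them still have more seconds left than the 7200 proposed in solution 1. The sample lines, the 192.0.2.x client addresses and the container IP 10.0.0.73 are constructed placeholders mirroring the article's output (including the line with an empty dst= value); on a node, pass the real container IP as the first argument and the script reads /proc/net/nf_conntrack instead.

```python
"""Find conntrack entries stuck ESTABLISHED/[UNREPLIED] for a container IP.

Added example, not code from the original article. Parses lines in the
/proc/net/nf_conntrack format, groups the stuck entries per service port and
checks how many still outlive a proposed nf_conntrack_tcp_timeout_established.
"""
import re
import sys
from collections import Counter

# Constructed sample in the same layout as the article's output; the
# addresses are documentation placeholders (assumption), not real hosts.
SAMPLE = """\
ipv4     2 tcp      6 363312 ESTABLISHED src=10.0.0.73 dst=192.0.2.254 sport=80 dport=60440 [UNREPLIED] src=192.0.2.254 dst=10.0.0.73 sport=60440 dport=80 mark=0 secmark=0 use=2
ipv4     2 tcp      6 363090 ESTABLISHED src=10.0.0.73 dst= sport=80 dport=63423 [UNREPLIED] src=192.0.2.61 dst=10.0.0.73 sport=63423 dport=80 mark=0 secmark=0 use=2
ipv4     2 tcp      6 362908 ESTABLISHED src=10.0.0.73 dst=192.0.2.6 sport=80 dport=1853 [UNREPLIED] src=192.0.2.6 dst=10.0.0.73 sport=1853 dport=80 mark=0 secmark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.9 dst=10.0.0.73 sport=51000 dport=80 src=10.0.0.73 dst=192.0.2.9 sport=80 dport=51000 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.73 dst=192.0.2.53 sport=40000 dport=53 src=192.0.2.53 dst=10.0.0.73 sport=53 dport=40000 mark=0 secmark=0 use=2
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value token; the value may be empty


def parse_entry(line):
    """Parse one nf_conntrack line into a dict; return None for blank/garbage."""
    fields = line.split()
    if len(fields) < 5:
        return None
    entry = {"family": fields[0], "proto": fields[2], "timeout": int(fields[4])}
    rest = fields[5:]
    # TCP entries carry a state name before the first src=; UDP/ICMP do not.
    entry["state"] = rest.pop(0) if rest and "=" not in rest[0] and not rest[0].startswith("[") else None
    entry["unreplied"] = "[UNREPLIED]" in rest
    entry["assured"] = "[ASSURED]" in rest
    # First src/dst/sport/dport group is the original direction, second is the reply.
    tuples, current = [], {}
    for tok in rest:
        m = KV.fullmatch(tok)
        if not m:
            continue  # flags such as [UNREPLIED] are handled above
        key, val = m.groups()
        if key == "src" and current:
            tuples.append(current)
            current = {}
        if key in ("src", "dst", "sport", "dport"):
            current[key] = val
        else:
            entry[key] = val  # mark=, secmark=, use=, zone= ...
    if current:
        tuples.append(current)
    entry["orig"] = tuples[0] if tuples else {}
    entry["reply"] = tuples[1] if len(tuples) > 1 else {}
    return entry


def stuck_entries(lines, ip):
    """ESTABLISHED but [UNREPLIED] TCP entries whose original direction starts at ip.

    Such entries were created from a packet sent by the server, i.e. the flow
    was picked up mid-stream after the client had already torn it down.
    """
    out = []
    for line in lines:
        e = parse_entry(line)
        if (e and e["proto"] == "tcp" and e["state"] == "ESTABLISHED"
                and e["unreplied"] and e["orig"].get("src") == ip):
            out.append(e)
    return out


def summarize_by_port(entries):
    """Counter of service ports (original-direction sport) among stuck entries."""
    return Counter(e["orig"].get("sport") for e in entries)


def outliving_timeout(entries, proposed):
    """Entries with more than `proposed` seconds left; a lowered sysctl does not
    shorten them, they stay until their already-assigned expiry runs out."""
    return [e for e in entries if e["timeout"] > proposed]


def read_conntrack(path="/proc/net/nf_conntrack"):
    """Read the live table; empty list if the file is absent (module not loaded)."""
    try:
        with open(path) as fh:
            return fh.read().splitlines()
    except OSError:
        return []


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ip, lines = sys.argv[1], read_conntrack()
    else:
        ip, lines = "10.0.0.73", SAMPLE.splitlines()  # constructed demo data
    stuck = stuck_entries(lines, ip)
    print(f"{len(stuck)} stuck ESTABLISHED/[UNREPLIED] entries for {ip}")
    for port, n in summarize_by_port(stuck).most_common():
        print(f"  service port {port}: {n}")
    lingering = outliving_timeout(stuck, 7200)
    print(f"{len(lingering)} of them still have more than 7200 s left")
```

Run without arguments to see the result on the constructed sample (three stuck entries, all on port 80, all with far more than 7200 s left); run as `python3 conntrack_stuck.py <container-ip>` on the node to inspect the live table. The filter deliberately excludes entries whose original direction comes from a client (the [ASSURED] line) and non-TCP entries, so a flood of ordinary short-lived connections is not confused with the stuck ones.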

Search Words

conntrack overuse from container
