cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Animesh Chaturvedi (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-6473) Debian 7 Virtual Router ip_conntrack_max not set at boot
Date Sun, 02 Nov 2014 15:44:35 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-6473?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Animesh Chaturvedi updated CLOUDSTACK-6473:
-------------------------------------------
    Assignee: Sheng Yang

> Debian 7 Virtual Router ip_conntrack_max not set at boot
> --------------------------------------------------------
>
>                 Key: CLOUDSTACK-6473
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6473
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Virtual Router
>    Affects Versions: 4.3.0
>         Environment: XenServer 6.2
> CloudStack 4.3.0
> Debian 7 SystemVM/Virtual Router
>            Reporter: Logan B
>            Assignee: Sheng Yang
>             Fix For: 4.5.0
>
>
> The Problem:
> The Debian 7 Virtual Router VMs for XenServer experiences intermittent connectivity problems.
 This affects all VMs behind the virtual router in various ways: SSH failures, Apache connections
fail, etc.
> This issue also affects various function within CloudStack that attempt to connect to
the Virtual Router (updating firewall rules, NAT, etc.)
> The Cause:
> It appears that the issues is being caused by a low default limit for the net.ipv4.netfilter.ip_conntrack_max
sysctl.  The issue can be easily diagnosed in /var/log/messages:
> Apr 22 15:45:34 r-5602-VM kernel: [ 1085.117498] nf_conntrack: table full, dropping packet.
> Apr 22 15:45:34 r-5602-VM kernel: [ 1085.133095] nf_conntrack: table full, dropping packet.
> Apr 22 15:45:34 r-5602-VM kernel: [ 1085.145440] nf_conntrack: table full, dropping packet.
> The default setting for ip_conntrack_max is '3796': 
> # sysctl net.ipv4.netfilter.ip_conntrack_max
> net.ipv4.netfilter.ip_conntrack_max = 3796
> As per /etc/sysctl.conf this setting should be '1000000':
> net.ipv4.netfilter.ip_conntrack_max=1000000
> It would appear that this setting is not being correctly applied when the virtual router
boots.
> The Solution:
> - A temporary workaround is to manually set the ip_conntrack_max sysctl to the correct
value:
> # sysctl -w net.ipv4.netfilter.ip_conntrack_max=1000000
> It's likely that this sysctl is being run at boot before the module is loaded, so it
doesn't take effect.  There are various solutions suggested around the web, any of which should
work fine.
> To resolve this problem a new System VM template should be created.  I'm assuming this
can be done in between CloudStack releases.  I know there is supposed to be a new template
released to fix the HeartBleed vulnerability, so this would be a good fix to include with
that updated template.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message