hardware problem ?

Keith Morse kgmorse
Mon May 17 11:58:24 PDT 2004


On Sun, 18 Jan 2004, Vu Pham wrote:

> 
> ----- Original Message ----- 
> From: "Net Llama!" <netllama at linux-sxs.org>
> To: <linux-users at linux-sxs.org>
> Sent: Sunday, January 18, 2004 6:21 PM
> Subject: Re: hardware problem ?
> 
> 
> >
> > No, the problem is the very large number of tcp/ip connections hitting
> > your box.  You need to increase the number of connection tracking table
> > entries.  You can review your table with:
> >
> > # cat /proc/net/ip_conntrack
> >
> > The max number of connections is set in
> >
> > # cat /proc/sys/net/ipv4/ip_conntrack_max
> >
> > You can increase it with:
> >
> > # echo "some_number" > /proc/sys/net/ipv4/ip_conntrack_max
> 
> Thanks a lot for this tip. I am googling for how to fix this. I will add
> this now.
> 
> >
> > Did the output of ifconfig for each interface show any errors?  What
> > kind of NIC(s) do you have?  There are some cases of the old eepro100
> > driver hanging under very heavy network load traffic (like you
> > apparently have).
> 
> I viewed ifconfig -all this morning and there were no errors reported.
> if0 is the main network interface that connects to the Internet.
> if1 is the network card for internal workstation
> if2 is the network card for backup, it connects to the Internet thru an ISDN
> line.
> 
> the gateway is for the router on if0.
> 
> This configuration has worked for about 8 months, then suddenly 3 weeks ago,
> and then this morning, that problem occurred.
> 
> I *temporarily* fixed it by restarting the server.


Then be very suspicious.  What you describe above sounds exactly like the 
scenario I experienced when a ms-blast worm struck our internal 
infrastructure.  I'd recommend at least looking at the packets flowing 
thru the firewall with tools like tcpdump (simplest), ethereal (more 
complex but easier to read), and ntop (seriously slick tool).  My firewall 
supports about 250 nodes and never had a problem with ip_conntrack_max 
until that ms-blast worm.

AND...

permit few/deny all for BOTH directions of packets thru a firewall.
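As an added example (not code from the thread), a small Python script that reads the /proc/net/ip_conntrack table Net Llama mentions and summarises it the way a defender would before simply raising ip_conntrack_max: how full the table is, and which source hosts hold many half-open flows to hosts that never answer, which is the pattern the worm scenario above would produce. The sample table, the limit and the warning threshold are constructed.

```python
"""Summarise a /proc/net/ip_conntrack dump (2.4-era format): table fill and half-open fan-out per source."""
import re
# Constructed sample table; the real one is read from /proc/net/ip_conntrack.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.1 sport=34567 dport=80 src=10.0.0.1 dst=192.168.1.10 sport=80 dport=34567 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.168.1.23 dst=10.1.2.3 sport=1025 dport=135 [UNREPLIED] src=10.1.2.3 dst=192.168.1.23 sport=135 dport=1025 use=1
tcp      6 116 SYN_SENT src=192.168.1.23 dst=10.1.2.4 sport=1026 dport=135 [UNREPLIED] src=10.1.2.4 dst=192.168.1.23 sport=135 dport=1026 use=1
tcp      6 115 SYN_SENT src=192.168.1.23 dst=10.1.2.5 sport=1027 dport=135 [UNREPLIED] src=10.1.2.5 dst=192.168.1.23 sport=135 dport=1027 use=1
udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=5353 use=1
"""
# Constructed limit; the real one is /proc/sys/net/ipv4/ip_conntrack_max.
SAMPLE_CONNTRACK_MAX = 6

# proto, layer-4 number, timeout, optional TCP state, then the original direction's src/dst.
ENTRY_RE = re.compile(r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

def parse_conntrack(text):
    """Return one dict per entry: protocol, TCP state (None for UDP), original src/dst, UNREPLIED flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # skip blank or unexpected lines rather than crash on a live table
            entries.append({"proto": m["proto"], "state": m["state"], "src": m["src"],
                            "dst": m["dst"], "unreplied": "[UNREPLIED]" in line})
    return entries

def table_usage(entries, conntrack_max):
    """Fraction of ip_conntrack_max in use; the symptom in the thread is this reaching 1.0."""
    return len(entries) / conntrack_max

def unreplied_fanout(entries):
    """Distinct destinations per source among half-open flows.  One host reaching
    many addresses that never answer is the pattern to inspect with tcpdump."""
    fanout = {}
    for e in entries:
        if e["unreplied"]:
            fanout.setdefault(e["src"], set()).add(e["dst"])
    return {src: len(dsts) for src, dsts in fanout.items()}

def report(text=SAMPLE_CONNTRACK, conntrack_max=SAMPLE_CONNTRACK_MAX, warn_at=0.8):
    entries = parse_conntrack(text)
    usage = table_usage(entries, conntrack_max)
    print(f"{len(entries)} of {conntrack_max} conntrack entries in use ({usage:.0%})")
    if usage >= warn_at:
        print("WARNING: table nearly full; raising ip_conntrack_max alone only hides the cause")
    for src, n in sorted(unreplied_fanout(entries).items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {n} half-open flows to distinct hosts")
    return usage

if __name__ == "__main__":
    report()
```

On current kernels the table is /proc/net/nf_conntrack (each line carries a leading address-family prefix) and the limit is net.netfilter.nf_conntrack_max, so the regex needs that prefix allowed before the protocol name.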
