#1  Newbie | Join Date: Feb 2011 | Posts: 4

    Problems nf_queue: full at 1024 entries, dropping packets(s)

    We installed a DL380 server with 2 NICs, 8 GB RAM and two 2.33 GHz processors.
    The network topology has a server farm in a VLAN, and the total number of PCs is 8000.
    The server was installed to take the IPS role and it will be used in bridge mode, so all traffic will pass
    through Untangle:

    Topology:

    Internet
    |
    |
    |---Firewall-------Switch Core-----eth0---Untangle 8.0---eth1------Servers
    | (External) (Internal)
    | (Static) (Bridge)
    Hosts

    Eth0 has a static IP in the servers VLAN.
    Eth1 does the bridging to the servers.

    The VLANs are configured in Active Routes.

    With few users the solution works fine,
    but when the number of users increases during working hours we get these errors:

    Feb 26 11:12:08 ips kernel: [3040449.312662] ip_route_input failed
    Feb 26 11:12:09 ips kernel: [3040449.391760] ip_route_input failed
    Feb 26 11:12:09 ips kernel: [3040449.560718] ip_route_input failed
    Feb 26 11:12:09 ips kernel: [3040449.770357] ip_route_input failed
    Feb 26 11:12:09 ips kernel: [3040449.985887] __ratelimit: 92 messages suppressed
    Feb 26 11:12:09 ips kernel: [3040449.985891] Neighbour table overflow.

    We searched on the Internet and found that the error was due to the ARP table capacity.
    So, we adjusted the threshold value:

    echo 65536 > /proc/sys/net/ipv4/neigh/default/gc_thresh1

    That was a temporary solution, because it then started to block all traffic:

    Feb 28 01:20:27 ips kernel: [158808.595082]
    Feb 28 08:00:38 ips kernel: [188802.100954] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 1
    Feb 28 08:00:38 ips kernel: [188802.103994] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 2
    Feb 28 08:00:38 ips kernel: [188802.104232] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 3
    Feb 28 08:00:38 ips kernel: [188802.105623] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 4
    Feb 28 08:00:38 ips kernel: [188802.107284] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 5
    Feb 28 08:00:38 ips kernel: [188802.107284] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 6
    Feb 28 08:00:38 ips kernel: [188802.107284] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 7
    Feb 28 08:00:38 ips kernel: [188802.107284] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 8
    Feb 28 08:00:38 ips kernel: [188802.107284] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 9
    Feb 28 08:00:38 ips kernel: [188802.109672] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 10
    Feb 28 08:00:43 ips kernel: [188807.587557] __ratelimit: 4221 messages suppressed
    Feb 28 08:00:43 ips kernel: [188807.587557] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 4232
    Feb 28 08:00:48 ips kernel: [188812.923437] __ratelimit: 5183 messages suppressed
    Feb 28 08:00:48 ips kernel: [188812.923437] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 9416
    Feb 28 08:00:53 ips kernel: [188818.279281] __ratelimit: 4883 messages suppressed
    Feb 28 08:00:53 ips kernel: [188818.279281] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 14300
    Feb 28 08:00:58 ips kernel: [188823.779683] __ratelimit: 4433 messages suppressed
    Feb 28 08:00:58 ips kernel: [188823.779683] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 18734
    Feb 28 08:01:03 ips kernel: [188829.138990] __ratelimit: 4726 messages suppressed
    Feb 28 08:01:03 ips kernel: [188829.138990] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 23461
    Feb 28 08:01:08 ips kernel: [188835.538110] __ratelimit: 4266 messages suppressed
    Feb 28 08:01:08 ips kernel: [188835.538110] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 27728
    Feb 28 08:01:13 ips kernel: [188840.498589] __ratelimit: 2522 messages suppressed
    Feb 28 08:01:13 ips kernel: [188840.498593] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 30251
    Feb 28 08:01:18 ips kernel: [188846.113169] __ratelimit: 3267 messages suppressed
    Feb 28 08:01:18 ips kernel: [188846.113173] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 33519
    Feb 28 08:01:23 ips kernel: [188851.857499] __ratelimit: 2532 messages suppressed
    Feb 28 08:01:23 ips kernel: [188851.857499] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 36052


    # tcpdump -i eth1 -n

    39023 packets captured
    88828 packets received by filter
    49552 packets dropped by kernel

    This is the problem we have and we would appreciate some help with it. Thanks.
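The two kinds of kernel message quoted in this post ("Neighbour table overflow." and "nf_queue: full at 1024 entries ... Dropped: N") are easy to misread, because the rate limiter hides most of them and the nf_queue counter is cumulative. The following is an added example written for this page, not code from Untangle or from the poster: a small parser that summarises such lines and derives the drop rate from the uptime stamps, so the problem can be sized before deciding between tuning and bypass. It assumes only the stock syslog "kernel:" line format shown above; the sample input embeds a few of the lines quoted in the post, and the alert threshold is a constructed value.

```python
"""Summarise neighbour-table and nf_queue trouble from Linux kernel log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One kernel line as syslog writes it: timestamp, host, "kernel:", [uptime], message.
KMSG_RE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: '
    r'\[\s*(?P<uptime>\d+\.\d+)\] ?(?P<msg>.*)$'
)
# "Dropped: N" is a running total since the queue first filled, not a per-line count.
NFQ_RE = re.compile(
    r'nf_queue: full at (?P<cap>\d+) entries, dropping packets\(s\)\. Dropped: (?P<dropped>\d+)'
)
RATELIMIT_RE = re.compile(r'__ratelimit: (?P<n>\d+) messages suppressed')
NEIGH_OVERFLOW = 'Neighbour table overflow.'
ROUTE_FAILED = 'ip_route_input failed'

# Sample input: a few lines copied from the post above (constructed subset, in log order).
SAMPLE_LOG = """\
Feb 26 11:12:08 ips kernel: [3040449.312662] ip_route_input failed
Feb 26 11:12:09 ips kernel: [3040449.985887] __ratelimit: 92 messages suppressed
Feb 26 11:12:09 ips kernel: [3040449.985891] Neighbour table overflow.
Feb 28 01:20:27 ips kernel: [158808.595082]
Feb 28 08:00:38 ips kernel: [188802.100954] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 1
Feb 28 08:00:43 ips kernel: [188807.587557] __ratelimit: 4221 messages suppressed
Feb 28 08:00:43 ips kernel: [188807.587557] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 4232
Feb 28 08:00:48 ips kernel: [188812.923437] nf_queue: full at 1024 entries, dropping packets(s). Dropped: 9416
"""


@dataclass
class KernelLogSummary:
    route_failures: int = 0
    neigh_overflows: int = 0
    suppressed: int = 0                    # lines the rate limiter hid; real counts are higher
    nfq_capacity: Optional[int] = None     # queue length reported by the kernel (1024 here)
    nfq_first_dropped: Optional[int] = None
    nfq_last_dropped: Optional[int] = None
    nfq_first_uptime: Optional[float] = None
    nfq_last_uptime: Optional[float] = None

    def nfq_drop_rate(self) -> float:
        """Average packets dropped per second between the first and last nf_queue line."""
        if self.nfq_first_uptime is None or self.nfq_last_uptime == self.nfq_first_uptime:
            return 0.0
        return ((self.nfq_last_dropped - self.nfq_first_dropped)
                / (self.nfq_last_uptime - self.nfq_first_uptime))


def summarize(lines: Iterable[str]) -> KernelLogSummary:
    """Fold kernel log lines into counters; lines in another format are ignored."""
    s = KernelLogSummary()
    for line in lines:
        m = KMSG_RE.match(line.strip())
        if not m:
            continue
        uptime = float(m.group('uptime'))   # monotonic, so safe for rate arithmetic
        msg = m.group('msg')
        if msg == ROUTE_FAILED:
            s.route_failures += 1
        elif msg == NEIGH_OVERFLOW:
            s.neigh_overflows += 1
        elif (r := RATELIMIT_RE.search(msg)):
            s.suppressed += int(r.group('n'))
        elif (q := NFQ_RE.search(msg)):
            dropped = int(q.group('dropped'))
            s.nfq_capacity = int(q.group('cap'))
            if s.nfq_first_dropped is None:
                s.nfq_first_dropped, s.nfq_first_uptime = dropped, uptime
            s.nfq_last_dropped, s.nfq_last_uptime = dropped, uptime
    return s


def assess(s: KernelLogSummary, max_nfq_drops_per_s: float = 50.0) -> List[str]:
    """Return findings as 'code: detail' strings; the threshold is a constructed default."""
    findings = []
    if s.neigh_overflows:
        findings.append('neigh_overflow: %d overflow line(s), %d suppressed; the hard cap is '
                        'gc_thresh3, not gc_thresh1' % (s.neigh_overflows, s.suppressed))
    if s.nfq_last_dropped is not None and s.nfq_drop_rate() > max_nfq_drops_per_s:
        findings.append('nfq_saturated: queue of %d entries, about %.0f drops/s; the userspace '
                        'consumer is the bottleneck' % (s.nfq_capacity, s.nfq_drop_rate()))
    return findings


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines())
    for finding in assess(summary):
        print(finding)
```

Two practical caveats that the numbers make visible. The neighbour-table ceiling is `net.ipv4.neigh.default.gc_thresh3`; `gc_thresh1` only sets the size below which the garbage collector leaves entries alone, so raising it alone (as in the post) does not raise the cap, and the three values should be kept in order `gc_thresh1 < gc_thresh2 < gc_thresh3`. For nf_queue, a cumulative `Dropped:` counter climbing by thousands every five seconds, together with tcpdump's "packets dropped by kernel", means the process reading the queue cannot keep up with the offered load; that is a capacity question (hardware, or what gets bypassed) rather than a sysctl one.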

  #2  Untangle Ninja mrunkel | Join Date: Jul 2008 | Posts: 3,040

    I don't think Untangle is for you.

    The IPS functionality in Untangle is pretty limited, so if that is the only reason you're using it, then I would suggest looking for another product.

    Secondly, if your ARP table is overflowing, you should start thinking about a network redesign. That is far too many devices on a local subnet.

    As for the nf_queue errors, the box can't handle the traffic load, so you're either going to have to start adding lots of traffic types to the bypass list. I would bypass everything except port 80 and port 443 to start. But if your intention is to use this as an IPS, that will further degrade the effectiveness of the device.

    Untangle is primarily designed as an easy to drop in web and mail filter, not an IPS. If you want only IPS functionality, you should take a look at one of the dedicated snort platforms.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
