[SOLVED]Syslog Flooded With "nf_conntrack" Errors, RT-AX88U

alipora

New Around Here
Hello

I am completely new here, and i am glad i found this forum and this great firmware.
i had stock frimware 3977 before flashing to Merlin, 384.15.
so going into the issue im having, basically the log is full of this :

Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Mar 5 11:15:59 kernel: nf_conntrack: expectation table full
Mar 5 11:16:00 kernel: nf_conntrack: expectation table full
Mar 5 11:16:00 kernel: nf_conntrack: expectation table full
Mar 5 11:16:00 kernel: nf_conntrack: expectation table full
Mar 5 11:16:00 kernel: nf_conntrack: expectation table full
Mar 5 11:16:22 kernel: nf_conntrack: expectation table full

i believe this has something to do with NAT, i tried a solution from 2019 from another thread:
https://www.snbforums.com/threads/nf_conntrack-expectation-table-full-and-other-log-oddities.55415/
and other one from 2015:
https://www.snbforums.com/threads/tcp-timeout-established-and-max.26580/page-2#post-200012

I did not want to change lots of stuff from kernel so i ended up by changing one thing which was ct_hashsize to 16384 but did not fix my problem. tcp connection limit is 300000

Please see my setting below:



please help me to fix this issue thanks
 

Makaveli

Very Senior Member
Are you actually having a performance issue or these are just showing up in the log and you are curious about it?
 

Maverickcdn

Regular Contributor
Mar 5 11:15:50 kernel: nf_conntrack: expectation table full
Do you run a webserver/torrent/ftp etc on your network?

Writing a higher value to /proc/sys/net/netfilter/nf_conntrack_expect_max should dispel the messages

Dont change any of the settings in the web GUI, it wont help
 

alipora

New Around Here
Are you actually having a performance issue or these are just showing up in the log and you are curious about it?
i am having bit latency and slowdowns over wifi and little bit on wired
edit: if there is no performance issues, should i just ignore it ? i dont really wanna see those in log
 

alipora

New Around Here
Do you run a webserver/torrent/ftp etc on your network?

Writing a higher value to /proc/sys/net/netfilter/nf_conntrack_expect_max should dispel the messages

Dont change any of the settings in the web GUI, it wont help
Thanks for reply, what value should i change that to ? should i reset nvram before ?
 

Maverickcdn

Regular Contributor
Not sure what the default value is on the AX88U, the AC86U was 52, RMerlin recommended 128, Ive run all kind of different values and never noticed any issues.

In an SSH terminal can you run
Code:
cat /proc/sys/net/netfilter/nf_conntrack_expect_max
And let us know what it has in it from stock.

Start with changing it to 128 and see where you get. The other thread you linked to has all in the info for setting up the script in nat-start to rewrite the value.

Im still curious if you run a webserver or anything on your network or do you just have lots of clients?
 

alipora

New Around Here
Not sure what the default value is on the AX88U, the AC86U was 52, RMerlin recommended 128, Ive run all kind of different values and never noticed any issues.

In an SSH terminal can you run
Code:
cat /proc/sys/net/netfilter/nf_conntrack_expect_max
And let us know what it has in it from stock.

Start with changing it to 128 and see where you get. The other thread you linked to has all in the info for setting up the script in nat-start to rewrite the value.

Im still curious if you run a webserver or anything on your network or do you just have lots of clients?
Thanks, 128 didnt work for me still error came up, now trying 216. stock value of expect_max was 108 for me.
i dont run anything, literally nothing not even vpn etc, just 10 - 11 wireless client
could you please let me know which thread/post for nat-start script ? im completely new thanks
 

Maverickcdn

Regular Contributor
Thanks, 128 didnt work for me still error came up, now trying 216. stock value of expect_max was 108 for me.
i dont run anything, literally nothing not even vpn etc, just 10 - 11 wireless client
could you please let me know which thread/post for nat-start script ? im completely new thanks
Curious... do you have a usb stick sharing samba? or a NAS

I've been trying to (in an extremely amateur fashion) track down a cause as to why some of us see these and others don't

I've since lowered mine to 240. almost 20 days no messages

step 0) enable jffs/scripts in webgui (reboot if not formatted already)
1)SSH into router
2) cd /jffs/scripts
3) nano nat-start
4)
Code:
#!/bin/sh

# increase nf_conntrack_expect_max

echo 240 > /proc/sys/net/netfilter/nf_conntrack_expect_max

logger -t conntrackscript "Value 240 written to nf_conntrack_expect_max, restarting conntrack"
sleep 2
service restart_conntrack
5) ctrl + x to exit, y to save
6) chmod a+rx /jffs/scripts/nat-start

Reboot or sh /jffs/scripts/nat-start and check the logs for the "Value 240 written.." line and run
Code:
cat /proc/sys/net/netfilter/nf_conntrack_expect_max
should now read 240
 

alipora

New Around Here
Curious... do you have a usb stick sharing samba? or a NAS

I've been trying to (in an extremely amateur fashion) track down a cause as to why some of us see these and others don't

I've since lowered mine to 240. almost 20 days no messages

step 0) enable jffs/scripts in webgui (reboot if not formatted already)
1)SSH into router
2) cd /jffs/scripts
3) nano nat-start
4)
Code:
#!/bin/sh

# increase nf_conntrack_expect_max

echo 240 > /proc/sys/net/netfilter/nf_conntrack_expect_max

logger -t conntrackscript "Value 240 written to nf_conntrack_expect_max, restarting conntrack"
sleep 2
service restart_conntrack
5) ctrl + x to exit, y to save
6) chmod a+rx /jffs/scripts/nat-start

Reboot or sh /jffs/scripts/nat-start and check the logs for the "Value 240 written.." line and run
Code:
cat /proc/sys/net/netfilter/nf_conntrack_expect_max
should now read 240
Thanks for the instruction, i ended up changing it to 384, they are gone for now ... i might try to lower it later to 300 or 250, i dont have usb or nas
also do you know anything about udp timeout ? whatsapp connection drops, reconnects once in a while
 

posthumous

New Around Here
Curious... do you have a usb stick sharing samba? or a NAS

I've been trying to (in an extremely amateur fashion) track down a cause as to why some of us see these and others don't
Thank you very much for this! I've been using your prescribed 240 for over 24hrs without a single error msg. Previously, every 30mins or so, my AC86U syslog would be spammed with "nf_conntrack: expectation table full".

I read somewhere the wifi IoT devices are the cause of this. Sure enough when disconnected all 12 of my IoT devices including Amazon Echo and Google Home for a couple hours, the error did not re-appear.
Hopefully that might give you a clue to track down why only some some of us are plagued with this.

Once again, thank you Maverickcdn
 

Prodeje79

Occasional Visitor
Found this thread and procedure to get my settings to 240. It appears to have worked, but I noticed this in the log:
May 5 01:12:41 conntrackscript: Value 240 written to nf_conntrack_expect_max, restarting conntrack
May 5 01:12:43 rc_service: service 2481:notify_rc restart_conntrack
May 5 01:12:43 modprobe: module nf_conntrack_proto_gre not found in modules.dep
May 5 01:12:43 modprobe: module nf_nat_proto_gre not found in modules.dep
May 5 01:12:43 modprobe: module nf_conntrack_pptp not found in modules.dep
May 5 01:12:43 modprobe: module nf_nat_pptp not found in modules.dep

Is this an issue?
 

Vexira

Part of the Furniture
Found this thread and procedure to get my settings to 240. It appears to have worked, but I noticed this in the log:
May 5 01:12:41 conntrackscript: Value 240 written to nf_conntrack_expect_max, restarting conntrack
May 5 01:12:43 rc_service: service 2481:notify_rc restart_conntrack
May 5 01:12:43 modprobe: module nf_conntrack_proto_gre not found in modules.dep
May 5 01:12:43 modprobe: module nf_nat_proto_gre not found in modules.dep
May 5 01:12:43 modprobe: module nf_conntrack_pptp not found in modules.dep
May 5 01:12:43 modprobe: module nf_nat_pptp not found in modules.dep

Is this an issue?
do you have a usb drive connected?
 

Vexira

Part of the Furniture
No and I got two new 86u. Both did this. I think it may be an error unrelated to this change?
Also try to format the jffs partition you need to enable th format jffs on next reboot under administration tab then system.
 

Vexira

Part of the Furniture
Yes! Flex QoS and a ton of IoT devices. Asus is router only with WiFi off. I use TP-Link Omada APs with cloud controller on my Synology NAS.
I got rid of the error so far by remove the Nat start script for the nf_contrack that I added before If I remember correctly Dave did some changes in flex that affect contrack.
 

dave14305

Part of the Furniture
I got rid of the error so far by remove the Nat start script for the nf_contrack that I added before If I remember correctly Dave did some changes in flex that affect contrack.
It was an opt-in setting to flush the conntrack table. Those messages in this thread are a result of the restart_conntrack unrelated to FlexQoS (thankfully).
 

Vexira

Part of the Furniture
It was an opt-in setting to flush the conntrack table. Those messages in this thread are a result of the restart_conntrack unrelated to FlexQoS (thankfully).
I wonder if the GUI tracked connections are related to the NF contrack error, I remember reading that you changed the max tracked connections to 300 as well as allowing it to refresh even when it went over please correct me if I'm wrong.

But on a positive note you have done such an amazing job with the script that after I removed the NF contrack script and reset my router to factory and did a manual re configure I'm able to have a stable and extremely clear video chat with my girlfriend who is overseas which is a first.
 

Vexira

Part of the Furniture
It was an opt-in setting to flush the conntrack table. Those messages in this thread are a result of the restart_conntrack unrelated to FlexQoS (thankfully).
Wait hold up wouldn't that cause a conflict with a script that is designed to re start nf_contrack if it hits a certain limit of connections?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top