ping status

[root@sxty01 ~]# ping 10.99.160.97
PING 10.99.160.97 (10.99.160.97) 56(84) bytes of data.
64 bytes from 10.99.160.97: icmp_seq=23 ttl=64 time=0.567 ms
64 bytes from 10.99.160.97: icmp_seq=24 ttl=64 time=0.561 ms
64 bytes from 10.99.160.97: icmp_seq=25 ttl=64 time=0.564 ms
64 bytes from 10.99.160.97: icmp_seq=26 ttl=64 time=0.583 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from 10.99.160.97: icmp_seq=29 ttl=64 time=0.593 ms
64 bytes from 10.99.160.97: icmp_seq=30 ttl=64 time=0.570 ms
^C
--- 10.99.160.97 ping statistics ---
30 packets transmitted, 28 received, 6% packet loss, time 29001ms
rtt min/avg/max/mdev = 0.489/0.565/0.702/0.044 ms

Check the logs

[root@sxty01 ~]# tail  -n 1000 /var/log/messages
Nov 9 10:25:10 sxty01 ceph-mon: 2021-11-09 10:25:10.206 7f8c881a7700 -1 mon.sxty01@0(leader) e1 get_health_metrics reporting 48 slow ops, oldest is osd_failure(failed timeout osd.0 10.99.160.100:6800/12620 for 184sec e248 v248)
Nov 9 10:25:12 sxty01 kernel: net_ratelimit: 65652 callbacks suppressed
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet
Nov 9 10:25:12 sxty01 kernel: nf_conntrack: table full, dropping packet

Check the server's maximum number of tracked connections

[root@sxty01 ~]# cat /proc/sys/net/netfilter/nf_conntrack_max
262144

Check the number of connections currently being tracked

[root@sxty01 ~]# cat /proc/sys/net/netfilter/nf_conntrack_count
262144

Here the count equals the maximum (262144 of 262144), so the conntrack table is not merely nearly full but completely full: every new flow the kernel cannot insert into the table is dropped, which is exactly what the `nf_conntrack: table full, dropping packet` messages record. The ICMP echo requests sent from this host are new flows too, so ping gets `sendmsg: Operation not permitted` for the dropped ones and reports packet loss. The ceph-mon slow ops and the OSD failure timeout in the same log are consistent with cluster traffic being dropped the same way.

View the tracked sessions

cat /proc/net/nf_conntrack
ipv4 2 tcp 6 96 TIME_WAIT src=220.250.70.89 dst=42.236.3.122 sport=44926 dport=5558 src=42.236.3.122 dst=220.250.70.89 sport=5558 dport=44926 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 26 TIME_WAIT src=116.178.31.115 dst=220.250.70.89 sport=11494 dport=5558 src=220.250.70.89 dst=116.178.31.115 sport=5558 dport=11494 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 86 TIME_WAIT src=220.250.70.89 dst=42.236.3.112 sport=60115 dport=5558 src=42.236.3.112 dst=220.250.70.89 sport=5558 dport=60115 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 63 TIME_WAIT src=220.250.70.89 dst=42.236.3.122 sport=58592 dport=5558 src=42.236.3.122 dst=220.250.70.89 sport=5558 dport=58592 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 41 TIME_WAIT src=171.37.104.15 dst=220.250.70.89 sport=5347 dport=5558 src=220.250.70.89 dst=171.37.104.15 sport=5558 dport=5347 [ASSURED] mark=0 zone=4108 use=2
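The three checks above (maximum, current count, session dump) can be scripted. As an added example that is not part of the original post, the POSIX shell script below reports table usage as a percentage of nf_conntrack_max and breaks /proc/net/nf_conntrack entries down by TCP state and by original-direction destination port, so you can see which service is filling the table. The conntrack lines embedded in it are constructed for offline use (two are copied from the dump above; the ESTABLISHED and UDP entries are made up), and the live-read path with its fallback figures is an assumption, not something the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: summarise conntrack table pressure.
# Assumes the /proc/net/nf_conntrack line format shown in the post.

# Integer percentage of the table in use: count * 100 / max.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Read the live counters when the module is loaded; otherwise fall back to
# the figures from the post (assumed values for offline use).
conntrack_live_pct() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        conntrack_usage_pct "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
                            "$(cat /proc/sys/net/netfilter/nf_conntrack_max)"
    else
        conntrack_usage_pct 262144 262144
    fi
}

# Entries per TCP state, read from conntrack lines on stdin.
# For tcp lines field 3 is the protocol name and field 6 the state.
conntrack_state_summary() {
    awk '$3 == "tcp" { states[$6]++ } END { for (s in states) print s, states[s] }' | sort
}

# Entries per destination port of the original direction (the first dport=
# field on each line), most common first.
conntrack_dport_summary() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { sub("dport=", "", $i); ports[$i]++; break } }
         END { for (p in ports) print p, ports[p] }' | sort -k2 -nr
}

# Constructed sample: two TIME_WAIT lines from the post plus two made-up entries.
SAMPLE='ipv4 2 tcp 6 96 TIME_WAIT src=220.250.70.89 dst=42.236.3.122 sport=44926 dport=5558 src=42.236.3.122 dst=220.250.70.89 sport=5558 dport=44926 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 26 TIME_WAIT src=116.178.31.115 dst=220.250.70.89 sport=11494 dport=5558 src=220.250.70.89 dst=116.178.31.115 sport=5558 dport=11494 [ASSURED] mark=0 zone=4108 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.6 sport=51000 dport=22 src=10.0.0.6 dst=10.0.0.5 sport=22 dport=51000 [ASSURED] mark=0 zone=0 use=1
ipv4 2 udp 17 29 src=10.0.0.5 dst=10.0.0.53 sport=40000 dport=53 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=40000 mark=0 zone=0 use=1'

# Number of TIME_WAIT entries in the sample.
sample_time_wait_count() {
    printf '%s\n' "$SAMPLE" | conntrack_state_summary | awk '$1 == "TIME_WAIT" { print $2 }'
}

# Stand-alone run: usage (live if available), then the sample breakdowns.
printf 'conntrack usage: %s%%\n' "$(conntrack_live_pct)"
printf '%s\n' "$SAMPLE" | conntrack_state_summary
printf '%s\n' "$SAMPLE" | conntrack_dport_summary
```

On a real host, feed the live table instead of the sample: `cat /proc/net/nf_conntrack | conntrack_dport_summary`. A single port dominating the output, as port 5558 does in the dump above, points at the service whose connection churn is exhausting the table.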

If the file does not exist

[root@hb-sjz-wafnode-4 ~]# cat /proc/sys/net/netfilter/nf_conntrack_max
cat: /proc/sys/net/netfilter/nf_conntrack_max: No such file or directory
[root@hb-sjz-wafnode-4 ~]# modprobe ip_conntrack

The entries under /proc/sys/net/netfilter/ only appear once the connection tracking module is loaded. ip_conntrack is the legacy alias of that module; on current kernels use `modprobe nf_conntrack`. Note that if the module was not loaded, the host was not tracking connections at all, so a full conntrack table cannot be what is dropping its packets; loading it just to read the counters also starts tracking every flow from that point on.

Remediation:

1) Raise the maximum limit

cat >> /etc/sysctl.conf << EOF
# Maximum number of entries in the conntrack table (hash table limit)
net.netfilter.nf_conntrack_max = 655350
# Idle timeout for ESTABLISHED TCP flows; the default is 5 days (432000 seconds)
net.netfilter.nf_conntrack_tcp_timeout_established = 1200
EOF
sysctl -p

Appending to /etc/sysctl.conf changes nothing by itself; `sysctl -p` (or a reboot) applies it. The `net.ipv4.netfilter.nf_conntrack_*` names are the legacy spelling of the same knobs on older kernels. Two cautions. Do not set nf_conntrack_tcp_timeout_established to a handful of seconds: an idle but still-open TCP session such as SSH or a database connection would lose its conntrack entry, and its next packets would be treated as INVALID by stateful firewall rules; 1200 seconds (20 minutes) is a sensible floor. And raising nf_conntrack_max without also raising the hash table size (/sys/module/nf_conntrack/parameters/hashsize, writable at runtime) makes the hash chains longer and every lookup slower, so raise both together. Since the dump above is dominated by TIME_WAIT entries on port 5558, lowering net.netfilter.nf_conntrack_tcp_timeout_time_wait (default 120 seconds) is likely to free more table space than the established timeout does.