we ran into a similar problem when we put 6000 machines (don't ask)
behind a bridging firewall.  if i remember correctly, the connection
table in the kernel filled up and the kernel dropped the entry from the
table.  since the connection tracking entry was dropped, the entire tcp
connection was blocked.  load stayed very low, but throughput went
through the floor.

if i remember correctly, the kernel logged this in /var/log/messages
(assuming that your syslog is logging kernel messages).

unfortunately, in our case (~130 Mb/s of traffic and 6000 machines) the
solution was to turn off connection tracking.  we might have been able
to tweak the kernel, but our application didn't really require stateful
packet filtering.

I hope this helps.

-c

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
253A North Building, Box 90132, Durham, NC  27708-0291
PH: 919-660-7003  FAX: 919-660-7076  CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp



On Tue, 2003-04-01 at 03:05, Joao Carvalho wrote:
> the ram shouldn't be a problem either :
>              total       used       free     shared    buffers     cached
> Mem:        222760      67208     155552          0      19464      14332
> -/+ buffers/cache:      33412     189348
> Swap:      1028152          0    1028152
> 
> 
> 
> On Tuesday 01 April 2003 08:57, you wrote:
> > Hello Joao Carvalho,
> > Tuesday, April 1, 2003, 10:42:48, you wrote:
> > JC> Hi
> > JC> i am trying to put together a bridge with shaping and firewalling
> > JC> capacity.
> > JC> Ok i have it all now together working ok , my problem is that
> > JC> the performance will go down the tube if there are too many
> > JC> connections, but the processor will not show any load.
> >
> > JC> with is excellent.
> > JC> Now for my problem , i connected the bridge with one board to the
> > JC> router with a crossover cable, and the other one to the network.
> > JC> This network has a lot of clients, when i did a line count in
> > JC> /proc/sys/net/ipv4/ip_conntrack_max
> > JC> i got more than 23000 connections.
> >
> > JC> what happened was that the outgoing traffic went from 18Mb to 7Mb,
> > JC> speed in opening webpages went down it took about 10 more seconds
> > JC> to open webpage.
> > How much RAM is on your box?
> >
> > JC> First i thought that there might be a bottleneck in iptables or
> > JC> netfilter or even in connection tracking so i disconnected these
> > JC> options in the kernel but the result was the same, what really is
> > JC> strange that the processor load continues 0.00 0.00 0.00 .
> > It should be so if You haven't any other processes except the kernel.
> > That value is the number of processes in the system run queue averaged
> > over various periods of time (1, 5 and 15 min by default).
> >
> > JC> It is an AMD Athlon XP 2000+.
> > JC> the motherboard is a top EPOX , and the ethernet cards are
> > JC> intelpro100.
> > JC> does anyone have a suggestion why this is happening and
> > JC> how to fix that.
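One way to watch for the condition Chris describes above (the kernel logging conntrack "table full" drops, and the tracked-entry count creeping up on ip_conntrack_max), as an added example that is not part of this thread. The syslog lines are constructed, and /proc/net/ip_conntrack is assumed to be the 2.4-kernel entry listing that `wc -l` would count:

```python
import re

# Constructed sample of kernel lines as syslog writes them to /var/log/messages
# on a 2.4-era netfilter bridge (not taken from the thread).
SAMPLE_MESSAGES = """\
Apr  1 03:01:12 bridge kernel: eth1: Promiscuous mode enabled.
Apr  1 03:05:41 bridge kernel: ip_conntrack: table full, dropping packet.
Apr  1 03:05:41 bridge kernel: ip_conntrack: table full, dropping packet.
Apr  1 03:05:42 bridge kernel: NET: Registered protocol family 17
Apr  1 03:06:03 bridge kernel: ip_conntrack: table full, dropping packet.
"""

# Matches the 2.4 "ip_conntrack" wording and the later "nf_conntrack" one.
TABLE_FULL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:ip|nf)_conntrack: table full, dropping packet"
)


def table_full_events(syslog_text):
    """Return the timestamp of every conntrack 'table full' drop message."""
    events = []
    for line in syslog_text.splitlines():
        m = TABLE_FULL.match(line)
        if m:
            events.append(m.group("ts"))
    return events


def assess(count, limit, drops, warn_fraction=0.9):
    """Classify the tracker: 'full' once the kernel is already dropping (or the
    count has hit the limit), 'near-full' above warn_fraction of the limit,
    otherwise 'ok'.  count/limit are the live numbers, drops the log hits."""
    if drops > 0 or count >= limit:
        return "full"
    if count >= warn_fraction * limit:
        return "near-full"
    return "ok"


def read_live_status(conntrack="/proc/net/ip_conntrack",
                     max_path="/proc/sys/net/ipv4/ip_conntrack_max"):
    """Read the live tracker on a 2.4 box: one line per tracked connection in
    /proc/net/ip_conntrack, and the ceiling in ip_conntrack_max."""
    with open(conntrack) as f:
        count = sum(1 for _ in f)
    with open(max_path) as f:
        limit = int(f.read().strip())
    return count, limit
```

Run `assess(*read_live_status(), len(table_full_events(open("/var/log/messages").read())))` from cron on the bridge; a "near-full" result is the point at which to raise ip_conntrack_max (or, as Chris did, decide stateful tracking is not needed) before throughput collapses.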
