> - net.netfilter.nf_conntrack_max = 265535
> - net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
>
> => this proves that netfilter is indeed running on this machine
> and might be responsible for session drops. 265k sessions is
> very low for the large time_wait. It limits to about 2k
> sessions/s, including local connections on loopback, etc...
>
> You should then increase nf_conntrack_max and nf_conntrack_buckets
> to about nf_conntrack_max/16, and reduce
> nf_conntrack_tcp_timeout_time_wait to about 30 seconds.
>
Minor nit... He has:

net.netfilter.nf_conntrack_count = 0

Which, if I am not mistaken, indicates that connection tracking, although in the kernel, is not being used. (No firewall rules triggering it.)
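To make the arithmetic behind the quoted advice concrete, here is an added example (not code from either poster): a small POSIX shell script that turns a conntrack table size and TIME_WAIT timeout into the implied new-session ceiling, derives the max/16 bucket count, checks whether nf_conntrack_count shows tracking is actually in use, and prints a sysctl.conf fragment. The 1048576-entry target is an assumed value, not one from the thread; live sysctls are read only if present, with the thread's figures used as a constructed fallback, and nothing is written to the kernel.

```shell
#!/bin/sh
# Added example for the conntrack tuning discussed in the thread.
# All values are inputs or constructed samples; nothing is applied.

# New-session rate the table can sustain: once it holds one timeout's
# worth of finished sessions, further connections are dropped.
conntrack_session_rate() {
    # $1 = nf_conntrack_max, $2 = nf_conntrack_tcp_timeout_time_wait (seconds)
    echo $(( $1 / $2 ))
}

# Hash bucket count suggested in the thread: roughly nf_conntrack_max/16.
conntrack_buckets() {
    # $1 = nf_conntrack_max
    echo $(( $1 / 16 ))
}

# A nonzero nf_conntrack_count means entries exist, i.e. rules are
# actually feeding the tracker; zero means it is loaded but idle.
conntrack_in_use() {
    # $1 = nf_conntrack_count; prints "yes" or "no"
    if [ "$1" -gt 0 ]; then echo yes; else echo no; fi
}

# Emit a sysctl.conf fragment for a target table size and timeout.
conntrack_sysctl_fragment() {
    # $1 = desired nf_conntrack_max, $2 = desired TIME_WAIT timeout (seconds)
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"
    printf 'net.netfilter.nf_conntrack_buckets = %s\n' "$(conntrack_buckets "$1")"
    printf 'net.netfilter.nf_conntrack_tcp_timeout_time_wait = %s\n' "$2"
}

# Read a live sysctl if readable, otherwise use the supplied fallback.
read_sysctl_or() {
    # $1 = /proc/sys path, $2 = fallback value
    if [ -r "$1" ]; then cat "$1"; else echo "$2"; fi
}

main() {
    # Fallbacks are a constructed sample mirroring the values quoted above.
    cur_max=$(read_sysctl_or /proc/sys/net/netfilter/nf_conntrack_max 265535)
    cur_tw=$(read_sysctl_or /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait 120)
    cur_count=$(read_sysctl_or /proc/sys/net/netfilter/nf_conntrack_count 0)

    echo "current ceiling: $(conntrack_session_rate "$cur_max" "$cur_tw") new sessions/s"
    echo "conntrack in use: $(conntrack_in_use "$cur_count")"
    # 1048576 is an assumed target size, not a figure from the thread.
    echo "suggested fragment (assumed 1M-entry table, 30 s TIME_WAIT):"
    conntrack_sysctl_fragment 1048576 30
}

main "$@"
```

With the thread's numbers the ceiling works out to 265535/120 = 2212 sessions/s, which is the "about 2k" figure in the quoted reply; shortening TIME_WAIT to 30 s alone quadruples it before the table is enlarged at all.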

