NSX-v FTP connections drop : nf_conntrack expectation table full
Article ID: 321258
Updated On: 01-08-2025
Products
VMware NSX Data Center for vSphere
Issue/Introduction
- VMware NSX Data Center for vSphere 6.4.9 and earlier is deployed.
- Edge drops FTP connections to server intermittently.
- ESGs conntrack (expectation) table becomes full.
nf_ct_ftp: dropping packet: cannot add expectationis encountered invshield_edge_logs.all.nf_conntrack: expectation table fullis also observed invshield_edge_logs.all.
Environment
VMware NSX Data Center for vSphere 6.4.x
Cause
This issue occurs when the actual number of FTP flows exceed the limit.
In flow tables, there are higher number of forward (dport) and reverse (sport) FTP connections, which surpasses the default expectation table size of 128.
The default max table size depends on edge size:
compact: 64
large/quadlarge: 128
xlarge: 256
To monitor the expectation table count:
"conntrack -C expect" shows the number of entries in the table.
"conntrack -L expect" dumps the table.
In flow tables, there are higher number of forward (dport) and reverse (sport) FTP connections, which surpasses the default expectation table size of 128.
The default max table size depends on edge size:
compact: 64
large/quadlarge: 128
xlarge: 256
To monitor the expectation table count:
"conntrack -C expect" shows the number of entries in the table.
"conntrack -L expect" dumps the table.
Resolution
This issue is resolved in VMware NSX Data Center for vSphere 6.4.10 and later.
Feedback
Yes
No
Powered by
