Re: [SLUG] Neighbour table overflow Error

From: D A (divyangi2003@yahoo.com)
Date: Fri Jun 06 2003 - 13:31:46 EDT


Hello,
Thank you much for your reply. I have been working on
this issue since I sent out the question to this
mailing list, and realized that my test setup for
iptables could be an issue (I think). I am performing
this testing at work, and due to various reasons, the
following test setup (in a simplified form) is shown
below:

                                 Internet
                                    |
                                    |
                                  Router
                                    |
                                    |
                                  Switch
                                    |
                                    | (Main Network)
  --------------------------------------------------
            |             ^                 ^
            |             |                 |
External IP |             |                 |
        Test Firewall     |                 |
Internal IP |             |                 |
(192.1.1.1) |             |                 | (192.1.1.2)
            |_____________|           Test Machine
            
                                   (Gateway 192.1.1.1)

As you can see, the internal network feeds back to the
main network. Could this be causing the arp tables to
fill up twice as fast? I tried disabling each
interface on the firewall, one at a time, with ip
forwarding enabled, without any error messages.

I will try out your suggestion of increasing the arp cache
size. I will also use a switch for isolation of the
test machine into its own internal network. Hopefully
that will help.

Any other suggestions will be appreciated.

Thank you,
Divyangi
                 
--- SpamFree <SpamFree@tampabay.rr.com> wrote:
> On Friday June 06 2003 10:50 am, you wrote:
> > Hello,
> > While testing iptables, I came across the following
> > error messages in the /var/log/messages file:
> >
> > Jun 6 04:36:50 fw kernel: Neighbour table overflow.
> > Jun 6 04:36:51 fw kernel: Neighbour table overflow.
> > Jun 6 04:36:53 fw kernel NET: 18 messages suppressed.
> > Jun 6 04:36:53 fw: Neighbour table overflow.
> > Jun 6 04:37:42 fw kernel NET: 15 messages suppressed.
> > Jun 6 04:37:42 fw: Neighbour table overflow.
> > Jun 6 04:37:43 fw last message repeated 8 times
> > Jun 6 04:37:43 fw kernel NET: 2 messages suppressed.
> > Jun 6 04:37:43 fw kernel: Neighbour table overflow.
> > Jun 6 04:37:48 fw kernel NET: 22 messages suppressed.
> > Jun 6 04:37:48 fw: Neighbour table overflow.
> > Jun 6 04:37:54 fw kernel: NET: 6 messages suppressed.
> > Jun 6 04:37:54 fw kernel: Neighbour table overflow.
> > Jun 6 06:01:25 fw kernel: NET: 4 messages suppressed.
> >
> > I am using Redhat Linux 2.4.18-14smp on a HP Netserver
> > LP 1000R, dual 1.13 GHz Pentium III processors with
> > 512Mb of RAM and 20 GB Hard Drive and the iptables
> > implementation included with the OS. I am assuming the
> > hardware, and kernel version are appropriate for
> > iptables to run comfortably.
> >
> > A search on google indicates that such errors can be
> > caused if the loopback interface is mis-configured or
> > is 'down'. However, I have checked to make sure that
> > the loopback interface was 'up' and had the standard
> > configuration. Some posts indicated that this error
> > can be caused due to arp handling problems in earlier
> > versions of Linux (which should not be an issue with
> > the 2.4 kernel ?).
> >
> > I have tried various combinations of iptables setup,
> > such as loading and unloading the different modules it
> > used (without loading any iptables rules), watching
> > the logs with ip forwarding enabled/disabled
> > (/proc/sys/net/ipv4/ip_forward) etc for the sake of
> > eliminating my ruleset or any of my configuration
> > options as the cause. The error appears sporadically,
> > but the pattern I have noticed is that anytime ip
> > forwarding is enabled, the arp cache starts filling up
> > and these errors eventually appear (even in the absence
> > of any iptables). I have configured iptables according
> > to the tutorials at netfilter.org with additional
> > rules to suit my environment.
> >
> > I know this issue has been discussed much on the
> > Internet, however, none of the suggested solutions are
> > helping in my case. I would truly appreciate any
> > input/suggestions on this issue.
> >
> > Thanks,
> > Divyangi
>
>
> Good job troubleshooting and researching the problem. It is
> unfortunate that the solution still eluded you. I hate it when that
> happens.
>
> The error is not a terribly big problem. Basically it means that your
> arp table has reached its maximum capacity. As you have already
> discussed, this can be due to a down interface, especially a down
> loopback interface, but this is not the case in your situation.
>
> The reason it occurs when you enable IP forwarding is because the
> router (IP forwarding) tries to keep track of all the systems on the
> subnet, likely due to proxy-arp. In this case it is recording all of
> the arp traffic on your cable modem? subnet. Your arp table fills up
> rapidly and runs out of room for new entries before older entries
> have a chance to be aged out.
>
> One possible solution to this issue would be to disable IP
> forwarding. If this is not possible, then you may wish to increase
> the space allotted to your arp cache. You can see what it is by doing
> the command:
> cat /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> On my machine it defaults to 1024. You could try doubling this with
> the command:
> echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh3
>
> Try seeing if this works. I suspect that either of these solutions
> will fix your problem, but it may even be necessary to use both
> solutions at once. Finally, remember that the setting you echo into
> /proc will reset to default if you reboot. If you need it to be
> permanent then you will either need to do some kernel hacking or you
> will need to set up a script to echo the new value into /proc each
> time you boot.
>
>

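
A way to check how close the ARP table is to the gc_thresh limits discussed in the reply, and which interface the entries belong to, as an added example that is not part of the original thread. The sample table, the 10.0.0.x hosts, the eth0/eth1 names and the 128/512/1024 thresholds are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): how full is the ARP/neighbour table?

# Constructed sample in /proc/net/arp format. 192.1.1.2 is the thread's test
# machine; the 10.0.0.x hosts, MACs and eth0/eth1 names are made up.
# Flags 0x0 marks an incomplete (unresolved) entry.
sample_arp() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.1.1.2        0x1         0x2         00:00:5e:00:53:02     *        eth1
10.0.0.1         0x1         0x2         00:00:5e:00:53:01     *        eth0
10.0.0.7         0x1         0x2         00:00:5e:00:53:07     *        eth0
10.0.0.9         0x1         0x0         00:00:00:00:00:00     *        eth0
EOF
}

# Total entries on stdin (header line skipped).
arp_total() {
    awk 'NR > 1 && NF >= 6 { n++ } END { print n + 0 }'
}

# Per interface: "device entries incomplete", sorted by device name.
arp_per_device() {
    awk 'NR > 1 && NF >= 6 { c[$6]++; if ($3 == "0x0") i[$6]++ }
         END { for (d in c) print d, c[d], i[d] + 0 }' | sort
}

# Classify a count against gc_thresh1 gc_thresh2 gc_thresh3.
neigh_status() {
    if   [ "$1" -ge "$4" ]; then echo full        # hard limit: overflow logged
    elif [ "$1" -ge "$3" ]; then echo soft-limit  # aggressive garbage collection
    elif [ "$1" -ge "$2" ]; then echo gc-active   # periodic collection runs
    else                         echo below-gc    # nothing is purged yet
    fi
}

# Demo on the sample with the usual defaults 128/512/1024 (assumed here; read
# the live values from /proc/sys/net/ipv4/neigh/default/gc_thresh{1,2,3}).
total=$(sample_arp | arp_total)
echo "entries=$total status=$(neigh_status "$total" 128 512 1024)"
sample_arp | arp_per_device
# On a live system: arp_total < /proc/net/arp
```

The per-interface breakdown shows which side of the firewall is filling the table. A raised limit can also be kept across reboots with a `net.ipv4.neigh.default.gc_thresh3 = 2048` line in /etc/sysctl.conf.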



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:18:43 EDT