Questions to Determine

  • What is the current conntrack table size and its configured maximum (nf_conntrack_max)?
  • How many active connections are in the conntrack table during peak hours?
  • Are there "nf_conntrack: table full" messages in dmesg or syslog?
  • What is the conntrack timeout for established TCP connections (default is 432000 seconds / 5 days)?
  • Are there stale or long-lived entries consuming conntrack slots unnecessarily?
  • Which internal hosts or destinations account for the most conntrack entries?
  • Is the NAT gateway using a single external IP, or a pool of IPs?
  • Could the issue also be source port exhaustion (65535 ports per external IP per destination)?
  • Are there any connection-heavy applications (crawlers, monitoring, chatty microservices) generating excessive entries?
  • What are the current kernel parameters for conntrack tuning?
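The checklist above maps onto a handful of measurements. The script below is an added example, not text from the original page: it reads the live conntrack sysctls where the kernel exposes them, and its helper functions (read_sysctl, conntrack_usage_pct, count_table_full, top_src_ips, nat_port_pressure and stale_established are names chosen for this example) run over a constructed /proc/net/nf_conntrack sample and constructed log lines so it works offline. It assumes the /proc/net/nf_conntrack line layout, which needs the conntrack procfs interface; `conntrack -L` prints a slightly different format.

```shell
#!/usr/bin/env bash
# Added conntrack triage helpers (not from the original page). They parse the
# /proc/net/nf_conntrack line format and read the conntrack sysctls; the sample
# table, log lines and numbers below are constructed so the script runs offline.
set -u

# Live kernel value, "n/a" when the file is absent (non-Linux host or module not loaded)
read_sysctl() {
  local f=$1
  if [ -r "$f" ]; then cat "$f"; else echo "n/a"; fi
}

# Integer percentage of the table in use; args: count max
conntrack_usage_pct() {
  local count=$1 max=$2
  [ "$max" -gt 0 ] || return 1
  echo $(( count * 100 / max ))
}

# Number of "table full" events in dmesg/syslog text read from stdin
count_table_full() {
  grep -c 'nf_conntrack: table full' || true
}

# Top N original-direction source IPs by entry count (stdin: nf_conntrack lines)
top_src_ips() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' \
    | sort | uniq -c | sort -rn | head -n "${1:-5}" | awk '{ print $1, $2 }'
}

# Entries per original-direction dst:dport. Each entry to one destination consumes
# one source port on the NAT IP, so this is the number the 65535 limit applies to.
nat_port_pressure() {
  awk '{ d = ""; p = "";
         for (i = 1; i <= NF; i++) {
           if (d == "" && $i ~ /^dst=/)   { d = substr($i, 5) }
           if (p == "" && $i ~ /^dport=/) { p = substr($i, 7) }
         }
         if (d != "" && p != "") print d ":" p }' \
    | sort | uniq -c | sort -rn | head -n "${1:-5}" | awk '{ print $1, $2 }'
}

# ESTABLISHED TCP entries idle longer than $1 seconds. Field 5 is the remaining
# timeout, so idle time = configured established timeout ($2) - remaining.
stale_established() {
  awk -v thr="$1" -v est="${2:-432000}" \
    '$3 == "tcp" && $6 == "ESTABLISHED" && (est - $5) > thr { n++ } END { print n + 0 }'
}

# Constructed sample table (RFC 5737 documentation addresses), /proc/net/nf_conntrack layout
SAMPLE_TABLE=$(cat <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=51000 dport=443 src=198.51.100.10 dst=203.0.113.1 sport=443 dport=51000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431980 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=51001 dport=443 src=198.51.100.10 dst=203.0.113.1 sport=443 dport=51001 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 300000 ESTABLISHED src=10.0.0.5 dst=198.51.100.10 sport=51002 dport=443 src=198.51.100.10 dst=203.0.113.1 sport=443 dport=51002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=10.0.0.7 dst=198.51.100.20 sport=40000 dport=80 src=198.51.100.20 dst=203.0.113.1 sport=80 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.9 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=203.0.113.1 sport=53 dport=5353 mark=0 zone=0 use=2
ipv4     2 tcp      6 200000 ESTABLISHED src=10.0.0.7 dst=198.51.100.10 sport=40001 dport=443 src=198.51.100.10 dst=203.0.113.1 sport=443 dport=40001 [ASSURED] mark=0 zone=0 use=2
EOF
)

# Constructed dmesg excerpt
SAMPLE_LOG=$(cat <<'EOF'
[12345.678901] nf_conntrack: table full, dropping packet
[12345.679002] nf_conntrack: table full, dropping packet
[12346.000000] eth0: link up
EOF
)

# Live snapshot of the three sysctls the checklist asks about ("n/a" off Linux)
printf 'nf_conntrack_max=%s nf_conntrack_count=%s tcp_timeout_established=%s\n' \
  "$(read_sysctl /proc/sys/net/netfilter/nf_conntrack_max)" \
  "$(read_sysctl /proc/sys/net/netfilter/nf_conntrack_count)" \
  "$(read_sysctl /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established)"

# Same helpers over the constructed sample
printf 'table full events: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
printf '%s\n' "$SAMPLE_TABLE" | top_src_ips 3
printf '%s\n' "$SAMPLE_TABLE" | nat_port_pressure 3
printf 'established entries idle > 1 day: %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | stale_established 86400 432000)"
```

On a real gateway, feed `cat /proc/net/nf_conntrack` into top_src_ips and nat_port_pressure instead of the sample, and pass the host's nf_conntrack_tcp_timeout_established value as the second argument of stale_established so the idle calculation matches the configured timeout rather than the default. A usage percentage approaching 100 together with a non-zero table-full count is the exhaustion signature; a high nat_port_pressure count for a single dst:dport with a single external IP points at source port exhaustion instead.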