No EAP session matching the State variable (and other various messages)

John Douglass john.douglass at oit.gatech.edu
Mon Sep 30 19:17:09 CEST 2013 

What exactly do error messages like:

Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for 
request 782076 in component authenticate module peap.
Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request 
from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished 
request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet 
from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 
207181.

mean?

I have attmpted to rectify by seeing if modifying the following 
configuration options within eap.conf get rid of these.

#  A list is maintained to correlate EAP-Response
         #  packets with EAP-Request packets.  After a
         #  configurable length of time, entries in the list
         #  expire, and are deleted.
         #
         timer_expire     = 120

     #
         #  Help prevent DoS attacks by limiting the number of
         #  sessions that the server is tracking.  Most systems
         #  can handle ~30 EAP sessions/s, so the default limit
         #  of 4096 should be OK.
         max_sessions = 16384

I have even gotten EAP caching (using the Cached-Session-Policy) to two 
hours now.

These error messages especially appear to occur en masse at or near the 
hour and then seem to abruptly stop:

Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 12:59:30 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
[ SNIPPED ]
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:37 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.
Sep 30 13:01:38 newdvlana radiusd[18407]: rlm_eap: No EAP session 
matching the State variable.

Which appear in conjunction with:

Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request 
from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished 
request 187554
Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet 
from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 
207181.
Sep 30 12:58:52 newdvlanb radiusd[10152]: Discarding conflicting packet 
from client Rich-core-WiSM-E port 32769 - ID: 234 due to recent request 
213661.

As well as sometimes:

Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for 
request 782076 in component authenticate module peap.
Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for 
request 789836 in component authenticate module peap.
Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for 
request 789836 in component authenticate module peap.

An oddity is that the issues appear cross server at about the same times:

Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for 
request 754502 in component authenticate module peap.
Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for 
request 828962 in component authenticate module peap.

Any one have any similar battle scars that I can learn from (server 
performance tweaks, optimizations, etc?). I've optimized as best I can 
the SQL component. This all seems related to the samba/winbind/ntlm_auth.

- John Douglass, Sr. Systems IT/Architect, Georgia Institute of Technology

More information about the Freeradius-Users mailing list