No EAP session matching the State variable (and other various messages)

Arran Cudbard-Bell a.cudbardb at freeradius.org
Mon Sep 30 19:52:47 CEST 2013 

On 30 Sep 2013, at 18:17, John Douglass <john.douglass at oit.gatech.edu> wrote:

> What exactly do error messages like:
> 
> Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching the State variable.

The State attribute is returned in Access-Challenges by the RADIUS server and is included in subsequent Access-Requests by the NAS.
It links up all the rounds of Access-Requests/Access-Challenges required for EAP authentication to complete.

That error message is usually displayed when the NAS has corrupted the State attribute contents (unlikely). Or the EAP session associated
with the state has expired/or been lost (due to restart).

This can also happen if you have a load balancer which is spraying packets over multiple RADIUS servers. All packets for one EAP session need to go to the same EAP server. I believe this also happens where you have EAP packets following a different path through a proxy network, and the final node before your home server changes.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.

peap module is taking a very long time to complete.

> Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554

The server thread dealing with the original request is blocked (probably in the peap module), the NAS has timed out the original request, and is retransmitting. The server is being smart and discarding the retransmitted request.

> Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.

That's like the above message, but probably means a new packet with src ip, src port, dst ip, dst port, id that match an existing packet in the queue has been received, but with a different authenticator.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 782076 in component authenticate module peap.
> Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
> Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for request 789836 in component authenticate module peap.
> 
> An oddity is that the issues appear cross server at about the same times:
> 
> Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 754502 in component authenticate module peap.
> Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 828962 in component authenticate module peap.
> 
> Any one have any similar battle scars that I can learn from (server performance tweaks, optimizations, etc?). I've optimized as best I can the SQL component. This all seems related to the samba/winbind/ntlm_auth.

I'll let someone else answer that one :)

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list