Help troubleshooting No EAP session matching...
daldwinc at uwaterloo.ca
Thu Sep 15 15:57:24 CEST 2016
During periods of high load, we are seeing many messages like the following:
radiusd: rlm_eap: No EAP session matching the State variable.
I understand the meaning of the message, but I need some assistance on
how to go about locating the source of the problem.
During peak times, we have about 8K wireless logins per minute, for
extended periods. We have 6 wireless controllers, from which the
Access-Requests are sent. Due to the high load, I am unable to run the
server with -X, because it gets crushed while running single threaded. I
can use radmin, but I'm not sure what to set the debug condition to.
I don't see any errors about child processes being hung, or
winbind/ntlm_auth taking too long.
Some values which may be relevant:
radiusd.conf: max_request_time = 30
radiusd.conf: cleanup_delay = 5
radiusd.conf: max_requests = 8000000 #about 30K wireless users at peak *
256 ~= 8million
radiusd.conf: start_servers = 5
radiusd.conf: max_servers = 32
radiusd.conf: min_spare_servers = 3
radiusd.conf: max_spare_servers = 10
radiusd.conf: # max_queue_size = 65536 (unsure why this is
mods-enabled/eap: timer_expire = 60
mods-enabled/eap: cache = disabled
$ openssl speed rsa2048
Doing 2048 bit private rsa's for 10s: 5263 2048 bit private RSA's in 10.01s
Doing 2048 bit public rsa's for 10s: 176233 2048 bit public RSA's in 10.00s
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon May 2 06:13:20 EDT 2016
options:bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int)
aes(partial) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
sign verify sign/s verify/s
rsa 2048 bits 0.001902s 0.000057s 525.8 17623.3
So, a couple questions:
1. Is there a way to get more info along with the message "rlm_eap: No
EAP session matching the State variable." ?
- eg. Which NAS it came from, calling-station-id, etc.
2. Are the aforementioned values OK?
Any advice would be appreciated.
More information about the Freeradius-Users