On 30 Sep 2013, at 18:17, John Douglass <john.dougl...@oit.gatech.edu> wrote:

> What exactly do error messages like:
> 
> Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session matching 
> the State variable.

The State attribute is returned in Access-Challenges by the RADIUS server and 
is included in subsequent Access-Requests by the NAS.
It links up all the rounds of Access-Requests/Access-Challenges required for 
EAP authentication to complete.

That error message is usually displayed when the NAS has corrupted the State 
attribute contents (unlikely). Or the EAP session associated
with the state has expired/or been lost (due to restart).

This can also happen if you have a load balancer which is spraying packets over 
multiple RADIUS servers. All packets for one EAP session need to go to the same 
EAP server. I believe this also happens where you have EAP packets following a 
different path through a proxy network, and the final node before your home 
server changes.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 
> 782076 in component authenticate module peap.

peap module is taking a very long time to complete.

> Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate request from 
> client resnet1-WiSM-A port 32770 - ID: 126 due to unfinished request 187554

The server thread dealing with the original request is blocked (probably in the 
peap module), the NAS has timed out the original request, and is 
retransmitting. The server is being smart and discarding the retransmitted 
request.

> Sep 30 12:58:24 newdvlanb radiusd[10152]: Discarding conflicting packet from 
> client Rich-core-WiSM-E port 32769 - ID: 155 due to recent request 207181.

That's like the above message, but probably means a new packet with src ip, src 
port, dst ip, dst port, id that match an existing packet in the queue has been 
received, but with a different authenticator.

> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for request 
> 782076 in component authenticate module peap.
> Sep 30 12:01:04 dvlanc radiusd[16053]: WARNING: Child is hung for request 
> 789836 in component authenticate module peap.
> Sep 30 12:01:07 dvlanc radiusd[16053]: WARNING: Child is hung for request 
> 789836 in component authenticate module peap.
> 
> An oddity is that the issues appear cross server at about the same times:
> 
> Sep 30 11:57:25 dvlanc radiusd[16053]: WARNING: Child is hung for request 
> 754502 in component authenticate module peap.
> Sep 30 11:57:36 newdvlanb radiusd[11924]: WARNING: Child is hung for request 
> 828962 in component authenticate module peap.
> 
> Any one have any similar battle scars that I can learn from (server 
> performance tweaks, optimizations, etc?). I've optimized as best I can the 
> SQL component. This all seems related to the samba/winbind/ntlm_auth.

I'll let someone else answer that one :)

Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS Development Team

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to