Kafka Error ILLEGAL_SASL_STATE
Error code 34 · Non-retriable · Security
Request is not valid given the current SASL state.
Common Causes
- Client sent a non-SASL request (e.g., Metadata or ApiVersions) before completing the SASL handshake sequence
- Client reusing a connection after a failed authentication attempt without re-initiating the SASL handshake
- Client library bug where it sends SaslAuthenticate before SaslHandshake, violating the expected state machine
Solutions
- Upgrade the client library — this is almost always a client-side protocol implementation bug; check known issues in the library's issue tracker
- Ensure the client does not reuse connections after authentication failures; configure reconnect backoff settings
- Enable debug-level logging on the client (log4j: org.apache.kafka=DEBUG) to trace the exact request order during SASL negotiation
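Once the debug log gives you the request order for a connection, the order can be checked mechanically. The following is an added example, not code from Kafka or any client library: it models the SASL sequence as this page describes it (SaslHandshake, then SaslAuthenticate, then everything else) and reports the first request that does not fit. The function names, the `outcome` labels, the `pre_auth_ok` parameter and the sample traces are assumptions made for illustration.

```python
from enum import Enum
class SaslState(Enum):
    HANDSHAKE = "expecting SaslHandshake"
    AUTHENTICATE = "expecting SaslAuthenticate"
    COMPLETE = "authenticated"
    FAILED = "authentication failed"

def first_violation(trace, pre_auth_ok=frozenset()):
    """Return (index, api, state name) for the first request that does not fit
    the connection's SASL state, or None when the order is valid.
    trace: (api_name, outcome) pairs for ONE connection, in send order;
    outcome is "ok", "continue" (another SaslAuthenticate round) or "fail".
    pre_auth_ok: APIs to tolerate before the handshake (assumption: none).
    """
    state = SaslState.HANDSHAKE
    for i, (api, outcome) in enumerate(trace):
        if state in (SaslState.HANDSHAKE, SaslState.FAILED):
            if state is SaslState.HANDSHAKE and api in pre_auth_ok:
                continue
            if api != "SaslHandshake":
                # Too early, or connection reused after a failure without a new handshake.
                return i, api, state.name
            state = SaslState.AUTHENTICATE if outcome == "ok" else SaslState.FAILED
        elif state is SaslState.AUTHENTICATE:
            if api != "SaslAuthenticate":
                return i, api, state.name
            if outcome == "ok":
                state = SaslState.COMPLETE
            elif outcome == "fail":
                state = SaslState.FAILED
    return None

# Constructed traces, one per connection (not captured from a real client).
TRACES = {
    "conn-1": [("SaslHandshake", "ok"), ("SaslAuthenticate", "ok"), ("Metadata", "ok")],
    "conn-2": [("Metadata", "ok")],
    "conn-3": [("SaslAuthenticate", "ok"), ("SaslHandshake", "ok")],
    "conn-4": [("SaslHandshake", "ok"), ("SaslAuthenticate", "fail"), ("Produce", "ok")],
    "conn-5": [("SaslHandshake", "ok"), ("SaslAuthenticate", "continue"),
               ("SaslAuthenticate", "ok"), ("Fetch", "ok")],
}

def check_all(traces):
    """Map each connection id to its first violation (None when clean)."""
    return {conn: first_violation(t) for conn, t in traces.items()}

if __name__ == "__main__":
    for conn, result in check_all(TRACES).items():
        print(conn, "->", result or "order is valid")
```

Pass the APIs your broker accepts before the handshake, if any, as `pre_auth_ok` so they are not reported.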
Diagnostic Commands
# Look for authentication errors in logs
grep 'IllegalSaslState\|ILLEGAL_SASL_STATE\|SaslHandshake\|SaslAuthenticate' /var/log/kafka/server.log | tail -30
# Verify TLS handshake to the broker
openssl s_client -connect <broker>:9093 </dev/null 2>&1 | head -20
Related APIs
This error can be returned by: SaslAuthenticate · SaslHandshake