Kafka Exception IllegalSaslStateException
org.apache.kafka.common.errors.IllegalSaslStateException
Non-retriable
Security
This exception indicates unexpected requests prior to SASL authentication. This could be due to misconfigured security, e.g. if PLAINTEXT protocol is used to connect to a SASL endpoint.
Common Causes
- Client sent a non-SASL request (e.g., Metadata or ApiVersions) before completing the SASL handshake sequence
- Client reusing a connection after a failed authentication attempt without re-initiating the SASL handshake
- Client library bug where it sends SaslAuthenticate before SaslHandshake, violating the expected state machine
Solutions
- Upgrade the client library — this is almost always a client-side protocol implementation bug; check known issues in the library's issue tracker
- Ensure the client does not reuse connections after authentication failures; configure reconnect backoff settings
- Enable debug-level logging on the client (log4j: org.apache.kafka=DEBUG) to trace the exact request order during SASL negotiation
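Once the DEBUG trace gives the request order for a connection, it can be checked against the sequence a SASL listener expects. The following is an added example, not code from Kafka or from this page: a simplified Python model in which the state names, the `first_violation` helper and the trace format are assumptions, and the traces are constructed.

```python
# Simplified model (assumption), not Kafka broker code.
from enum import Enum, auto


class State(Enum):
    INITIAL = auto()         # nothing received yet
    VERSIONS_SEEN = auto()   # optional ApiVersions seen, handshake still pending
    AUTHENTICATING = auto()  # SaslHandshake accepted, SaslAuthenticate expected
    AUTHENTICATED = auto()   # any request is allowed from here on
    FAILED = auto()          # authentication failed; connection must not be reused


def first_violation(trace):
    """Return (index, request, state_name) of the first out-of-order request, or None.

    trace: ordered (request_name, outcome) tuples for one connection; outcome is
    read only for SaslAuthenticate and is "ok", "continue" or "fail".
    """
    state = State.INITIAL
    for i, (req, outcome) in enumerate(trace):
        if state is State.AUTHENTICATED:
            continue
        if state is State.FAILED:
            return (i, req, state.name)
        if req == "ApiVersions" and state is State.INITIAL:
            state = State.VERSIONS_SEEN
        elif req == "SaslHandshake" and state in (State.INITIAL, State.VERSIONS_SEEN):
            state = State.AUTHENTICATING
        elif req == "SaslAuthenticate" and state is State.AUTHENTICATING:
            if outcome == "ok":
                state = State.AUTHENTICATED
            elif outcome == "fail":
                state = State.FAILED
            # "continue": multi-round mechanism, stay in AUTHENTICATING
        else:
            return (i, req, state.name)
    return None


# Constructed traces, one per cause listed under Common Causes plus a valid one.
TRACES = {
    "valid": [("ApiVersions", None), ("SaslHandshake", None),
              ("SaslAuthenticate", "ok"), ("Metadata", None)],
    "metadata_first": [("Metadata", None)],
    "auth_before_handshake": [("SaslAuthenticate", "ok")],
    "reuse_after_failure": [("SaslHandshake", None), ("SaslAuthenticate", "fail"),
                            ("SaslAuthenticate", "ok")],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, first_violation(trace))
```

The reported index points at the request to look for in the client log; the state name says which step the client skipped or repeated.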
Example Stack Trace
org.apache.kafka.common.errors.IllegalSaslStateException: Request is not valid given the current SASL state.
Diagnostic Commands
# Look for authentication errors in logs
grep 'IllegalSaslState\|ILLEGAL_SASL_STATE\|SaslHandshake\|SaslAuthenticate' /var/log/kafka/server.log | tail -30
# Verify TLS handshake to the broker
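# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect <broker>:9093 </dev/null 2>&1 | head -20
Related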
Protocol error: ILLEGAL_SASL_STATE (code 34)
Related Security exceptions: AuthenticationException · AuthorizationException · AuthorizerNotReadyException · ClusterAuthorizationException · GroupAuthorizationException · SaslAuthenticationException · SslAuthenticationException · TopicAuthorizationException