Failed Authentication: Too many connects

[rakrak98]

What does this error indicate? The logic of my application is that I have 2 producer and one consumer running in parallel with eachother, is that what may be causing this issue? This is the first time I have seen this error:

22:03:32.012 [kafka-producer-network-thread | producer-1] INFO org.apache.kafka.common.network.Selector - [Producer clientId=producer-1] Failed authentication with example.kafka.us-east-1.amazonaws.com/10.1.1.132 ([446c81dc-9ab3-4d4b-b174-4ecd9baa406c]: Too many connects)
22:03:32.046 [kafka-producer-network-thread | producer-1] ERROR org.apache.kafka.clients.NetworkClient - [Producer clientId=producer-1] Connection to node -1 (example.kafka.us-east-1.amazonaws.com/10.1.1.132:9098) failed authentication due to: [446c81dc-9ab3-4d4b-b174-4ecd9baa406c]: Too many connects

[liko9]

This error is the result of too many connection requests at the same time given your broker's instance size. You probably want to set reconnect.backoff.ms to something higher than default. See this link for some information: https://docs.aws.amazon.com/msk/latest/developerguide/limits.html

[sayantacC]

"Too many connects" is a sign that one or more IAM clients are trying to connect to a particular broker too many times per second and the broker is protecting itself.
What is the size of broker on the cluster (t3.small / m5.xl ...) ?
What is the reconnect.backoff.ms set to on the clients ? Setting this higher should help clients backoff and retry connections such that the broker does not need to reject new connections because of the connection rate.

Please note this error is not about the total number of connections per broker but the rate of new IAM connections per broker.
See https://docs.aws.amazon.com/msk/latest/developerguide/limits.html for the limit on the rate of new IAM connections per broker for different broker sizes.

[rakrak98]

@sayantacC @liko9 Thanks a lot for the detailed answer! Making this change worked for me. Maybe I missed it, but was this limits page referenced in the IAM documentation? I think it would be helpful to have that. Thanks again!

[TheSuperAgent]

I have increased this value, but still getting the error. Im running kafka connect in distributed mode. And this is the error from the kafka connect service.

org.apache.kafka.connect.errors.ConnectException: Failed to connect to and describe Kafka cluster. Check worker's broker connection and security properties.
        at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:70)
        at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:51)
        at org.apache.kafka.connect.storage.KafkaOffsetBackingStore.configure(KafkaOffsetBackingStore.java:86)
        at org.apache.kafka.connect.cli.ConnectDistributed.startConnect(ConnectDistributed.java:112)
        at org.apache.kafka.connect.cli.ConnectDistributed.main(ConnectDistributed.java:80)
Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: [b823641a-a49b-4326-80bd-4c4a00b4e375]: Too many connects
        at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
        at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
        at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
        at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
        at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:64)
        ... 4 more
Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: [b823641a-a49b-4326-80bd-4c4a00b4e375]: Too many connects

[sayantacC]

@BhuviTheDataGuy The number of kafka connect workers will increase the rate of new connections to the kafka brokers. Depending on the number of kafka connect workers you have, you might need to set the reconnect.backoff.ms even higher. What is the number of workers in your setup and the value of reconnect.backoff.ms ?
What is the type of broker you are using ? (t3.small / m5.xl)

[TheSuperAgent]

Instance type - t3.small(2 broker)
rexonnext.backoff.ms 100000

[sayantacC]

@BhuviTheDataGuy Sorry for the delayed response. If you update the broker type to a larger instance, does the problem go away ?

[mfbieber]

We are encountering the same problems. Setting reconnect.backoff.ms to e.g. 10000 doesn't make a difference, since the exception that is being thrown (SaslAuthenticationException) is not retryable (see https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/clients/admin/KafkaAdminClient.java#L808) and ultimately leads to a new creation of a client, not a reconnect.

When would the reconnect take place? As I went through the implementation, what I see is:

1. that startConnect() in ConnectDistributed is calling the constructor of Worker
2. the constructor of Worker calls ConnectUtils.lookupKafkaClusterId(config)
3. that method calls Admin.create(config.originals())
4. if you follow the calls from there, you will see that you end up not retrying upon obtaining SaslAuthenticationException (https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/clients/admin/KafkaAdminClient.java#L808)

Even if the retry would work, several AdminClients are created, which all connect to the MSK cluster. Since this is not a reconnect, reconnect.backoff.ms settings cannot work for remediation. There is no mechanism in the Kafka code that would globally allow restricting these connections to happen only every x seconds. Unless I oversee something, MSK Connect should only work by chance with t3.small instances.

So either AWS removes the limit on t3.small for IAM connections or the Kafka clients throw a different exception :-/

See parts of our logs using AWS MSK Connect:

[Worker-05ea3408948fa0a4c] [2022-01-01 22:41:53,059] INFO Creating Kafka admin client (org.apache.kafka.connect.util.ConnectUtils:49)
[Worker-05ea3408948fa0a4c] [2022-01-01 22:41:53,061] INFO AdminClientConfig values:
...
[Worker-05ea3408948fa0a4c] 	reconnect.backoff.max.ms = 10000
[Worker-05ea3408948fa0a4c] 	reconnect.backoff.ms = 10000
[Worker-05ea3408948fa0a4c] 	request.timeout.ms = 30000
[Worker-05ea3408948fa0a4c] 	retries = 2147483647
[Worker-05ea3408948fa0a4c] 	retry.backoff.ms = 10000
...
[Worker-05ea3408948fa0a4c] [2022-01-01 22:41:54,269] ERROR Stopping due to error (org.apache.kafka.connect.cli.ConnectDistributed:86)
[Worker-05ea3408948fa0a4c] org.apache.kafka.connect.errors.ConnectException: Failed to connect to and describe Kafka cluster. Check worker's broker connection and security properties.
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:70)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:51)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.runtime.Worker.<init>(Worker.java:140)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.runtime.Worker.<init>(Worker.java:127)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.cli.ConnectDistributed.startConnect(ConnectDistributed.java:118)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.cli.ConnectDistributed.main(ConnectDistributed.java:80)
[Worker-05ea3408948fa0a4c] Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.SaslAuthenticationException: [e4afe53f-73b5-4b94-9ac3-30d737071e56]: Too many connects
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.common.internals.KafkaFutureImpl.wrapAndThrow(KafkaFutureImpl.java:45)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.common.internals.KafkaFutureImpl.access$000(KafkaFutureImpl.java:32)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.common.internals.KafkaFutureImpl$SingleWaiter.await(KafkaFutureImpl.java:89)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.common.internals.KafkaFutureImpl.get(KafkaFutureImpl.java:260)
[Worker-05ea3408948fa0a4c] 	at org.apache.kafka.connect.util.ConnectUtils.lookupKafkaClusterId(ConnectUtils.java:64)
[Worker-05ea3408948fa0a4c] 	... 5 more
[Worker-05ea3408948fa0a4c] Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: [e4afe53f-73b5-4b94-9ac3-30d737071e56]: Too many connects
[Worker-05ea3408948fa0a4c] [2022-01-01 22:41:54,281] INFO Stopped http_0.0.0.08083@68631b1d{HTTP/1.1, (http/1.1)}{0.0.0.0:8083} (org.eclipse.jetty.server.AbstractConnector:381)
[Worker-05ea3408948fa0a4c] [2022-01-01 22:41:54,283] INFO Stopped https_0.0.0.08443@611d0763{SSL, (ssl, http/1.1)}{0.0.0.0:8443} (org.eclipse.jetty.server.AbstractConnector:381)
[Worker-05ea3408948fa0a4c] MSK Connect encountered errors and failed.

Since this forces us to use the m5.large instance or not use IAM, I wrote this question in the AWS re:Post site to hopefully obtain help from the AWS community on this: https://repost.aws/questions/QU3qd8DVjTR4qHH_4Zf4KtuA/msk-connect-on-t-3-small-fails-due-to-not-retryable-sasl-authentication-exception-reconnect-backoff-ms-worker-configuration-will-not-help-can-aws-remove-the-connection-limit

[liko9]

@mfbieber What do your Kafka Connect configurations look like? Obviously, please mask anything sensitive, but I'm keenly interested in how you are setting the backoff parameter. One element of Kafka Connect which isn't immediately obvious is the number of different contexts it runs within. In my testing, I had to set the backoff for two additional contexts - Producer and Consumer. From what you shared, it appears that your AdminClientConfig took the parameter as expected, but I'd be curious to see if the others did as well (my guess is that they did not). Also, you are referencing trunk in your code investigation - did you compile the latest version from trunk yourself, or are you using a specific version of Apache Kafka?
In my successful tests against a t3.small MSK cluster, I had the following parameters set:

reconnect.backoff.ms=1000
reconnect.backoff.max.ms=60000
producer.reconnect.backoff.ms=1000
producer.reconnect.backoff.max.ms=60000
consumer.reconnect.backoff.ms=1000
consumer.reconnect.backoff.max.ms=60000

I believe this is because the default of the backoff timing is 50ms, which is way too quick for MSK using IAM. I also set the backoff.max.ms higher than my backoff.ms so that it could happen more than once instead of failing immediately. (reference: https://kafka.apache.org/documentation/#producerconfigs_reconnect.backoff.max.ms)

[mfbieber]

Hi @liko9 , thanks for your interest and your answer! I tried your configuration, but I am seeing the same errors as before with this worker configuration:

  key.converter=org.apache.kafka.connect.storage.StringConverter
  value.converter=org.apache.kafka.connect.storage.StringConverter
  reconnect.backoff.ms=10000
  reconnect.backoff.max.ms=60000
  producer.reconnect.backoff.ms=10000
  producer.reconnect.backoff.max.ms=60000
  consumer.reconnect.backoff.ms=10000
  consumer.reconnect.backoff.max.ms=60000

Also, because I am unsure of how to configure the connector, I added those values to the connector configuration (where should they actually go? I would have thought the worker, but I am just starting out with Kafka):

{
  "connector.class": "io.confluent.connect.s3.S3SinkConnector",
  "flush.size": "2",
  "format.bytearray.extension": ".txt",
  "format.class": "io.confluent.connect.s3.format.bytearray.ByteArrayFormat",
  "locale": "en-US",
  "partitioner.class": "io.confluent.connect.storage.partitioner.DailyPartitioner",
  "retry.backoff.ms": "10000",
  "reconnect.backoff.ms": "10000",
  "reconnect.backoff.max.ms": "60000",
  "producer.reconnect.backoff.ms": "10000",
  "producer.reconnect.backoff.max.ms": "60000",
  "consumer.reconnect.backoff.ms": "10000",
  "consumer.reconnect.backoff.max.ms": "60000",
  "s3.bucket.name": "${s3_destination_bucket}",
  "s3.compression.type": "gzip",
  "s3.part.retries": "10",
  "s3.region": "${region}",
  "s3.retry.backoff.ms": "10000",
  "storage.class": "io.confluent.connect.s3.storage.S3Storage",
  "tasks.max": "1",
  "timestamp.extractor": "Record",
  "timezone": "UTC",
  "topics": "${topics}",
  "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter"
}

In the connector log, I also see:

...
[Worker-0a0d8cc42ea8ff79d] [2022-01-04 22:13:29,076] WARN The configuration 'consumer.reconnect.backoff.ms' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig:369)
...
[Worker-0a0d8cc42ea8ff79d] [2022-01-04 22:13:29,080] WARN The configuration 'consumer.reconnect.backoff.max.ms' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig:369)
...
[Worker-0a0d8cc42ea8ff79d] [2022-01-04 22:13:29,088] WARN The configuration 'producer.reconnect.backoff.max.ms' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig:369)
...
[Worker-0a0d8cc42ea8ff79d] [2022-01-04 22:13:29,089] WARN The configuration 'producer.reconnect.backoff.ms' was supplied but isn't a known config. (org.apache.kafka.clients.admin.AdminClientConfig:369)
...

From what you shared, it appears that your AdminClientConfig took the parameter as expected, but I'd be curious to see if the others did as well (my guess is that they did not).

I believe I am seeing the AdminClientConfig only. That one is crashing (as described) and I believe that prevents any producers and consumers from being started maybe?

Also, you are referencing trunk in your code investigation - did you compile the latest version from trunk yourself, or are you using a specific version of Apache Kafka?

The Kafka Connect version is 2.7.1 and the cluster's Kafka version is 2.8.1.
We didn't compile anything, we are using the managed MSK for the Kafka Cluster and configuring the connector via the AWS CLI, providing a bunch of JSON data to configure everything.
We simply checked out the code and wanted to understand why the AdminClient connects that often. We wanted to see if there is a retry upon rejection because of the IAM limitation and if the reconnect mechanism is wrapped around those AdmiClient creations with their connection attempts.

I believe it is easier if you see the full Kafka Connect Worker log, I've attached it here. That contains no production-relevant information:
20220104T2210Z_2dda6191.log.gz

I really hope that I am missing something in the configuration.

[liko9]

@mfbieber First off, thank you for your detailed descriptions and full logs. If more people were willing to provide that, it would make troubleshooting far, far easier.

I previously overlooked that you are using MSK Connect. I do see in the logs the same as you, that the AdminClientConfig has accepted the parameters you provided, and these do match my working configuration. However, my working configuration not from MSK Connect but rather Kafka Connect running on an EC2 instance (created prior to the availability of MSK Connect).

You are correct that because the AdminClient is unable to check its topics (the config, offsets, and storage topics) in MSK due to the "too many connects" error, it is not continuing to where the producer or consumer are initialized.

There is an automatic retry / reconnection attempt that the reconnect.backoff parameters are used by. I'm at a loss as to why this isn't working within MSK Connect - I'd suggest opening a support case to see if the service team can see anything that we're not seeing in the logs.

The parameters are worker level parameters (not connector parameters), so you did that in the proper place. The two things you could try while you're waiting on support are to try to set reconnect.backoff.ms to 10000 (make it 10s instead of 1s - this is a totally silly idea but it might be interesting if the behavior changes) or you could try running Kafka Connect yourself in EC2. I'm sorry that I couldn't be of further help.

[Gatsby-Lee]

Hello All,

I am having this issue as well.

(Not working) Test1: t3.small + no custom config for reconnect.backoff

I reached out to AWS Support. And, I was told that the issue is related to the TCP connection limit.
( https://docs.aws.amazon.com/msk/latest/developerguide/limits.html )
AWS Support asked me to increase the instance type to m5.large ( why? )
I was not convinced since I only use one MSK connector ( using IAM ).

(Not working) Test2: t3.small + overriding these reconnect.backoff

• producer.reconnect.backoff.max.ms=1200000
• producer.reconnect.backoff.ms=1000

I wasn't convinced by what AWS support said, so I tried with the updated config.
However, it failed with these log. And I googled the error and got here.

[Worker-0e73633c0bd7070df] Caused by: org.apache.kafka.common.errors.SaslAuthenticationException: [551e2ed2-38d0-4069-aefa-26fb70ee52ed]: Too many connects

Honestly, it doesn't make sense that I have to increase the machine type because t3.small can't handle IAM auth request from one MSK connector.

[sayantacC]

Although, sadly I do not yet have a solution to offer, I want to reopen the issue to raise visibility.