Problem:
Attempting to test AAA authentication via LDAP to a Windows domain Controller.
Authentication test to host {IP-Address} failed. Following error occurred – ERROR: Authentication Server not responding: AAA Server has been removed
Solution:
This is a terribly ambiguous error! What it means is that the ASA cannot bind to active directory, either because:
- The ASA bind account password is wrong.
- The ASA bind username, (or path to the user object) is wrong.
- You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not authenticating via LDAPS.
- There is no connectivity between the ASA and the LDAP server.
You can narrow it down by running the following debug:
In the following output you can see either the username or the password is wrong:
|
ASA(config)# debug ldap 255 debug ldap enabled at level 255 [-2147483629] Session Start [-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication [-2147483629] Fiber started [-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389 [-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful [-2147483629] supportedLDAPVersion: value = 3 [-2147483629] supportedLDAPVersion: value = 2 [-2147483629] Binding as asa [-2147483629] Performing Simple authentication for asa to 192.168.110.10 [-2147483629] Simple authentication for asa returned code (49) Invalid credentials [-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server [-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2 [-2147483629] Session End |
In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured, (or not answering on TCP 636):
|
ASA(config)# debug ldap 255 debug ldap enabled at level 255 [-2147483625] Session Start [-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication [-2147483625] Fiber started [-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636 [-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed [-2147483625] Unable to read rootDSE. Can't contact LDAP server. [-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2 [-2147483625] Session End |
For us the issue had been nailed down to Active Directory Group Policies based on the following message: “A stronger authentication method is required for this server”
You you need to change the following:
- Domain controller: LDAP server signing requirements to NONE
- Network security:LDAP client signing requirements to NEGOTIATE
Reference:
https://www.petenetlive.com/KB/Article/0001271
http://mehmetyeni.com/cucm-ldap-connection-problem-error-while-connecting-to-ldapip-address389-null/