Problem:

Attempting to test AAA authentication via LDAP to a Windows domain Controller.

AAA Server has been removed

Authentication test to host {IP-Address} failed. Following error occurred – ERROR: Authentication Server not responding: AAA Server has been removed

Solution:

This is a terribly ambiguous error! What it means is that the ASA cannot bind to Active Directory, either because:

  • The ASA bind account password is wrong.
  • The ASA bind username (or the path to the user object) is wrong.
  • You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not configured for LDAPS.
  • There is no connectivity between the ASA and the LDAP server.

You can narrow it down by running the following debug:

In the following output you can see either the username or the password is wrong:

In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured for it (or is not answering on TCP 636):
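To narrow the four causes down from a test host without a console on the ASA, here is an added example (not from the original article or from Cisco) that performs the same simple bind the ASA does and maps the LDAP result onto the list above: a socket or TLS error points at connectivity or the LDAPS mismatch, resultCode 8 (strongerAuthRequired) is the "stronger authentication method is required" case, and for resultCode 49 Active Directory's "data 52e" versus "data 525" suffix tells password wrong apart from bind DN wrong. The bind DN, password and host values are placeholders you supply; the AD data codes are the documented AcceptSecurityContext values.

```python
import re
import socket
import ssl

# AD's "data <hex>" suffix on invalidCredentials (49) separates 'DN/path wrong' from 'password wrong'
AD_DATA_CODES = {"525": "bind DN not found (username or path wrong)", "52e": "password wrong", "775": "locked out"}

def tlv(tag, payload):  # BER TLV: short-form length below 128 bytes, else the 0x82 two-byte form
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which the server may use for a big diagnostic message
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def bind_request(bind_dn, password, msg_id=1):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    op = tlv(0x02, b"\x03") + tlv(0x04, bind_dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def parse_bind_response(pdu):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1] PDU."""
    _, msg, _ = read_tlv(pdu)
    _, _, pos = read_tlv(msg)                       # messageID
    _, resp, _ = read_tlv(msg, pos)                 # protocolOp, tag 0x61
    _, code, pos = read_tlv(resp)                   # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)                 # matchedDN
    _, diag, _ = read_tlv(resp, pos)                # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode(errors="replace")

def classify(code, diag):  # map a bind result onto the causes listed in the article
    if code == 49:  # invalidCredentials: AD's data code says which part is wrong
        m = re.search(r"data (\w+)", diag)
        return AD_DATA_CODES.get(m.group(1) if m else "", "invalid credentials")
    return {0: "bind succeeded: bind DN and password are fine",
            8: "server requires signing or TLS on this port (the GPO case above)",
            }.get(code, f"LDAP resultCode {code}: {diag}")

def probe(host, bind_dn, password, port=389, use_tls=False, timeout=5):
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:  # LDAPS (636): a handshake failure here is the 'server not answering LDAPS' case
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(bind_request(bind_dn, password))
            return classify(*parse_bind_response(sock.recv(4096)))
    except OSError as exc:  # ssl.SSLError is an OSError subclass; connection refused/timeout land here
        return f"no LDAP bind possible on TCP {port}: {exc}"
```

Run `probe("dc01.example.local", "cn=asa,ou=svc,dc=example,dc=local", "...")` once on 389 and once with `port=636, use_tls=True` to see which of the four causes you are dealing with.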

For us the issue had been nailed down to Active Directory Group Policies based on the following message: “A stronger authentication method is required for this server”. That message is the domain controller's LDAP signing policy rejecting the ASA's unsigned simple bind on TCP 389; a bind over LDAPS (TCP 636) satisfies the same policy without changing it.

You need to change the following:

  • Domain controller: LDAP server signing requirements to NONE
  • Network security: LDAP client signing requirements to NEGOTIATE

Reference:

https://www.petenetlive.com/KB/Article/0001271
http://mehmetyeni.com/cucm-ldap-connection-problem-error-while-connecting-to-ldapip-address389-null/