KB ID 0001271
Problem
Seen while attempting to test AAA authentication via LDAP to a Windows domain Controller.
Authentication test to host {IP-Address} failed. Following error occurred –
ERROR: Authentication Server not responding: AAA Server has been removed
Solution
This is a terribly ambiguous error! What it actually means is that the ASA cannot bind to Active Directory, for one of the following reasons:
- The ASA bind account password is wrong.
- The ASA bind username, (or path to the user object) is wrong.
- You have set the LDAP server group to use LDAPS (port 636) but the server specified as an LDAP host is not serving LDAPS on that port.
- There is no connectivity between the ASA and the LDAP server.
You can narrow it down by running the following debug:
[box]debug ldap 255[/box]
In the following output you can see that either the username or the password is wrong (bind result code 49, Invalid credentials):
[box]
Petes-ASA(config)# debug ldap 255
debug ldap enabled at level 255
[-2147483629] Session Start
[-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483629] Fiber started
[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] supportedLDAPVersion: value = 3
[-2147483629] supportedLDAPVersion: value = 2
[-2147483629] Binding as asa
[-2147483629] Performing Simple authentication for asa to 192.168.110.10
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2
[-2147483629] Session End
[/box]
In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured for it (or is not answering on TCP 636), so the connection itself fails before any bind is attempted:
[box]
Petes-ASA(config)# debug ldap 255
debug ldap enabled at level 255
[-2147483625] Session Start
[-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication
[-2147483625] Fiber started
[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483625] Session End
[/box]
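The two traces above differ in exactly the lines that matter: the connect status and the bind result code. The following is an added example (not from this article or from Cisco) that reads "debug ldap 255" output, pulls out those fields and maps them to the causes in the checklist above; the sample traces it runs over are abridged copies of the two shown here.

```python
import re

# Constructed samples, abridged from the two debug traces above.
SAMPLE_BAD_CREDS = """[-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389
[-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful
[-2147483629] Binding as asa
[-2147483629] Simple authentication for asa returned code (49) Invalid credentials
[-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2"""

SAMPLE_LDAPS_DOWN = """[-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636
[-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed
[-2147483625] Unable to read rootDSE. Can't contact LDAP server.
[-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2"""

URI_RE = re.compile(r"Creating LDAP context with uri=(?P<uri>\S+)")
CONNECT_RE = re.compile(r"Connect to LDAP server: \S+, status = (?P<status>\w+)")
BIND_RE = re.compile(r"Simple authentication for (?P<user>\S+) returned code \((?P<code>\d+)\)")


def classify_ldap_debug(output: str) -> dict:
    """Extract URI, connect status and bind result from 'debug ldap 255' output
    and name the probable cause. Result codes are standard LDAP: 0 = success,
    49 = invalidCredentials."""
    uri = URI_RE.search(output)
    connect = CONNECT_RE.search(output)
    bind = BIND_RE.search(output)
    info = {
        "uri": uri.group("uri") if uri else None,
        "connect_status": connect.group("status") if connect else None,
        "bind_user": bind.group("user") if bind else None,
        "bind_code": int(bind.group("code")) if bind else None,
    }
    if info["connect_status"] == "Failed":
        # TCP/TLS never came up, so credentials were never tested.
        if info["uri"] and info["uri"].startswith("ldaps://"):
            info["cause"] = "ldaps-connect-failed"  # nothing serving TCP 636, or no route
        else:
            info["cause"] = "ldap-connect-failed"   # no connectivity to the LDAP host
    elif info["bind_code"] == 49:
        info["cause"] = "invalid-credentials"      # wrong bind password, username or user DN
    elif info["bind_code"] == 0:
        info["cause"] = "bind-ok"
    elif info["bind_code"] is not None:
        info["cause"] = f"bind-code-{info['bind_code']}"
    else:
        info["cause"] = "unknown"
    return info
```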
Related Articles, References, Credits, or External Links
Cisco – Testing AAA Authentication (Cisco ASA and IOS)
Cisco ASA – AnyConnect Authentication via LDAP and Domain User Groups