LDAPS does not work with NSX 4.1.0 or above

Article ID: 322433

Products

VMware NSX

Issue/Introduction

  • NSX is installed in version 4.1.0 or above.
  • The following error occurs while establishing a secure connection with the LDAP server:
  • LDAPS (default port 636) or LDAP with StartTLS does not work.
  • Logs (/var/log/proton/policy-ui.log, /var/log/syslog, or /var/log/proton/nsxapi.log) show:
    Error: Unable to obtain server certificate. Communication error. Verify that the IP address/hostname, port, and other parameters are correct. (Error code: 53000)
  • Identity Firewall (IDFW) status is shown as DOWN for the configured LDAP server.
  • LDAP (port 389) is not affected.
  • From NSX Manager, a TCP connection to the LDAPS server on port 636 succeeds:
    nc -vz <ldaps-server> 636
  • Packet capture on NSX Manager shows a connection reset from the LDAP server during the connection status check.
  • LDAP authentication may work, but the Check Status button fails. (Note: This specific UI behavior is resolved in VMware NSX 4.2.0.)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX 4.x

Cause

This behavior occurs because older, insecure TLS cipher suites were disabled in NSX 4.1 and higher to enhance security posture.

Connections fail if the LDAP server does not support the secure cipher suites required by the NSX Proton service or if it uses TLS versions earlier than 1.2.

NSX no longer supports TLS versions 1.1 and earlier by default.

Resolution

This is a condition that may occur in a VMware NSX environment.

  • Ensure the LDAPS server, or the LDAP server used with StartTLS, is configured with TLS 1.2 or later and with at least one of the supported cipher suites listed under Additional Information.

If you believe you have encountered this issue and are unable to upgrade the LDAPS or LDAP with StartTLS server cipher suite at this time, please open a support case with Broadcom Support and refer to this KB article.
For more information, see Creating and managing Broadcom support cases.

Additional Information

Cipher suites used by VMware NSX 4.1 and above:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Cipher suites used by VMware NSX 4.2 and above:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
Cipher suites used by previous versions of VMware NSX:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
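The check behind the Cause and Resolution sections above is whether the LDAP server can complete a TLS 1.2 (or later) handshake when the client offers only the suites in the NSX profile. The script below is an added example, not code from the KB or from VMware/Broadcom. It builds a client context restricted to the profile's suites, performs the handshake against an LDAPS port (or sends the LDAP StartTLS extended request first on port 389), and reports the negotiated cipher or the failure, which in the KB's scenario is a reset or a "no shared cipher" handshake error. The function names, the IANA-to-OpenSSL cipher-name mapping and the StartTLS BER encoding are my own additions from the public specifications; the 4.1 profile is not capped at TLS 1.2 because the KB does not say whether NSX 4.1 offers TLS 1.3, and TLS 1.3 suites cannot be selected through Python's ssl module.

```python
import socket
import ssl

# Cipher suites from the KB's "Additional Information" section, keyed by NSX release.
# Python's ssl module cannot select TLS 1.3 suites (TLS_AES_*): OpenSSL enables them
# whenever TLS 1.3 is negotiable, so set_ciphers() below only covers TLS 1.2 suites.
NSX_PROFILES = {
    "4.1": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"],
    "4.2": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256"],
}

# IANA suite names -> OpenSSL cipher-string names (TLS 1.2 suites only).
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)


def shared_suites(server_suites, profile="4.1"):
    """Suites a server's TLS policy has in common with an NSX profile.

    An empty result means the handshake in the KB will fail ('no shared cipher')."""
    return set(server_suites) & set(NSX_PROFILES[profile])


def nsx_client_context(profile="4.1", verify=True):
    """Client context offering what NSX offers: TLS 1.2 or later and only the profile's suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # NSX no longer offers TLS 1.1 or below
    ctx.set_ciphers(":".join(IANA_TO_OPENSSL[s] for s in NSX_PROFILES[profile]
                             if s in IANA_TO_OPENSSL))
    if verify:
        ctx.load_default_certs()                          # trust the system CA store
    else:                                                 # cipher-negotiation probe only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_starttls_request(message_id=1):
    """BER-encode LDAPMessage{messageID, extendedRequest{requestName=StartTLS OID}}."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext = bytes([0x77, len(name)]) + name                    # [APPLICATION 23] ExtendedRequest
    mid = bytes([0x02, 0x01, message_id])                    # INTEGER messageID
    return bytes([0x30, len(mid) + len(ext)]) + mid + ext    # SEQUENCE LDAPMessage


def _read_tlv(buf, pos=0):
    """Minimal BER tag/length/value reader (short and long-form lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_starttls_response(buf):
    """Return the LDAP resultCode of an extendedResponse; 0 means StartTLS was accepted."""
    tag, msg, _ = _read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _read_tlv(msg)                               # skip messageID
    tag, resp, _ = _read_tlv(msg, pos)
    if tag != 0x78:                                          # [APPLICATION 24] ExtendedResponse
        raise ValueError("unexpected LDAP tag 0x%02x" % tag)
    _, code, _ = _read_tlv(resp)                             # ENUMERATED resultCode
    return int.from_bytes(code, "big")


def probe_ldap_tls(host, port=636, profile="4.1", starttls=False, verify=True, timeout=5.0):
    """Attempt the handshake NSX would attempt; report negotiated parameters or the failure."""
    ctx = nsx_client_context(profile, verify)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        if starttls:                                         # LDAP on 389: upgrade first
            raw.sendall(build_starttls_request())
            code = parse_starttls_response(raw.recv(4096))
            if code != 0:
                raw.close()
                return {"ok": False, "error": "StartTLS refused, resultCode %d" % code}
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:                   # reset, timeout, no shared cipher, ...
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    import sys
    target, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for name in NSX_PROFILES:
        print(name, probe_ldap_tls(target, port, name, starttls=(port == 389)))
```

Run it as `python3 probe.py <ldaps-server> 636` (or `389` for StartTLS) from a host that can reach the LDAP server; a result of `ok: False` with a reset or handshake-failure error, while `nc -vz` to the same port succeeds, reproduces the KB's symptom and points at the server's cipher or protocol configuration rather than at network reachability. Use `verify=False` only to separate a cipher problem from a certificate-trust problem, since the KB's "Unable to obtain server certificate" message covers both.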

The below packet capture shows the client hello from VMware NSX Manager offering the two cipher suites: