• Access to the NSX Manager UI fails with a "503 Service Unavailable" error. 
• NSX Manager API requests return 503 errors with the UAEX (Upstream Auth Exception) flag timing out consistently at 60 seconds:
  /var/log/proxy/envoy_access_log.txt
  

  <Timestamp> <IP> <NSX Manager IP> "GET" "/api/v1/transport-nodes/<Transport Node UUID>/network/interfaces/vmk1/stats?source=cached" "HTTP/1.1" 503 UAEX 0 0 60000 - "<IP>" "vAPI/2.14.0 Java/11.0.28 (Linux; 6.1.143-3.ph5; amd64)" "cf######-####-####-####-########d3" "<IP>" "-"

• The internal request timestamps match the Envoy 503 errors within milliseconds, confirming that the authentication layer is blocking:
  /var/log/proxy/reverse-proxy.log
  

  <Timestamp> INFO ... HttpClientUtil ... Making request to http://127.0.0.1:6565/api/v1/node
  <Timestamp> INFO ... HttpClientUtil ... Making request to http://127.0.0.1:6565/api/v1/node

• External LDAP is configured with StartTLS on port 389 with 5000ms timeouts configured (as an example):
  /var/log/proxy/reverse-proxy.log
  

  <Timestamp> ... Populated ldap mappings {<Base DN>=LdapResourceConfig [..., useStarttls=true, url=LDAP://<LDAP Server>:389, ...]}
  <Timestamp> ... Using LDAP timeout values of connectTimeout: 5000ms and readTimeout: 5000ms.

• LDAP TLS negotiation failures observed:
  /var/log/proxy/localhost.log
  

  Connection Reset errors during TLS handshake:
  <Timestamp> SEVERE org.apache.catalina.core.StandardWrapperValve invoke Servlet.service() for servlet [default] in context with path [] threw exception
  org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is java.net.SocketException: Connection reset
  
  Connection Timed Out errors:
  <Timestamp> SEVERE org.springframework.ldap.UncategorizedLdapException: Failed to negotiate TLS session; nested exception is java.net.SocketException: Connection timed out
  
  LDAP Read Timeout :
  <Timestamp> SEVERE org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: LDAP response read timed out, timeout used: 5000 ms.; remaining name '<Base DN>'

VMware NSX

The external LDAP server is unresponsive or delayed during the TLS handshake.  Envoy waits 60 seconds (default upstream timeout of the Envoy proxy) for auth server to respond. If no response is received Envoy terminates the connection and returns a 503 UAEX error. 

This is a condition that may occur in a VMware NSX environment.

The permanent resolution requires addressing the latency or handshake failures on the external LDAP/Identity Provider infrastructure:

• Ensure that the LDAP server is reachable and performing within the configured connectTimeout and readTimeout (default 5000ms).
• Inspect firewalls or load balancers between NSX Managers and LDAP servers for TCP resets or dropped packets during StartTLS negotiation.
• Ensure the LDAP server properly supports StartTLS on port 389 and that the certificate chain is valid.

Workaround
If the UI is inaccessible and an immediate restoration of service is required, restart the authentication service on the affected NSX Manager(s):

• Log in to the NSX Manager CLI as admin and run the following command:  restart service auth