Reason 6, userstore not accessible in VIP Enterprise Gateway
Article ID: 440759

Products

VIP Service

Issue/Introduction

When a VIP Enterprise Gateway (VIP EG) Validation Server processes a RADIUS Access-Request, it performs a first-factor check by querying the enterprise LDAP / Active Directory user store. If the gateway cannot reach that directory — regardless of the authentication mode (ULO, UO) — it sets reason=6 in the RADIUS reply message and returns an Access-Reject to the RADIUS client.

Reason 6 is a connectivity failure, not an authentication failure. It means VIP EG could not reach the directory to even attempt credential validation — the user's password or OTP is never checked.

Environment

VIP Enterprise Gateway

Release: All supported versions

Cause

The Validation Server raises reason 6 when its first-factor LDAP module encounters a directory-connectivity error during one of the following operations:

LDAP Connection Cannot Be Established

This is the most frequent trigger. When VIP EG attempts to connect to the configured LDAP host and port, the connection is refused, times out, or the TLS handshake fails. The Validation Server logs a message similar to:

User Store [<store name>] is not accessible

All configured user-store connections — primary and any failover — must fail simultaneously for reason 6 to be returned. If at least one connection succeeds, authentication proceeds normally.

LDAP Search or User Lookup Error

After a successful bind, VIP EG searches the directory for the authenticating user. If the search itself returns a server-side error (as opposed to a clean "user not found" result), the gateway treats the directory as inaccessible and raises reason 6. This can happen when the Base DN is incorrect, the bind account lacks search permissions, or the LDAP server is overloaded and rejects the query.

Resolution

Before making configuration changes, enable DEBUG logging on the Validation Server, reproduce the issue, and collect the log file. The log entries will identify which user store is failing and why.

Step 1 — Verify Network Connectivity

From the VIP EG host, confirm that the LDAP port (389 or 636) is reachable on each configured directory server. A blocked firewall rule or incorrect hostname is the most common cause of reason 6.

Step 2 — Confirm Settings in the Configuration Console

Log in to the VIP EG Configuration Console. Navigate to User Stores and verify that the Host, Port, and Connection Type (SSL/TLS vs. plain-text) match the actual directory server. Use the built-in Test Connection button to confirm connectivity. If the test fails, either the bind credentials or the network path is at fault; fix the failing point before continuing.

Step 3 — Validate the SSL Certificate Trust Store

When SSL is enabled, VIP EG verifies the LDAP server's TLS certificate against its own trust store. If the issuing CA certificate is missing from that trust store, or has expired, the TLS handshake fails before any bind is attempted and the user store is reported as inaccessible.

Restart the Validation Server service after updating the trust store so the change takes effect.

Step 4 — Re-enter Bind Credentials

If the LDAP service account password has been changed by the directory team, or if the VIP EG encryption key has been rotated, the stored bind password will no longer work. Re-enter the bind user Distinguished Name and password via the Configuration Console (User Stores → Edit → Connection tab). The console re-encrypts the password and saves it immediately.

Step 5 — Increase the Connection Timeout

The default connection timeout is 2 seconds. In environments where the LDAP server is on a different network segment or WAN link, this value can expire before the domain controller responds. Increase the timeout to 5–10 seconds in the Configuration Console (User Stores → Edit → Advanced tab → Timeout) and restart the Validation Server.

Step 6 — Add a Failover User Store

If your Active Directory environment has multiple domain controllers, configure a second (failover) user store pointing to a different DC. VIP EG will automatically try the next store in sequence when the primary is unreachable, preventing reason 6 from surfacing to end users during a single DC outage. Add the failover store via the Configuration Console under User Stores → Add New.

Step 7 — Verify the Base DN and User Filter

A malformed Base DN or an incorrect user filter can cause the LDAP search to return a server-side error rather than a clean "user not found" response. VIP EG treats search errors as connectivity failures, which produces reason 6. Validate that the Base DN and filter return the expected results using an LDAP browser (for example, ADSI Edit on Windows or ldapsearch on Linux).

Step 8 — Check the Directory Server Health

Confirm that the target Active Directory or LDAP server is fully operational. Check the Windows Event Viewer (Directory Service log) or the system log for replication errors, NTDS service failures, or resource exhaustion. A domain controller under heavy load or in a degraded replication state may drop new connections, causing VIP EG to report the user store as inaccessible.
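Steps 1, 3 and 7, together with the DEBUG log review the Resolution opens with, can be driven from a shell on the VIP EG host or on any Linux host that shares its network path to the directory. The script below is an added example; it is not part of this article or of the VIP Enterprise Gateway product. It assumes the OpenLDAP client tools (ldapsearch) and openssl are installed. The host name, port, bind DN, password file, Base DN, CA bundle path and the account name jdoe are placeholders to replace with your own values, and the sample DEBUG log it writes is constructed, following only the one message format this article quotes.

```shell
#!/usr/bin/env bash
# Added reason 6 triage script (example only; not from the KB article or the product).
# Assumes OpenLDAP client tools and openssl. Every value below is a placeholder.
LDAP_HOST="${LDAP_HOST:-dc01.example.com}"                                 # placeholder
LDAP_PORT="${LDAP_PORT:-636}"
BIND_DN="${BIND_DN:-CN=svc-vipeg,OU=Service Accounts,DC=example,DC=com}"  # placeholder
BIND_PW_FILE="${BIND_PW_FILE:-/etc/vipeg/bind.pw}"   # placeholder; mode 0600, no trailing newline
BASE_DN="${BASE_DN:-DC=example,DC=com}"                                     # placeholder
CA_FILE="${CA_FILE:-/etc/vipeg/ldap-ca-chain.pem}"                          # placeholder

# Preamble: which store(s) are failing in the DEBUG log, and how often.
# Matches the "User Store [<store name>] is not accessible" message; prints "count store".
failing_stores() {
  sed -n 's/.*User Store \[\([^]]*\)\] is not accessible.*/\1/p' "$1" \
    | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Constructed sample log so the triage can be exercised offline. Only the bracketed message
# follows the format quoted in the article; the timestamp/level prefix is made up.
write_sample_log() {
  cat >"$1" <<'EOF'
2024-01-01 09:00:01 DEBUG User Store [AD-Primary] is not accessible
2024-01-01 09:00:01 DEBUG User Store [AD-Failover] is not accessible
2024-01-01 09:00:03 DEBUG User Store [AD-Primary] is not accessible
EOF
}

# Step 1: can the LDAP port be opened at all? bash's /dev/tcp with a 2 s limit, which
# mirrors the gateway's default connection timeout from Step 5.
check_port() {
  timeout 2 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Step 3: does the server certificate chain verify against the CA bundle the gateway trusts?
# -verify_return_error turns a missing or expired CA into a non-zero exit status.
check_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}

# Step 7: bind as the service account and search for one user, as the first-factor module
# does. Output is the matching DN(s); the exit status is the LDAP result code.
ldap_lookup() {
  local scheme="ldap"
  [ "$LDAP_PORT" = "636" ] && scheme="ldaps"
  LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -LLL -o nettimeout=5 \
    -H "$scheme://$LDAP_HOST:$LDAP_PORT" -D "$BIND_DN" -y "$BIND_PW_FILE" \
    -b "$BASE_DN" -s sub "(sAMAccountName=$1)" dn
}

# Interpret the result the way the gateway does. Codes are RFC 4511 LDAP result codes;
# OpenLDAP ldapsearch exits with the code, or 255 when it cannot contact the server at all.
# Only a clean 0 with no entries is a genuine "user not found"; anything else is what
# VIP EG reports as an inaccessible store and answers with reason 6.
classify_ldap_result() {
  local code="$1" entries="$2"
  case "$code" in
    0)     if [ "$entries" -gt 0 ]; then echo "found"; else echo "user-not-found"; fi ;;
    32)    echo "server-error: noSuchObject, Base DN does not exist on this server (Step 7)" ;;
    34)    echo "server-error: invalidDNSyntax, Base DN or bind DN is malformed (Step 7)" ;;
    49)    echo "bind-failure: invalidCredentials, re-enter bind DN and password (Step 4)" ;;
    50)    echo "server-error: insufficientAccessRights, bind account cannot search Base DN" ;;
    51|52) echo "server-error: busy/unavailable, directory overloaded or degraded (Step 8)" ;;
    255)   echo "connect-failure: cannot contact server, TCP or TLS problem (Steps 1 and 3)" ;;
    *)     echo "server-error: LDAP result code $code" ;;
  esac
}

# Walk the network-facing steps in order and stop at the first one that fails.
run_checks() {
  local user="${1:-jdoe}" out code entries   # jdoe is a placeholder account
  if ! check_port "$LDAP_HOST" "$LDAP_PORT"; then
    echo "Step 1 FAIL: $LDAP_HOST:$LDAP_PORT unreachable (firewall, DNS, or wrong host/port)"
    return 1
  fi
  echo "Step 1 OK: TCP connect to $LDAP_HOST:$LDAP_PORT"
  if [ "$LDAP_PORT" = "636" ]; then
    if ! check_tls "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE"; then
      echo "Step 3 FAIL: chain does not verify against $CA_FILE (missing or expired CA)"
      return 1
    fi
    echo "Step 3 OK: server certificate verifies against $CA_FILE"
  fi
  out=$(ldap_lookup "$user" 2>&1); code=$?
  entries=$(printf '%s\n' "$out" | grep -c '^dn:')
  echo "Step 7: $(classify_ldap_result "$code" "$entries") for $user"
}

# Opt in with RUN_CHECKS=1 ./reason6-triage.sh <sAMAccountName>; off by default so the
# functions can be sourced and used one at a time (e.g. failing_stores <debug.log>).
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  run_checks "$@"
fi
```

Run `failing_stores` against the collected DEBUG log first; if every configured store appears, the outage is common to all of them (network, firewall or trust store), whereas a single store points at that one DC or its configuration. Then run the checks with RUN_CHECKS=1 and a real sAMAccountName. The distinction in classify_ldap_result is the one the Cause section draws: a search that returns result code 0 with no entries is the directory saying "no such user" and proceeds to an ordinary authentication failure, while a result code of 32 from a wrong Base DN, or any other non-zero code, is a server-side error the gateway treats as an inaccessible store.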