NetScaler is not an LDAP server or port '636' is not a LDAP port

NetScaler LDAP fails with either ‘x.x.x.x’ is not an LDAP server or port ‘636’ is not a LDAP port.

Issue Overview

You may encounter the following error message when configuring LDAP load balancing on a NetScaler.

Server 'x.x.x.x' is reachable. port '636/tcp' is open. Either 'x.x.x.x' is not an LDAP server or port '636' is not a LDAP port.

The most likely cause is that you have configured a load-balancing virtual server for one or more LDAP servers and attached an LDAP monitor that uses the nsldap.pl script.

This monitor uses the NetScaler management IP (NSIP) to connect to the LDAP servers and verify that the service is available.
Credit to Carl Stalhood for mentioning this behaviour and the option to use the SNIP.

If the NSIP can reach the LDAP servers, the monitor succeeds, so the load-balanced virtual server displays as UP when you view its status.

However, when you test connectivity from the Authentication Dashboard, you receive the error above.

Troubleshooting

Although the monitor uses the NSIP, the virtual server uses the Subnet IP (SNIP) for traffic. You therefore need to ensure that the SNIP can reach the LDAP servers on TCP port 636.

A quick way to test whether the SNIP has access to the LDAP servers is to unbind the LDAP monitor and check whether the server is still UP.

Server is a valid LDAP server
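The error text separates three states (server reachable, port open, speaks LDAP), and the outcome depends on which source address the connection leaves from. The Python sketch below is an added example, not part of the original post and not Citrix's nsldap.pl; it runs that three-stage check from a chosen source address using an anonymous bind. The function names are hypothetical, and it assumes a test host that owns the source address you pass (for example, one in the SNIP's subnet and subject to the same firewall rules).

```python
import socket
import ssl

# Anonymous simple BindRequest (LDAPv3, messageID 1), BER-encoded. No credentials.
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

def _tlv(buf, pos):
    """Read one BER header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, which Active Directory emits
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def bind_result_code(data):
    """Return the LDAP resultCode if data starts with a BindResponse, else None."""
    try:
        seq, pos, _ = _tlv(data, 0)        # LDAPMessage SEQUENCE
        mid, _, pos = _tlv(data, pos)      # messageID INTEGER
        op, pos, _ = _tlv(data, pos)       # [APPLICATION 1] BindResponse
        rc, start, end = _tlv(data, pos)   # resultCode ENUMERATED
    except IndexError:                     # truncated or non-BER input
        return None
    if (seq, mid, op, rc) != (0x30, 0x02, 0x61, 0x0A) or not start < end <= len(data):
        return None
    return int.from_bytes(data[start:end], "big")

def probe_ldaps(server, source_ip, port=636, timeout=5):
    """Classify server:port as seen from source_ip (must be local to this host)."""
    try:
        raw = socket.create_connection((server, port), timeout, (source_ip, 0))
    except OSError:
        return "unreachable from " + source_ip
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # reachability probe by IP address only;
    ctx.verify_mode = ssl.CERT_NONE  # nothing secret is sent over this session
    try:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(BIND_REQUEST)
            code = bind_result_code(tls.recv(4096))
    except OSError:                  # ssl.SSLError and timeouts are OSErrors
        return "port open, but no TLS/LDAP answer"
    return "port open, not LDAP" if code is None else f"LDAP, resultCode {code}"
```

Running `probe_ldaps` once with an address in the NSIP's network and once with an address in the SNIP's network shows whether a firewall rule permits only the former.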

References

Domain Controller (LDAPS) Load Balancing

Configure to source NetScaler FreeBSD data traffic from a SNIP address