Authentication requests sent from Virtual Systems (VS) to 3rd party authentication servers such as LDAP, RADIUS, etc failed.
When performing a tcpdump or fw monitor on the VS, you can see that the authentication requests are coming from the physical VSX gateway (VS0) instead of the intended VS.
From the authentication servers, you can see that the authentication is being rejected due to its coming from a different IP address of VS0 instead of the configured VS IP address as the authentication client.
This is intended behavior as the default configuration of a VS is to send all of the authentication requests using the IP address of its physical gateway/clusters.
In order to solve this, you can change the configuration from the SmartConsole as below:
VS Object → Other → Legacy Authentication → Authentication Servers Accessibility (including LDAP) → select Private (servers are accessible from this Virtual System)