Guidance on troubleshooting a BCAAA health check failure

1. Check whether Edge SWG (ProxySG) is configured to communicate with the server running BCAAA via an IP address or a hostname in the Authentication > IWA > Servers tab.

    If a hostname is configured: Check if your internal DNS server (which the Edge SWG points to) can resolve to the hostname to an accessible IP address 

       a. Refer to Basic DNS Troubleshooting in Edge SWG to check if DNS server is able to resolve to the BCAAA IP address.

       b. Check the DNS server to determine if the BCAAA server hostname fails to resolve to the correct IP address.

    if pointed via IP address: Start a PCAP on Edge SWG, filtered on the BCAAA IP address, (host ###.###.###.###, replacing the #s with the IP of the BCAAA server) then run a health check to further determine the issue. (See steps below)

        a. In Management console, navigate to Maintenance - Service Information - Packet capture 

        b. Apply the following filter and start capture with option "capture all matching packets"
               Ip host <BCAAA IP>

        c. Run BCAAA health check by going to Administration > Health Checks & Monitoring > Health Checks and click on "Perform health check" under the Actions column.

        d. Stop packet capture once you see health check failure

Tips. Look for signs of requests not having any response in the PCAP to further determine the issue.

2. Check if packets from Edge SWG to BCAAA server are reachable and vice versa (run PCAP to find out) 

3. Check if BCAAA service is turned on. (look for BCAAA in output from command services.msc issued in "start" - "run")