What to check when IWA health check is failing ?


Article ID: 167375


Updated On:


ProxySG Software - SGOS


1. Check whether ProxySG is configured to communicate with the server running BCAAA via an IP address or a hostname in the Authentication > IWA > Servers tab.

    If a hostname is configured: Check if your internal DNS server (which the ProxySG points to) can resolve to the hostname to an accessible IP address 

       a. Refer to  000008055 to check if DNS server is able to resolve to the BCAAA IP address.

       b. Check the DNS server to determine if the BCAAA server hostname fails to resolve to the correct IP address.

    if pointed via IP address: Start a PCAP on ProxySG, filtered on the BCAAA IP address, (host, replacing the IP address with that of the BCAAA server) then run a health check to further determine the issue. (See steps below)

        a. In Management console, navigate to Maintenance - Service Information - Packet capture 

        b. Apply the following filter and start capture with option "capture all matching packets"
               Ip host <BCAAA IP>

        c. Run BCAAA health check by selecting the failed IWA health check entry and click on "Perform health check" from Managment console - Configuration - Health Checks - General

        d. Stop packet capture once you see health check failure error as below

Tips. Look for signs of requests not having any response in the PCAP to further determine the issue.

2. Check if packets from ProxySG to BCAAA server are reachable and vice versa (run PCAP to find out) 

3. Check if BCAAA service is turned on. (look for BCAAA in output from command services.msc issued in "start" - "run")