Health checks for the authentication realms are showing "Check Failed" or "Health check has failed"
Depending on where you are in the GUI you will see
Health check has failed
or
Check failed
In the eventlog you may see errors similar to
2019-07-05 15:50:14+01:00BST "Schannel (reralm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com" 0 250042:1 lw_schannel.cpp:829
2019-07-05 15:50:14+01:00BST "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'user' (domain DomainName) - user considered 'unknown'" 0 250017:96 lw_schannel.cpp:609
Note: Having many failed authentication connections can also lead to reaching Maximum concurrent connections as well as other Edge SWG (ProxySG) bottlenecks.
IWA direct set up with either Kerberos and/or NTLM
This article will also help with BCAAA authentication realms
Typically these errors are due to connectivity issues, either physical (firewall blocking or DC unreachable) or logical errors such as DNS issues or Edge SWG (ProxySG) configuration issues
It's important to note that authentication health checks assess the realm's health using data maintained by the realm during active use.
Authentication health checks do not probe the authentication server with an authentication request.
See Authentication health check failure for more details
As such running pcaps while performing an authentication health check will not help diagnose the issue.
Things to check include
Contact Broadcom Technical Support, if you have further related queries, or require additional checks.