Troubleshooting steps for failed authentication health checks

Article ID: 175348

Updated On: 02-10-2025

Products

ProxySG Software - SGOS

Issue/Introduction

Health checks for the authentication realms are showing "Check Failed" or "Health check has failed"

Depending on where you are in the GUI, you will see:

Health check has failed

or

Check failed

In the eventlog you may see errors similar to:

2019-07-05 15:50:14+01:00BST  "Schannel (reralm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com"  0 250042:1  lw_schannel.cpp:829
2019-07-05 15:50:14+01:00BST  "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'user' (domain DomainName) - user considered 'unknown'"  0 250017:96  lw_schannel.cpp:609

Note: Having many failed authentication connections can also lead to reaching Maximum concurrent connections as well as other Edge SWG (ProxySG) bottlenecks.

Environment

IWA Direct set up with Kerberos and/or NTLM.

This article will also help with BCAAA authentication realms.

Cause

Typically these errors are due to connectivity issues, either physical (a firewall blocking traffic, or the DC being unreachable) or logical, such as DNS problems or Edge SWG (ProxySG) configuration errors.

It's important to note that authentication health checks assess the realm's health using data maintained by the realm during active use.

Authentication health checks do not probe the authentication server with an authentication request.

See Authentication health check failure for more details.

As such, running pcaps while performing an authentication health check will not help diagnose the issue; capture traffic while real authentication traffic (or the realm's "Test Configuration" action) is flowing instead.

Resolution

Things to check include:

  1. Check the configuration of the realm. This is especially important if this is the first time the realm has been configured.

  2. Confirm the Edge SWG (ProxySG) has access to the network where the authentication servers reside.

  3. Check for errors in the eventlog.

  4. Go to "Configuration > Realms and Domains", click the realm in question in the list, and then click "Test Configuration". If this returns an error, run the same test while capturing a PCAP on the Edge SWG (ProxySG), using as filters the IP address(es) of the integrated authentication servers (for IWA_Direct) or the IP address of the BCAAA server (for IWA_BCAAA), together with the relevant listening ports. Ensure the user you are testing with actually exists in the realm and is active.

  5. Additionally, with BCAAA, you may collect and check the following data:
    • The BCAAA debug log.

    • The exported BCAAA application log from the Event Viewer on the BCAAA server. This data will include unique BCAAA message IDs, which can be interpreted using the guidance in the Tech Article at the URL below.
      BCAAA Event ID Explanations
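To make step 3 concrete, here is an added Python example (not code from the article or from Broadcom) that parses eventlog lines in the format quoted in the Issue section above, counts Schannel resets per realm and DC and authentication failures per Win32 error code, and maps error 9502 (DNS_ERROR_BAD_PACKET, the code in the article's sample) to the DNS check the article recommends. The sample log lines are constructed; the realm, DC and user names are placeholders, and the regular expressions are an assumption about the line layout based only on the two lines shown above.

```python
import re
from collections import Counter

# Constructed sample eventlog excerpt in the layout shown in the article.
# Realm, DC and user names are placeholders, not real data.
SAMPLE_EVENTLOG = """\
2019-07-05 15:50:14+01:00BST  "Schannel (realm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com"  0 250042:1  lw_schannel.cpp:829
2019-07-05 15:50:14+01:00BST  "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'user' (domain DomainName) - user considered 'unknown'"  0 250017:96  lw_schannel.cpp:609
2019-07-05 15:50:20+01:00BST  "Schannel (realm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com"  0 250042:1  lw_schannel.cpp:829
2019-07-05 15:51:02+01:00BST  "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'alice' (domain DomainName) - user considered 'unknown'"  0 250017:96  lw_schannel.cpp:609
2019-07-05 15:52:30+01:00BST  "Some unrelated informational message"  0 0:0  other.cpp:1
"""

# Win32 error code shown in the article's sample line (DNS_ERROR_BAD_PACKET).
DNS_ERROR_BAD_PACKET = 9502

# Outer line layout (assumed from the sample): timestamp, quoted message, then trailing fields.
LINE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2} \S+)\s+"(?P<msg>.*)"\s+\d+\s+\S+\s+(?P<src>\S+)$')
RESET_RE = re.compile(
    r'^Schannel \((?P<realm>[^)]+)\): Resetting Schannel due to error: '
    r'(?P<code>0x[0-9A-Fa-f]+)\((?P<dec>-?\d+)\), DC: (?P<dc>\S+)$')
FAIL_RE = re.compile(
    r"^Authentication failed with (?P<code>\d+) \((?P<hex>0x[0-9A-Fa-f]+)\) "
    r"\(symbol: '(?P<symbol>[^']*)'\): user '(?P<user>[^']*)' \(domain (?P<domain>[^)]+)\)")


def parse_events(text):
    """Return a list of dicts for the two message types the article shows; other lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        r = RESET_RE.match(msg)
        if r:
            events.append({"kind": "schannel_reset", "ts": ts, "realm": r.group("realm"),
                           "code": r.group("code"), "dc": r.group("dc")})
            continue
        f = FAIL_RE.match(msg)
        if f:
            events.append({"kind": "auth_failed", "ts": ts, "code": int(f.group("code")),
                           "symbol": f.group("symbol"), "user": f.group("user"),
                           "domain": f.group("domain")})
    return events


def summarize(events):
    """Count resets per (realm, dc, code) and failures per (win32 code, symbol text)."""
    resets = Counter((e["realm"], e["dc"], e["code"]) for e in events if e["kind"] == "schannel_reset")
    failures = Counter((e["code"], e["symbol"]) for e in events if e["kind"] == "auth_failed")
    return {"schannel_resets": dict(resets), "auth_failures": dict(failures)}


def triage(summary):
    """Map each counted error onto the article's checks (DNS vs. connectivity/configuration)."""
    hints = []
    for (code, symbol), n in summary["auth_failures"].items():
        if code == DNS_ERROR_BAD_PACKET:
            hints.append(f"{n} failure(s) with error {code} ({symbol}): "
                         "check DNS resolution of the DC and realm names from the proxy")
        else:
            hints.append(f"{n} failure(s) with error {code} ({symbol}): "
                         "check realm configuration and network reachability")
    for (realm, dc, code), n in summary["schannel_resets"].items():
        hints.append(f"{n} Schannel reset(s) for realm '{realm}' against DC {dc} (error {code}): "
                     "confirm the DC is reachable from the proxy and no firewall blocks it")
    return hints


if __name__ == "__main__":
    for hint in triage(summarize(parse_events(SAMPLE_EVENTLOG))):
        print(hint)
```

Paste an eventlog export in place of the constructed sample to get a per-realm, per-DC count; repeated resets against a single DC point at reachability of that host (step 2), while a DNS error code points at name resolution on the proxy.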

Contact Broadcom Technical Support if you have further related queries or require additional checks.