
Sophos Firewall reported computer not sending heartbeat signals

Hi guys,

I'm desperate for some help. We have a Sophos XG which is kicking users off the network due to the PC not sending security heartbeats. The only way to resolve the issue is to reboot the endpoint. There's no consistency to the issue; it happens to random users at random times. I've checked the heartbeat log on one of the clients and get the below.

2021-08-17T08:45:51.073Z [15512: 456] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
2021-08-17T08:46:43.376Z [15512: 456] - Sending health status: {"health":3}
2021-08-17T08:46:51.240Z [15512: 456] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
2021-08-17T08:47:43.396Z [15512: 456] - Sending health status: {"health":3}

Cheers,

Josh



  • Is this the client's heartbeat log?

    Check /log/heartbeatd.log on your firewall for that time and heartbeat ID.

    Go to the log viewer, select Security Heartbeat and filter on the computer name from the mail you received.

    Today we had two occurrences here; the first looked to me like the computer changed from wired to wireless network or vice versa.

    2021-08-17 11:04:05 WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx
    2021-08-17 11:04:06 WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx
    2021-08-17 11:04:07 WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx
    2021-08-17 11:04:08 WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx
    2021-08-17 11:04:10 WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx
    2021-08-17 11:04:10 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>: <1> -> <3>
    2021-08-17 11:04:11 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>: <3> -> <1>
    2021-08-17 11:04:11 INFO EndpointStorage.cpp[23017]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>
    2021-08-17 11:04:11 INFO EpStateListBroker.cpp[23017]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx(192.168.52.96)
    2021-08-17 11:04:13 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    2021-08-17 11:04:15 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    2021-08-17 11:04:17 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    2021-08-17 11:04:17 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    2021-08-17 11:04:18 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    ...
    2021-08-17 11:04:27 WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification from garner for endpoint b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx which is not in lost state
    2021-08-17 11:04:45 INFO SacProcessor.cpp[23017]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-08-17 11:32:40 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>: <1> -> <3>
    2021-08-17 12:09:14 INFO EndpointStorage.cpp[23017]:165 endpoint_ip_cb - Ip address gets replaced for uuid <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>
    2021-08-17 12:09:14 INFO EndpointStorage.cpp[23017]:149 endpoint_timestamp_cb - Missing hearbeat timestamp gets replaced for uuid <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>
    2021-08-17 12:09:14 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>: <3> -> <4>
    2021-08-17 12:09:25 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx>: <4> -> <1>
    2021-08-17 12:09:25 INFO EpStateListBroker.cpp[23017]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx(192.168.xxx.xxx)
    2021-08-17 12:09:35 INFO ModuleStatus.cpp[23017]:138 processMessageStatus - Status request received from endpoint: b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx (192.168.xxx.xxx) health: 1

    The second was when a client renewed its IP.

    2021-08-17 13:18:03 INFO EndpointStorage.cpp[23017]:165 endpoint_ip_cb - Ip address gets replaced for uuid <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>
    2021-08-17 13:18:03 INFO EndpointStorage.cpp[23017]:149 endpoint_timestamp_cb - Missing hearbeat timestamp gets replaced for uuid <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>
    2021-08-17 13:18:03 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>: <3> -> <4>
    2021-08-17 13:26:43 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>: <4> -> <1>
    2021-08-17 13:26:43 INFO EndpointStorage.cpp[23017]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>
    2021-08-17 13:26:43 INFO EpStateListBroker.cpp[23017]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx(192.168.xxx.xxx)
    2021-08-17 13:26:48 INFO ModuleStatus.cpp[23017]:138 processMessageStatus - Status request received from endpoint: d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx (192.168.xxx.xxx) health: 3
    2021-08-17 13:28:17 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>: <1> -> <5>
    2021-08-17 13:28:19 INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>: <5> -> <1>
    2021-08-17 13:28:19 INFO EpStateListBroker.cpp[23017]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx(192.168.xxx.xxx)
    2021-08-17 13:28:34 INFO ModuleStatus.cpp[23017]:138 processMessageStatus - Status request received from endpoint: d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx (192.168.xxx.xxx) health: 1
    2021-08-17 13:53:27 INFO SacProcessor.cpp[23017]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <d67a499b-b1cc-4f9c-b023-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edgeupdate\134microsoftedgeupdate.exe
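To work through the firewall-side log that the reply above points at, here is an added Python helper (not Sophos code and not from either poster) that parses heartbeatd.log lines per endpoint UUID and summarises the symptoms visible in the excerpts: a burst of "endpoint ID already exists" rejections, connectivity state transitions, missing-heartbeat warnings, and IP or MAC-list replacement. It also extracts the health values from the client-side log quoted in the original post. The two line layouts are assumptions inferred from the quoted excerpts, the numeric connectivity states are treated as opaque integers because the thread does not define them, and the sample lines are copied from the thread with the redacted UUID suffix kept as posted.

```python
"""Triage helper for the heartbeat logs quoted in this thread.

Added example, not Sophos code. Assumptions: the firewall line layout
"<date> <time> <LEVEL> <file>[pid]:<line> <function> - <message>" and the
client line layout "<ISO time>Z [pid: tid] - Sending health status: {json}"
are inferred from the excerpts in the thread; the numeric connectivity
states are treated as opaque integers; message text is matched literally.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

FW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"(?P<src>\S+) (?P<func>\S+) - (?P<msg>.*)$"
)
# The thread redacts the last UUID group with x's, so allow them here.
UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-fx]{12}")
TRANSITION = re.compile(r"Connectivity changed for <[^>]+>: <(\d+)> -> <(\d+)>")
CLIENT_LINE = re.compile(r"^\S+Z \[[^\]]+\] - Sending health status: (?P<json>\{.*\})$")

# Message fragments (copied from the thread's excerpts) mapped to an event kind.
KINDS = [
    ("session from endpoint rejected", "rejected"),
    ("missing heartbeat notification", "missing_hb"),
    ("Ip address gets replaced", "ip_replaced"),
    ("Mac list gets replaced", "mac_replaced"),
]


def parse_fw_line(line):
    """Parse one heartbeatd.log line into an event dict; None if it does not match."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    u = UUID.search(msg)
    ev = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
          "level": m.group("level"), "func": m.group("func"),
          "uuid": u.group(0) if u else None, "msg": msg, "kind": "other"}
    t = TRANSITION.search(msg)
    if t:
        ev.update(kind="transition", src_state=int(t.group(1)), dst_state=int(t.group(2)))
    else:
        for fragment, kind in KINDS:
            if fragment in msg:
                ev["kind"] = kind
                break
    return ev


def has_burst(stamps, window, n):
    """True if n or more sorted timestamps fall inside one window of the given length."""
    return any(stamps[i + n - 1] - stamps[i] <= window for i in range(len(stamps) - n + 1))


def triage(lines, burst_window=timedelta(seconds=30), burst_min=3):
    """Summarise, per endpoint UUID, the symptoms visible in firewall heartbeatd.log lines."""
    per_ep = defaultdict(list)
    for line in lines:
        ev = parse_fw_line(line)
        if ev and ev["uuid"]:
            per_ep[ev["uuid"]].append(ev)
    report = {}
    for uuid, evs in per_ep.items():
        evs.sort(key=lambda e: e["ts"])  # stable, so same-second order is preserved
        report[uuid] = {
            "transitions": [(e["src_state"], e["dst_state"]) for e in evs if e["kind"] == "transition"],
            # Several 'endpoint ID already exists' rejections in quick succession mean a
            # second session for the same endpoint ID arrived while the first was still pinned.
            "rejected_burst": has_burst([e["ts"] for e in evs if e["kind"] == "rejected"],
                                        burst_window, burst_min),
            "missing_heartbeat_warnings": sum(e["kind"] == "missing_hb" for e in evs),
            "ip_replaced": any(e["kind"] == "ip_replaced" for e in evs),
            "mac_replaced": any(e["kind"] == "mac_replaced" for e in evs),
        }
    return report


def client_health_sequence(lines):
    """Return the 'health' values reported by client-side heartbeat log lines, in order."""
    seq = []
    for line in lines:
        m = CLIENT_LINE.match(line.strip())
        if m:
            seq.append(json.loads(m.group("json"))["health"])
    return seq


# Sample input: lines copied from this thread (UUID redaction kept as posted).
EP = "b08b42d6-29f5-49c2-9cf2-xxxxxxxxxxxx"
REJ = ("WARN HBSessionHandler.cpp[23017]:123 findPinnedEndpointIdentity - session from "
       f"endpoint rejected, because the endpoint ID already exists: {EP}")
MISS = ("WARN GarnerEventHandler.cpp[23017]:56 update - got missing heartbeat notification "
        f"from garner for endpoint {EP} which is not in lost state")


def _conn(a, b):
    return f"INFO EndpointStorage.cpp[23017]:114 endpoint_connectivity_cb - Connectivity changed for <{EP}>: <{a}> -> <{b}>"


SAMPLE_FW = [
    f"2021-08-17 11:04:05 {REJ}", f"2021-08-17 11:04:06 {REJ}", f"2021-08-17 11:04:07 {REJ}",
    f"2021-08-17 11:04:08 {REJ}", f"2021-08-17 11:04:10 {REJ}",
    f"2021-08-17 11:04:10 {_conn(1, 3)}", f"2021-08-17 11:04:11 {_conn(3, 1)}",
    f"2021-08-17 11:04:11 INFO EndpointStorage.cpp[23017]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <{EP}>",
    f"2021-08-17 11:04:13 {MISS}", f"2021-08-17 11:04:15 {MISS}", f"2021-08-17 11:04:17 {MISS}",
    "    ...",  # elision marker as it appears in the thread; skipped by the parser
    f"2021-08-17 11:32:40 {_conn(1, 3)}",
    f"2021-08-17 12:09:14 INFO EndpointStorage.cpp[23017]:165 endpoint_ip_cb - Ip address gets replaced for uuid <{EP}>",
    f"2021-08-17 12:09:14 {_conn(3, 4)}", f"2021-08-17 12:09:25 {_conn(4, 1)}",
]
SAMPLE_CLIENT = [
    '2021-08-17T08:45:51.073Z [15512: 456] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}',
    '2021-08-17T08:46:43.376Z [15512: 456] - Sending health status: {"health":3}',
    '2021-08-17T08:46:51.240Z [15512: 456] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}',
    '2021-08-17T08:47:43.396Z [15512: 456] - Sending health status: {"health":3}',
]

if __name__ == "__main__":
    for uuid, summary in triage(SAMPLE_FW).items():
        print(uuid, summary)
    print("client health sequence:", client_health_sequence(SAMPLE_CLIENT))
```

Feed it the heartbeatd.log lines around the time of the alert mail, filtered on the heartbeat ID as the reply suggests. A rejected burst followed by a MAC-list replacement matches the first case the reply describes (a change of network interface), while an IP replacement with no rejections matches the DHCP renewal case; the client-side sequence shows whether the endpoint itself was alternating its reported health value, as in the original post.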
    

