No heartbeat sessions - SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error

At a small remote site, there is an XG HA pair. Since Aug 22, Heartbeat is no longer working there.


XG106_XN01_SFOS 18.0.5 MR-5-Build586


We received an informational mail on the same day (Aug 22):


Sun 22.08.2021 02:11
You are receiving this auto-generated message from Sophos Notification system to inform you about your Sophos Security Heartbeat server certificate was about to expire but had been successfully refreshed.

In heartbeatd.log I see only SSL errors since Aug 22.

2021-08-23 10:41:09 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:41:15 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:41:15 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.22 failed. SSL error:
2021-08-23 10:41:24 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0

I've already re-registered the nodes to Central, so the heartbeat service restarted. No luck.
Same with a restart of both nodes. The SSL errors remain in the heartbeatd.log and the clients there are denied all traffic because of no heartbeat...
I think this is due to clients using a wrong certificate. Just a thought though.

Any idea?

2021-08-21 07:34:39 INFO EpStateListBroker.cpp[12886]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41(xxx.xxx.xxx.21)
2021-08-21 07:34:41 WARN GarnerEventHandler.cpp[12886]:56 update - got missing heartbeat notification from garner for endpoint xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 which is not in lost state
2021-08-21 07:34:42 INFO ModuleStatus.cpp[12886]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 (xxx.xxx.xxx.21) health: 1
2021-08-21 07:34:43 WARN GarnerEventHandler.cpp[12886]:56 update - got missing heartbeat notification from garner for endpoint xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 which is not in lost state
2021-08-21 07:34:43 WARN GarnerEventHandler.cpp[12886]:56 update - got missing heartbeat notification from garner for endpoint xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 which is not in lost state
2021-08-21 07:34:45 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:34:52 INFO SacProcessor.cpp[12886]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>, Application path :C:\134program files (x86)\134microsoft\134edgeupdate\134microsoftedgeupdate.exe
2021-08-21 07:35:11 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:35:15 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:35:18 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:36:22 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:40:19 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:40:19 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:45:19 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:45:20 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:47:06 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:47:28 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 07:50:19 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:50:20 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:55:20 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:55:21 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 07:59:26 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 08:05:19 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 08:11:47 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 08:20:20 WARN Path.cpp[12886]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
2021-08-21 08:21:34 INFO EndpointStorage.cpp[12886]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>: <1> -> <3>
2021-08-21 08:32:33 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 09:17:37 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 10:02:41 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 10:47:46 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 11:32:50 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 12:17:55 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 13:02:59 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 13:48:04 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 14:33:08 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 15:18:12 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 16:03:16 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 16:48:21 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 17:33:24 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 18:18:30 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 19:03:34 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 19:48:38 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 20:33:42 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 21:18:49 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 22:03:53 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 22:48:56 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-21 23:34:01 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 00:19:04 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 01:04:09 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 01:49:12 INFO GarnerEventReader.cpp[12886]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 02:10:34 INFO HbdModuleBuilder.cpp[12886]:298 operator() - Got SIGNAL so daemon is going to stop
2021-08-22 02:10:34 INFO HbdModuleBuilder.cpp[12886]:146 intializeAndRunHbd - Heartbeat daemon halted
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:197 initLogger - Word size of architecture: 64
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:198 initLogger - Heartbeat daemon build time: 11:45:59 Apr 23 2021
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:95 intializeAndRunHbd - Heartbeat daemon starting
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:106 intializeAndRunHbd - Maximum connected clients: 10000
2021-08-22 02:10:38 INFO EndpointStorage.cpp[1120]:41 EndpointStorage - Working with persistent endpoint storage
2021-08-22 02:10:38 INFO EndpointStorage.cpp[1120]:43 EndpointStorage - Calling EndpointStorageBackend::get_all_endpoints
2021-08-22 02:10:38 INFO ModuleSacFirst.cpp[1120]:70 ModuleSacFirst - Using ModuleSacFirst
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:121 intializeAndRunHbd - Heartbeat daemon running
2021-08-22 02:10:38 INFO MissingDelayValues.cpp[1120]:33 dbCallbackMissingDelayDetection - Missing delay detection :60
2021-08-22 02:10:38 INFO MissingDelayValues.cpp[1120]:50 dbCallbackMissingDelayToCentral - Missing delay to central :0
2021-08-22 02:10:38 INFO JsonRpcResponseMissingHeartbeatCentral.cpp[1120]:59 setMissingHeartbeatCentralDelay - suppress missing heartbeat to central delay: 0
2021-08-22 02:10:38 INFO JsonRpcResponseMissingHeartbeat.cpp[1120]:56 setMissingHeartbeatDelay - missing heartbeat delay :60
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:486 dropPrivileges - Privdrop to uid 5 with gid 1007 successful
2021-08-22 02:10:38 INFO HbdModuleBuilder.cpp[1120]:489 dropPrivileges - reduced capabilities: effective=dac_override, net_admin, sys_ptrace, sys_resource, permitted=dac_override, net_admin, sys_ptrace, sys_resource
2021-08-22 02:10:39 INFO HbdModuleBuilder.cpp[1120]:521 sendHeartbeatReadyOpcode - heartbeat_ready opcode sent.
2021-08-22 02:10:39 INFO ModuleSacFirst.cpp[1120]:110 handOverEacState - Send EacSwitchRequest to all directly connected endpoints (state=1)
2021-08-22 02:34:16 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 03:19:21 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 04:04:25 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 04:49:30 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 05:34:35 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 06:19:39 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 07:04:43 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 07:49:49 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 08:34:54 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 09:19:57 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 10:05:02 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 10:50:08 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 11:35:11 WARN GarnerEventReader.cpp[1120]:118 acceptConnectionHandler - Garner plugin is already connected! Closing current connection.
2021-08-22 11:35:11 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 12:02:43 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:02:43 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:02:58 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:02:58 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:03:13 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:03:13 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:03:28 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:03:28 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:03:43 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:03:43 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:03:58 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:03:58 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:04:13 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:04:13 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:04:28 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:04:28 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:04:43 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:04:44 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:04:59 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:04:59 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:05:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:05:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:06:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:06:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:07:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:07:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:08:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:08:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:09:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:09:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:10:14 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 12:10:14 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 12:20:15 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 13:05:19 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 13:50:23 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 14:35:26 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 15:20:31 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 16:05:35 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 16:50:39 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 17:35:43 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 18:20:49 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 19:05:53 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 19:50:58 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 20:03:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:03:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:04:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:04:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:05:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:05:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:06:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:06:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:07:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:07:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:08:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:08:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:09:16 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:09:16 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:10:17 INFO HBSessionHandler.cpp[1120]:108 removeDirtySessions - Number of sessions: 0
2021-08-22 20:10:17 WARN HBSession.cpp[1120]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
2021-08-22 20:36:03 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
2021-08-22 21:21:08 INFO GarnerEventReader.cpp[1120]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
...
...
2021-08-23 10:31:39 WARN HBSession.cpp[29605]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.22 failed. SSL error:
2021-08-23 10:32:17 INFO HBSessionHandler.cpp[29605]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:32:17 WARN HBSession.cpp[29605]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:32:39 INFO HBSessionHandler.cpp[29605]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:32:39 WARN HBSession.cpp[29605]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.22 failed. SSL error:
2021-08-23 10:32:40 INFO ModuleSacFirst.cpp[29605]:110 handOverEacState - Send EacSwitchRequest to all directly connected endpoints (state=0)
2021-08-23 10:32:40 INFO HbdModuleBuilder.cpp[29605]:298 operator() - Got SIGNAL so daemon is going to stop
2021-08-23 10:32:40 INFO HbdModuleBuilder.cpp[29605]:146 intializeAndRunHbd - Heartbeat daemon halted
2021-08-23 10:40:14 INFO HbdModuleBuilder.cpp[30380]:197 initLogger - Word size of architecture: 64
2021-08-23 10:40:14 INFO HbdModuleBuilder.cpp[30380]:198 initLogger - Heartbeat daemon build time: 11:45:59 Apr 23 2021
2021-08-23 10:40:14 INFO HbdModuleBuilder.cpp[30380]:95 intializeAndRunHbd - Heartbeat daemon starting
2021-08-23 10:40:14 INFO HbdModuleBuilder.cpp[30380]:106 intializeAndRunHbd - Maximum connected clients: 10000
2021-08-23 10:40:15 INFO EndpointStorageBackend.cpp[30380]:523 create_endpoint_storage_db - Created a new Endpoint Storage database
2021-08-23 10:40:15 INFO EndpointStorage.cpp[30380]:41 EndpointStorage - Working with persistent endpoint storage
2021-08-23 10:40:15 INFO EndpointStorage.cpp[30380]:43 EndpointStorage - Calling EndpointStorageBackend::get_all_endpoints
2021-08-23 10:40:15 INFO ModuleSacFirst.cpp[30380]:70 ModuleSacFirst - Using ModuleSacFirst
2021-08-23 10:40:15 INFO HbdModuleBuilder.cpp[30380]:121 intializeAndRunHbd - Heartbeat daemon running
2021-08-23 10:40:15 INFO MissingDelayValues.cpp[30380]:33 dbCallbackMissingDelayDetection - Missing delay detection :60
2021-08-23 10:40:15 INFO MissingDelayValues.cpp[30380]:50 dbCallbackMissingDelayToCentral - Missing delay to central :0
2021-08-23 10:40:15 INFO JsonRpcResponseMissingHeartbeatCentral.cpp[30380]:59 setMissingHeartbeatCentralDelay - suppress missing heartbeat to central delay: 0
2021-08-23 10:40:15 INFO JsonRpcResponseMissingHeartbeat.cpp[30380]:56 setMissingHeartbeatDelay - missing heartbeat delay :60
2021-08-23 10:40:15 INFO HbdModuleBuilder.cpp[30380]:486 dropPrivileges - Privdrop to uid 5 with gid 1007 successful
2021-08-23 10:40:15 INFO HbdModuleBuilder.cpp[30380]:489 dropPrivileges - reduced capabilities: effective=dac_override, net_admin, sys_ptrace, sys_resource, permitted=dac_override, net_admin, sys_ptrace, sys_resource
2021-08-23 10:40:16 INFO HbdModuleBuilder.cpp[30380]:521 sendHeartbeatReadyOpcode - heartbeat_ready opcode sent.
2021-08-23 10:40:16 INFO ModuleSacFirst.cpp[30380]:110 handOverEacState - Send EacSwitchRequest to all directly connected endpoints (state=1)
2021-08-23 10:40:17 INFO ModuleSacFirst.cpp[30380]:110 handOverEacState - Send EacSwitchRequest to all directly connected endpoints (state=1)
2021-08-23 10:40:38 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:40:39 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:40:54 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:40:54 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:41:00 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:41:00 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.22 failed. SSL error:
2021-08-23 10:41:09 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:41:09 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:41:15 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0
2021-08-23 10:41:15 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.22 failed. SSL error:
2021-08-23 10:41:24 INFO HBSessionHandler.cpp[30380]:108 removeDirtySessions - Number of sessions: 0



  • If the appliance renewed the certificate, the endpoint has to do the same. Seems like the endpoint cannot do this? Check on the endpoint whether MCS etc. is reachable.

  • Thank you. Yes, MCS is not working.

    This is all blocked by the firewall currently.

    Thought there is a default built-in rule always allowing this traffic. Still searching...

    That's on the client in heartbeat.log. This one was offline for some weeks for holidays, but there are others in the office that were online last week and have the same issue.

    a 2021-07-29T08:08:21.468Z [4132:5572] - Received request to enable enhanced application control
    a 2021-07-29T08:08:21.468Z [4132:5572] - Sending endpoint state list request
    a 2021-07-29T08:08:21.469Z [4132:5572] - Received response to endpoint state list request, size: 0
    a 2021-07-29T08:08:21.469Z [4132:5572] - Sending login status.
    a 2021-07-29T08:08:21.619Z [4132:5572] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
    a 2021-07-29T08:09:00.769Z [4132:5068] - ----------------------------------------------------------------------------------------------------
    a 2021-07-29T08:09:00.769Z [4132:5068] - Stopped Heartbeat
    a 2021-07-29T08:09:00.769Z [4132:5068] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:33:42.831Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:33:42.832Z [4408:5320] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T05:33:42.832Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T05:33:43.207Z [4408:5928] - TLS authentication failed after connecting.
    a 2021-08-23T05:37:26.825Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:37:26.825Z [4408:5320] - Stopped Heartbeat
    a 2021-08-23T05:37:26.826Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:38:16.050Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:38:16.050Z [3844:4952] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T05:38:16.050Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T05:38:16.161Z [3844:5560] - TLS authentication failed after connecting.
    a 2021-08-23T08:14:20.987Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:14:20.988Z [3844:4952] - Stopped Heartbeat
    a 2021-08-23T08:14:20.988Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:15:08.441Z [4344:5088] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:15:08.442Z [4344:5088] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T08:15:08.442Z [4344:5088] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T08:15:08.701Z [4344:5548] - TLS authentication failed after connecting.
    a 2021-08-23T08:34:01.016Z [4344:5548] - Connection failed.
    e 2021-08-23T08:41:01.080Z [4344:5548] - TLS authentication failed after connecting.
    a 2021-08-23T09:03:50.494Z [4344:5548] - Connection failed.
    e 2021-08-23T09:04:05.596Z [4344:5548] - TLS authentication failed after connecting.

Reply
  • thank you. yes, MCS is not working

    this is all blocked by firewall currently.

    Thought there is a default built-in rule always allowing this traffic. Still searching...

    that's on the client in heartbeat.log. This one was offline for some weeks for holidays. but there are other in office that were online last week and have the same issue.

    a 2021-07-29T08:08:21.468Z [4132:5572] - Received request to enable enhanced application control
    a 2021-07-29T08:08:21.468Z [4132:5572] - Sending endpoint state list request
    a 2021-07-29T08:08:21.469Z [4132:5572] - Received response to endpoint state list request, size: 0
    a 2021-07-29T08:08:21.469Z [4132:5572] - Sending login status.
    a 2021-07-29T08:08:21.619Z [4132:5572] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
    a 2021-07-29T08:09:00.769Z [4132:5068] - ----------------------------------------------------------------------------------------------------
    a 2021-07-29T08:09:00.769Z [4132:5068] - Stopped Heartbeat
    a 2021-07-29T08:09:00.769Z [4132:5068] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:33:42.831Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:33:42.832Z [4408:5320] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T05:33:42.832Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T05:33:43.207Z [4408:5928] - TLS authentication failed after connecting.
    a 2021-08-23T05:37:26.825Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:37:26.825Z [4408:5320] - Stopped Heartbeat
    a 2021-08-23T05:37:26.826Z [4408:5320] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:38:16.050Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T05:38:16.050Z [3844:4952] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T05:38:16.050Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T05:38:16.161Z [3844:5560] - TLS authentication failed after connecting.
    a 2021-08-23T08:14:20.987Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:14:20.988Z [3844:4952] - Stopped Heartbeat
    a 2021-08-23T08:14:20.988Z [3844:4952] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:15:08.441Z [4344:5088] - ----------------------------------------------------------------------------------------------------
    a 2021-08-23T08:15:08.442Z [4344:5088] - Starting Heartbeat version 1.11.194.0
    a 2021-08-23T08:15:08.442Z [4344:5088] - ----------------------------------------------------------------------------------------------------
    e 2021-08-23T08:15:08.701Z [4344:5548] - TLS authentication failed after connecting.
    a 2021-08-23T08:34:01.016Z [4344:5548] - Connection failed.
    e 2021-08-23T08:41:01.080Z [4344:5548] - TLS authentication failed after connecting.
    a 2021-08-23T09:03:50.494Z [4344:5548] - Connection failed.
    e 2021-08-23T09:04:05.596Z [4344:5548] - TLS authentication failed after connecting.

  • This is now working again after manually creating a new firewall rule on XG to allow all communication to Sophos Central domains* through 80/443 and/or the Security Heartbeat port. This is what we've already had at HQ XG but not on the remote site's XG.

    When the Sophos Client started an update after the rule existed, its own heartbeat was working again after a reboot of the client.

    2021-08-23 14:09:29 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
    2021-08-23 14:10:29 INFO HBSessionHandler.cpp[10059]:108 removeDirtySessions - Number of sessions: 2
    2021-08-23 14:10:29 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
    2021-08-23 14:11:29 INFO HBSessionHandler.cpp[10059]:108 removeDirtySessions - Number of sessions: 2
    2021-08-23 14:11:29 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
    2021-08-23 14:12:29 INFO HBSessionHandler.cpp[10059]:108 removeDirtySessions - Number of sessions: 2
    2021-08-23 14:12:29 INFO HBSessionHandler.cpp[10059]:135 findPinnedEndpointIdentity - Number of sessions: 3
    2021-08-23 14:12:29 INFO HBSession.cpp[10059]:502 logNewSession - New Session: [xxx.xxx.xxx.21]:31176 connected
    2021-08-23 14:12:29 INFO EndpointStorage.cpp[10059]:84 new_endpoint_cb - Storing new Endpoint with uuid: <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>
    2021-08-23 14:12:29 INFO EndpointStorage.cpp[10059]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>: <0> -> <1>
    2021-08-23 14:12:29 INFO ModuleSacFirst.cpp[10059]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=xxx.xxx.xxx.21)
    2021-08-23 14:12:29 INFO EndpointStorage.cpp[10059]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>
    2021-08-23 14:12:29 INFO EpStateListBroker.cpp[10059]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41(xxx.xxx.xxx.21)
    2021-08-23 14:12:43 INFO ModuleStatus.cpp[10059]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 (xxx.xxx.xxx.21) health: 1
    2021-08-23 14:13:37 WARN Path.cpp[10059]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-08-23 14:13:59 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from xxx.xxx.xxx.21 failed. SSL error:
    2021-08-23 14:13:59 INFO EndpointStorage.cpp[10059]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>: <1> -> <5>
    2021-08-23 14:14:03 INFO HBSessionHandler.cpp[10059]:108 removeDirtySessions - Number of sessions: 2
    2021-08-23 14:14:03 INFO HBSessionHandler.cpp[10059]:135 findPinnedEndpointIdentity - Number of sessions: 3
    2021-08-23 14:14:03 INFO HBSession.cpp[10059]:502 logNewSession - New Session: [xxx.xxx.xxx.21]:37832 connected
    2021-08-23 14:14:03 INFO EndpointStorage.cpp[10059]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41>: <5> -> <1>
    2021-08-23 14:14:03 INFO ModuleSacFirst.cpp[10059]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=xxx.xxx.xxx.21)
    2021-08-23 14:14:03 INFO EpStateListBroker.cpp[10059]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41(xxx.xxx.xxx.21)
    2021-08-23 14:14:13 INFO ModuleStatus.cpp[10059]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxx-xxxx-xxxx-xxxx-b40472c9ec41 (xxx.xxx.xxx.21) health: 1
    

    *=

        *.sophos.com
        *.sophosupd.com
        *.sophosupd.net
        *.sophosxl.net
        ocsp.globalsign.com
        ocsp2.globalsign.com
        crl.globalsign.com
        crl.globalsign.net
        ocsp.digicert.com
        crl3.digicert.com
        crl4.digicert.com
        tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.
        tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
        tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
        tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
        kinesis.us-west-2.amazonaws.com
        prod.endpointintel.darkbytes.io
        mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
        mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
        mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
        mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
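Added example, not part of the original posts and not Sophos tooling: a small triage script for the firewall-side `heartbeatd.log` format quoted in this thread. It lists the endpoints whose most recent event is still a TLS failure, as opposed to those that reconnected after a failure. The sample lines are constructed from that format, with documentation addresses in place of the redacted IPs; the regular expressions assume the line layout seen above.

```python
import re
from collections import defaultdict

# Constructed sample in the heartbeatd.log format quoted in the thread;
# 192.0.2.x are documentation addresses standing in for the redacted IPs.
SAMPLE_LOG = """\
2021-08-23 10:41:09 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from 192.0.2.25 failed. SSL error: SSL routines:ssl3_read_bytes tlsv1 alert internal error
2021-08-23 10:41:15 WARN HBSession.cpp[30380]:341 bufferDisconnectEvent - Incoming connection from 192.0.2.22 failed. SSL error:
2021-08-23 14:12:29 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from 192.0.2.21 failed. SSL error:
2021-08-23 14:12:29 INFO HBSession.cpp[10059]:502 logNewSession - New Session: [192.0.2.21]:31176 connected
2021-08-23 14:13:59 WARN HBSession.cpp[10059]:341 bufferDisconnectEvent - Incoming connection from 192.0.2.21 failed. SSL error:
2021-08-23 14:14:03 INFO HBSession.cpp[10059]:502 logNewSession - New Session: [192.0.2.21]:37832 connected
"""

# timestamp, level, source[pid]:line, function, " - ", message
PREFIX = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) [A-Z]+ \S+ (\w+) - (.*)$")
FAILED = re.compile(r"^Incoming connection from (\S+) failed\. SSL error:\s*(.*)$")
CONNECTED = re.compile(r"^New Session: \[([^\]]+)\]:\d+ connected$")


def summarize(log_text):
    """Per-IP failure/session counts, alert texts, and position of the last of each event."""
    stats = defaultdict(lambda: {"failures": 0, "sessions": 0, "alerts": set(),
                                 "last_failure": None, "last_session": None})
    for pos, raw in enumerate(log_text.splitlines()):
        rec = PREFIX.match(raw.strip())
        if not rec:
            continue  # not a heartbeatd record (blank line, wrapped text, ...)
        ts, func, msg = rec.groups()
        if func == "bufferDisconnectEvent" and (m := FAILED.match(msg)):
            entry = stats[m.group(1)]
            entry["failures"] += 1
            entry["last_failure"] = (pos, ts)
            if m.group(2):  # the alert text is often empty, as in the thread
                entry["alerts"].add(m.group(2))
        elif func == "logNewSession" and (m := CONNECTED.match(msg)):
            entry = stats[m.group(1)]
            entry["sessions"] += 1
            entry["last_session"] = (pos, ts)
    return dict(stats)


def still_failing(stats):
    """IPs whose latest event is a TLS failure; file order is used, not timestamps,
    because a failure and a new session can be logged within the same second."""
    return sorted(ip for ip, s in stats.items() if s["last_failure"] and
                  (s["last_session"] is None or s["last_session"][0] < s["last_failure"][0]))
```

Calling `still_failing(summarize(text))` on the real log before and after a firewall rule change shows which clients have picked up a working session and which still need an update or reboot.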