
Red Heartbeat when users share docking station

We noticed strange Heartbeat issues this week when users of one department started desk sharing.

Users have individual notebooks with Intercept X. The network is connected to an XG firewall running SFOS 19.0.1.

There is a DHCP server on the network.

XG gets the Heartbeat sessions of the users and FW rules rely on Green Heartbeat.

There are USB-C docking stations on the desks. They have a built-in NIC with an individual MAC address. When a computer is attached to the docking station, it uses the NIC of the docking station.

Now, the users plug in their notebook one day on docking station 1, the next day on docking station 2, the day after on docking station 3, and so on.

So now when User A on Notebook A was connected to docking station 1 yesterday, it had the IP address A.

Notebook A was shut down in the office at the end of the day - not only power saving.

Today User B on Notebook B connects to docking station 1 and is served IP address A by DHCP.

And now there is some issue on the firewall that I don't understand. Heartbeat usually relies on the Heartbeat ID, which is a long unique string.

Nevertheless, User B today has a green HB shown everywhere: in Central, on the firewall and on the endpoint. But all FW rules that rely on a green Heartbeat are denied for him. No Internet, no internal server access. The browser shows: "the security status of your device cannot be confirmed". That is shown when the firewall blocks the client.

When checking the XG logs today, there is also a log entry in the heartbeat log that shows Computer A with IP 1 has a red heartbeat, and that is probably the issue causing the XG to block that endpoint internally, even if that computer is today a completely different machine.

It took about 30 minutes and some network-reconnects of Computer B until it was allowed by XG to communicate on the network.

Computer A was not in the office today.
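The following Python model is an added illustration, not Sophos code and not the poster's configuration: it reproduces the sequence described above (two notebooks alternating on one dock NIC, a DHCP lease that follows the dock's MAC, a firewall that keeps a per-endpoint heartbeat record) and shows why a policy lookup keyed by the address can deny notebook B for a retention window although B reports green, while a lookup that trusts the endpoint that most recently reported on the address, or unique MACs per notebook via MAC passthrough, avoids the conflict. All endpoint IDs, MACs, IPs, the 30-minute retention value and the "mark the previous endpoint missing" rule are constructed assumptions.

```python
"""Constructed model of the desk-sharing heartbeat conflict (not Sophos' implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

GREEN, MISSING = "green", "missing"
RETENTION_MIN = 30  # constructed: minutes a stale non-green record keeps influencing policy


@dataclass
class Record:
    endpoint_id: str   # unique per installed endpoint agent (the "Heartbeat ID")
    mac: str           # MAC the traffic actually arrives from (dock NIC or built-in NIC)
    ip: str
    status: str
    reported: int      # constructed clock in minutes: last heartbeat from this endpoint
    changed: Optional[int] = None  # when the status last changed

    def __post_init__(self):
        if self.changed is None:
            self.changed = self.reported


class DhcpServer:
    """Lease table keyed by client MAC, which is how a real DHCP server reuses leases."""
    def __init__(self, pool: List[str]):
        self.pool, self.leases = list(pool), {}

    def request(self, mac: str) -> str:
        if mac not in self.leases:
            self.leases[mac] = self.pool.pop(0)
        return self.leases[mac]


class AddressKeyedFirewall:
    """Toy policy engine. receive() stores the latest heartbeat per endpoint and, when a
    different endpoint shows up on a MAC it already knows, marks the earlier endpoint
    missing there (constructed rule, modelled on the vendor reply in this thread)."""

    def __init__(self, conflict_safe: bool):
        self.records: Dict[str, Record] = {}
        self.conflict_safe = conflict_safe

    def receive(self, hb: Record) -> None:
        for old in self.records.values():
            if old.mac == hb.mac and old.endpoint_id != hb.endpoint_id and old.status == GREEN:
                old.status, old.changed = MISSING, hb.reported
        self.records[hb.endpoint_id] = hb

    def allowed(self, ip: str, now: int) -> bool:
        on_ip = [r for r in self.records.values() if r.ip == ip]
        if not on_ip:
            return False
        if self.conflict_safe:
            # Decide by the endpoint that most recently sent a heartbeat from this IP.
            return max(on_ip, key=lambda r: r.reported).status == GREEN
        # Naive: any non-green record on the IP that changed inside the retention
        # window blocks the address, even if another endpoint reports green on it.
        stale = [r for r in on_ip if r.status != GREEN and now - r.changed < RETENTION_MIN]
        return not stale and any(r.status == GREEN for r in on_ip)


def simulate(mac_passthrough: bool, conflict_safe: bool) -> Dict[str, bool]:
    """Day 1: notebook A on dock 1, then shut down. Day 2: notebook B on dock 1.
    Returns whether B's traffic is allowed on connect and RETENTION_MIN minutes later."""
    dock_mac = "aa:bb:cc:00:00:01"                       # constructed dock NIC MAC
    mac_a = "10:00:00:00:00:0a" if mac_passthrough else dock_mac
    mac_b = "10:00:00:00:00:0b" if mac_passthrough else dock_mac
    dhcp = DhcpServer(["10.1.1.50", "10.1.1.51"])       # constructed lease pool
    fw = AddressKeyedFirewall(conflict_safe)

    day1, day2 = 0, 24 * 60
    ip_a = dhcp.request(mac_a)
    fw.receive(Record("EP-A", mac_a, ip_a, GREEN, day1))
    # Notebook A is shut down overnight: its agent simply stops reporting.
    ip_b = dhcp.request(mac_b)
    fw.receive(Record("EP-B", mac_b, ip_b, GREEN, day2))
    return {
        "same_ip": ip_a == ip_b,
        "allowed_on_connect": fw.allowed(ip_b, day2),
        "allowed_after_retention": fw.allowed(ip_b, day2 + RETENTION_MIN),
    }


if __name__ == "__main__":
    for passthrough in (False, True):
        for safe in (False, True):
            print(f"MAC passthrough={passthrough}, conflict-safe lookup={safe}: "
                  f"{simulate(passthrough, safe)}")
```

Running it shows the three outcomes the thread discusses: without passthrough and with the naive lookup, B shares A's IP and is denied until the retention window has passed; the conflict-safe lookup allows B immediately; with per-notebook MACs the two notebooks get different leases and the conflict never arises.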



  • Hi,

    Thanks for bringing this up. Our initial analysis indicates that this issue occurs when docking stations do not support MAC passthrough. This is mostly happening due to a combination of two primary reasons: 1) Notebook A moves to either the missing state or the not-connected state; 2) the same MAC address of the dock is used for both notebooks.

    Requesting you to open a support case, so that we can investigate in detail.

    Regards,

    Laxmikant

  • Thanks. Point 2 applies here.

    We'll do some further tests internally so we're sure it can be reproduced and then open a case.

  • The issue can be reproduced using the described method.

    The notebooks come shipped with this BIOS setting: "MAC Address Pass Through" disabled.

    Will try to change it and see if that fixes the issue.

    This text is from the Dell documentation. We use Fujitsu, but it should be the same:

    "MAC Address Override or MAC Address Pass Through that uses a system-unique MAC address entered in the system Basic Input/Output System (BIOS) which is then used to override the dock or dongle MAC address every time it’s connected to the network. This way the network sees the system-unique MAC address."

  • Thanks for trying these options @LHerzog! Do I understand correctly that the issue does not occur when "MAC Address Pass Through" is enabled in the BIOS settings, and that this is an acceptable configuration at your end?

  • We're currently working on it to see if it fixes our problem. In general, I would prefer this setting to be enabled by default when we hand over the devices to the user, because it also saves us many DHCP leases when there is only one MAC per device. But this is the responsibility of another team.

  • Nice one.

    The USB Type-C Port Replicator, which is widely used here, does not support MAPT. I can enable it in the BIOS, but it keeps using the physical MAC of the docking station NIC, not the MAC of the internal LAN NIC.

    That means we'd need to add all possible docking stations in that department to every computer and configure the internal LAN NIC MAC address on the driver in Windows for each external docking station NIC manually to get it working on Sophos Heartbeat at the current version.

    The successor USB Type-C Port Replicator 2 supports it natively:

    Still, the current heartbeat behaviour looks more like a bug to me, most likely because the machine being blocked due to heartbeat issues is "all green" on the firewall.
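Before enabling MAPT fleet-wide, an administrator will want to know which dock NICs are actually being shared between different computers, because those are the only addresses on which the conflict above can occur. The script below is an added example, not part of this thread or of any Sophos tool: it reads a constructed, simplified lease record format ("timestamp mac ip hostname", not the native log format of any particular DHCP server) and reports MACs that were leased to more than one hostname, and IPs that were handed to more than one hostname. Sample lines, MACs and hostnames are constructed.

```python
"""Added example: find dock NICs shared by several computers from constructed DHCP lease records."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: "timestamp mac ip hostname". NB-A and NB-B alternate on one dock
# (aa:bb:cc:00:00:01); NB-C first used a dock, then a dock with MAC passthrough enabled.
SAMPLE_LEASES = """\
2023-05-02T08:01:12 aa:bb:cc:00:00:01 10.1.1.50 NB-A
2023-05-02T08:05:40 aa:bb:cc:00:00:02 10.1.1.51 NB-C
2023-05-03T07:58:03 AA:BB:CC:00:00:01 10.1.1.50 NB-B
2023-05-03T08:10:19 10:00:00:00:00:0c 10.1.1.52 NB-C
2023-05-04T08:02:55 aa:bb:cc:00:00:01 10.1.1.50 NB-A
this line is malformed and is skipped
"""


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Parse the constructed format, normalising MACs to lower case and skipping bad lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: ignore rather than crash the report
        ts, mac, ip, host = parts
        leases.append({"ts": ts, "mac": mac.lower(), "ip": ip, "host": host})
    return leases


def hosts_by_key(leases: List[Dict[str, str]], key: str) -> Dict[str, Set[str]]:
    """Group the hostnames seen per MAC (key="mac") or per IP (key="ip")."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for lease in leases:
        seen[lease[key]].add(lease["host"])
    return seen


def shared_macs(text: str) -> Dict[str, List[str]]:
    """MACs leased to more than one hostname: dock NICs without MAC passthrough."""
    groups = hosts_by_key(parse_leases(text), "mac")
    return {mac: sorted(h) for mac, h in groups.items() if len(h) > 1}


def reused_ips(text: str) -> Dict[str, List[str]]:
    """IPs handed to more than one hostname: the addresses a stale heartbeat record can hit."""
    groups = hosts_by_key(parse_leases(text), "ip")
    return {ip: sorted(h) for ip, h in groups.items() if len(h) > 1}


if __name__ == "__main__":
    print("dock MACs shared between computers:", shared_macs(SAMPLE_LEASES))
    print("IPs reused by different computers:", reused_ips(SAMPLE_LEASES))
```

On the sample, only the dock MAC aa:bb:cc:00:00:01 and its lease 10.1.1.50 are reported; NB-C's two different MACs are not flagged, which is the pattern you expect once passthrough works.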

  • Hi,

    Sure. We will investigate in detail to see if a fix is possible. You may please raise a support case for your tracking purposes.

    Regards,

    Laxmikant