This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Heartbeat Stops Reporting Knocking PC Off Network

Good morning all, I am beginning to have a serious issue with our PC's since moving over to Sophos Intercept X Advanced. I am beginning to have PC's stop sending their Heartbeat, Sophos Central shows the PC as no longer sending a heartbeat and I believe what happens is the system goes into a protected mode, preventing the PC from having any network access, actually preventing its IP so my network icon immediately changes from connected to no connection. Most of the time the PC's are bouncing back and resume sending the heartbeat without any intervention on my part.

However some are not bouncing back and left in this disconnected state until, I manually assign an IP address to get the heartbeat back then I can simply reset the network card back to DHCP. This is beginning to be a serious issue, as yesterday this happened to 3 PC's and today I just back from our other plant because of the same issue on another PC.

Any users experienced something similar? Intercept X is managed through Sophos Central as well we do have a Sophos XG firewall that ties everything together. I have reached out to Sophos support but in the meantime if anyone has some suggestions to possible look at, please let me know, I'm at a loss as to why this is happening, if it's a bug, I'm not sure.

Thank you



This thread was automatically locked due to age.
  • I just had a thought, do you think the issue is related to Synchronized User ID Authentication? Reason I ask is in my logs under Authentication I have dozens and dozens of entries, example below.

    2021-06-21 13:16:26 Authentication messageid="17702" log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Failed" user="USERNAME" user_group="" client_used="Heartbeat" auth_mechanism="Local" reason="wrong credentials" src_ip="X.X.X.X" message="User USERNAME failed to login to Firewall through Local authentication mechanism from X.X.X.X because of wrong credentials" name="" src_mac=""

    There are no credentials with my users, and synchronized user ID authentication is enabled by default. 

    This is a statement directly on how this system works.

    "If the client Heartbeat is lost or missing, the heartbeat daemon will logout the user from the firewall as a Synchronized ID user, however other client authentication mechanisms may still apply."

  • Ok so in the end disabling Device Isolation did not solve the issue. I still have PC's reporting their heartbeat is lost and they are blocked form the network. This is getting to be a real pain in the butt and sorry I moved the company over to this product.

  • FormerMember
    0 FormerMember in reply to SophosNewby

    I would suggest that you get an SDU from the affected machines and a CTR from the SFOS and open a support case.

  • Thank you, yes I have supplied multiple SDU's and have had very little help, think I created the case 3 or so weeks ago. You gave me more help or t least what to look into.