Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 28 replies
  • Answers 2 answers
  • Subscribers 17 subscribers
  • Views 20584 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall reported computer not sending heartbeat signals

LHerzog

Since November an increasing number of endpoints is reported from Central with "Sophos Firewall SN reported computer not sending heartbeat signals"

We upgraded our HQ XG from 18.5.4 to 19.0.1 on  Nov 12th but the issue started already before as you can see from the screenshots.

Before that, we only received this alerts occasionally.  Sometimes the message comes multiple times per day for a machine, then a few days no message is created even if the computer is still in use.

What is the issue here?

Central Region is Central Europe

One Computer:



This thread was automatically locked due to age.
Parents
  • 0

    Are you able to see any similar errors in the logs located at "C:\ProgramData\Sophos\Heartbeat\Logs"? 

    Could the device be entering a hibernate or sleep state at the times when these events are generated?

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    I was on the computer and it was in standby.

    I could see the Intel Networkdriver was frequently dumping something all the time during standby.

    Netwtw10
    7026
    7026 - Dump after return from D3 after cmd

    Netwtw10
    7025
    7025 - Dump after return from D3 before cmd

    .

    Probably causing network flapping which triggers Heartbeat Change.

    In the heartbeat log I could see many, many events during standby mode: network has changed - firewall may disconnect

    .

    2022-11-16T09:21:38.596Z [ 5212: 6340] A Sending network status
    2022-11-16T09:21:38.596Z [ 5212: 6340] A The network status has changed, the Firewall may disconnect.
    2022-11-16T09:21:38.598Z [ 5212: 6340] A Connection closed (network error).

    .

    I updated (network) drivers and BIOS at first place and will monitor the situation.

    Can the heartbeat module be tweaked so that it is compatible with Standby?

    Everyone taks about saving energy - would be non-pc to disable standby for heartbeat to work.

  • 0 in reply to LHerzog

    I was able to get some additional feedback on this from our team. 

    The decision-making process behind when these alerts are generated will take place entirely on the firewall. Only if network traffic continues to be routed to the firewall without heartbeat traffic periodically, will the alert be generated.

    Do you know if the NIC on the affected device remains active/communicating on the network while the system is in hibernate mode? What could also help is checking the power saver settings in Device Manager to check if the NIC is configured to stop communicating when the device enters a sleep state.

    There are a couple of options available from the XG Console which can limit the frequency at which these alerts/events are generated in Sophos Central. I will follow up with you via PM to share these.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to Qoosh

    Hi   and thanks for your message.

    The NICs, LAN or WiFi, may be shot down by the OS to save energy. That option is not disabled.

    As written earlier, it looks to me like the NIC driver does some usless behaviour / dumping something that shows with those Netwtw10 Events every few seconds. That probably wakes the NIC, sends some packets the firewall sees when the heartbeat driver already sent info to the firewall, that the device is now off.

    After the driver and BIOS updates, the issue has not happened to the computer that was most frequent before. Probably Intel / Fujitsu changed something on the network behaviour in Hibernate.

    Will continue to monitor the behaviour on our side.

    Interestingly the events almost stopped completely after Nov 16th.

Reply
  • 0 in reply to Qoosh

    Hi   and thanks for your message.

    The NICs, LAN or WiFi, may be shot down by the OS to save energy. That option is not disabled.

    As written earlier, it looks to me like the NIC driver does some usless behaviour / dumping something that shows with those Netwtw10 Events every few seconds. That probably wakes the NIC, sends some packets the firewall sees when the heartbeat driver already sent info to the firewall, that the device is now off.

    After the driver and BIOS updates, the issue has not happened to the computer that was most frequent before. Probably Intel / Fujitsu changed something on the network behaviour in Hibernate.

    Will continue to monitor the behaviour on our side.

    Interestingly the events almost stopped completely after Nov 16th.

Children
Unfiltered HTML