no heartbeat from MacOS Sonoma 14.3 (again)

Yesterday the first client updated it's MacOS to Sonoma 14.3.

Since then it has no heartbeat on our firewall.

All Sophos services up and running.

Agent 10.5.1

The user is connected with SSL VPN. He was before the update (with heartbeat!) and is now reconnected with SSL VPN after the update. The client is just not sending any heartbeat packets to the firewall.

There is no activity in heatbeatd.log from that VPN IP or the heartbeat ID of the client (yyyyybc43c) on the firewall. So the client is just not sending.

The only thing that appeard in the FW log is:

[2024-01-22 21:33:13.852Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <3>
...
[2024-01-23 07:02:33.996Z] WARN HBSession.cpp[12083]:344 bufferDisconnectEvent - Incoming connection from 10.242.254.6 failed. SSL error:
[2024-01-23 07:02:33.996Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <xxxxae9abb>: <1> -> <5>

ID xxxxae9abb is the ID of an other computer with the IP 10.242.254.6 connected with SSL VPN and heartbeat before 07:02Z - it terminated it's SSL VPN session at 07:00Z. At 07:02Z the computer with ID yyyyybc43c connected and received the free IP address 10.242.254.6.

The user authentication towards is working - but that does not use the heartbeat IP.

I'd say it is not NC-117680 SecurityHeartbeat Ipset hb_green entry removed without cause.

Added Tags
[edited by: GlennSen at 6:27 AM (GMT -8) on 30 Jan 2024]

0 Qoosh 3 months ago

Hi LHerzog,

Could you try cloning the current policy in Sophos Central that specifies for HBT to remain on?

I'd suggest saving the policy in the "Off" state momentarily before turning this back on to see if this allows the device to resume sending heartbeat signals.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog 2 months ago in reply to Qoosh

Hi Qoosh and thanks for that suggestion. I was a day off and could not test that.

Today I see the client picked up heartbeat again on Jan 23rd about 24h after it lost it on Jan 22nd. May that point to the root cause of theses issues, that there is some kind of 1 day delay?

[2024-01-22 21:33:13.852Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <3>
[2024-01-23 21:46:42.196Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <3> -> <1>
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

0 LHerzog 2 months ago in reply to LHerzog

now that user is working and reports intermittent web connectivity failures to me. When checking the logs I can see the Mac has flapping heartbeat on the firewall. It often switches between status 5 and 1. When 5 of course the computer is denied for several firewall rules.

[2024-01-30 14:13:35.542Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 14:13:35.662Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 14:13:35.663Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 14:14:03.979Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:28:35.533Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 14:28:35.671Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 14:28:35.671Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 14:28:36.844Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:28:36.844Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:28:36.844Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:28:36.844Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:11.126Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 14:43:11.335Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 14:43:11.336Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 14:43:30.352Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:30.353Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:30.353Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:30.353Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:30.353Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:30.353Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:35.565Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 14:43:35.691Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 14:43:35.691Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 14:43:42.505Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:42.506Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:42.506Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:43:42.506Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:58:35.528Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 14:58:35.670Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 14:58:35.671Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 14:58:39.312Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:58:39.312Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:58:39.312Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:58:39.313Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 14:58:39.313Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:07:58.869Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:07:59.036Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:07:59.036Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:07:59.820Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:07:59.820Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:07:59.820Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:35.544Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:13:35.690Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:13:35.690Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:13:48.232Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:48.233Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:48.233Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:48.233Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:48.233Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:13:48.233Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:17:34.747Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:17:35.024Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:17:35.024Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:17:35.297Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:18:10.189Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:18:10.381Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:18:10.381Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:18:29.404Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:28:03.335Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:28:03.521Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:28:03.521Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:28:05.484Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:28:13.200Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:28:13.484Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:28:13.484Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:28:35.467Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:35:20.109Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:35:20.292Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:35:20.292Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:35:21.300Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:35:21.300Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:35:21.300Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:43:31.626Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:43:31.907Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:43:31.907Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:43:35.580Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <1> -> <5>
[2024-01-30 15:43:35.803Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <yyyyybc43c>: <5> -> <1>
[2024-01-30 15:43:35.803Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: yyyyybc43c (172.16.xxx.xxx) health: 1
[2024-01-30 15:43:36.970Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox
[2024-01-30 15:43:36.971Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox

Can someone with knowledge of heartbeat tell what this means?

Sent switchOffConnectionInfo request to endpoint: <yyyyybc43c>, Application path :/Applications/Firefox.app/Contents/MacOS/firefox

is that something that is terminating a heartbeat?

0 LHerzog 2 months ago in reply to LHerzog

is someone really using Macs with heartbeat? I think I have not seen (many?) posts here about that combination.

This looks to me like flapping heartbeat due to some energy saving just as with modern standby on windows endpoints.

NC-120932 "Endpoints with Modern standby enabled is not supported in firewall and so missing heartbeat alerts could be caused."

I thought to have read that this has been fixed in a late SFOS but I still find it in the KIL.

and again the log "switchOffConnectionInfo"

[2024-02-06 11:28:47.613Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:28:47.613Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:29:04.812Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 11:41:29.977Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:41:30.137Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:41:30.137Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:41:30.332Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:41:30.577Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:41:30.577Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:41:44.853Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 11:44:52.467Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:44:52.669Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:44:52.669Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:45:04.889Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 11:52:32.500Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:52:32.614Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:52:32.615Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:52:43.996Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 11:56:32.147Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:56:32.357Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:56:32.357Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:56:33.572Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 11:59:59.312Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:59:59.457Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:59:59.457Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 11:59:59.544Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 11:59:59.689Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 11:59:59.690Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 12:00:05.032Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 12:03:40.434Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 12:03:40.702Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 12:03:40.703Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 12:03:45.043Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 12:04:01.052Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 12:04:01.205Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 12:04:01.205Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (10.242.xxx.xx1) health: 1
[2024-02-06 12:04:03.487Z] INFO SacProcessor.cpp[12083]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>, Application path :/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/121.0.6167.139/Helpers/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper
[2024-02-06 12:09:01.251Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <3>
XG430_WP02_SFOS 19.5.3 MR-3-Build652 HA-Primary#

and in debug mode:

[2024-02-06 15:14:44.783Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <1> -> <5>
[2024-02-06 15:14:44.783Z] DEBUG Endpoint.cpp[12083]:269 startHeartbeatLostTimer - HeartbeatLost timer of <285> secs started for EP : 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548
[2024-02-06 15:14:44.896Z] DEBUG ClientInfo.cpp[12083]:25 ClientInfo - Added new Client Info: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 172.16.xxx.xx1 58564
[2024-02-06 15:14:44.896Z] DEBUG HBSession.cpp[12083]:505 logNewSession - EP_Name: EP-HOSTNAME EP_ID: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548
[2024-02-06 15:14:44.923Z] DEBUG ModuleStatus.cpp[12083]:167 processMessageLogin - login request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (172.16.xxx.xx1) at 1707232484
[2024-02-06 15:14:44.923Z] DEBUG Endpoint.cpp[12083]:243 eventCleanUp - eventCleanUp for ep :18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548
[2024-02-06 15:14:44.923Z] INFO EndpointStorage.cpp[12083]:119 endpoint_connectivity_cb - Connectivity changed for <18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548>: <5> -> <1>
[2024-02-06 15:14:44.924Z] DEBUG ModuleNetwork.cpp[12083]:87 processNetworkRequest - network request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (172.16.xxx.xx1) at 1707232484
[2024-02-06 15:14:44.924Z] INFO ModuleStatus.cpp[12083]:137 processMessageStatus - Status request received from endpoint: 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (172.16.xxx.xx1) health: 1
[2024-02-06 15:14:44.924Z] DEBUG GarnerUpdater.cpp[12083]:124 sendGarnerEventEndpoint - Send ep_status to garner. EP_ID = 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 health = 1 time = 1707232484
[2024-02-06 15:14:44.924Z] DEBUG EacSwitchRequest.cpp[12083]:53 decode_response - OK received from endpoint 18e9c32a-xxxx-xxxx-xxxx-xxxxxxx5f548 (172.16.xxx.xx1)

0 LHerzog 1 month ago in reply to LHerzog

07215426 / Sophos Central Mac Endpoints flapping Heartbeat - frequently switching between status 5 and 1

"firewall code change is already implemented with SFOS 20.0 GA, but code change for MacOS is still pending and not implenented yet.
The change on Endpoint side for MacOS is handled as improvement/feature."

the internal reference is "MACEP-7994"

What about the Sophos guys using MacOS? I wonder are they either all not using Heartbeat or have special fixes in place?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LHerzog 8 days ago in reply to LHerzog

no comment is also a statement.

This software combination is not working. 25% of our Mac's are at red health because something from Sophos is not working.

this "show devices with red health" filter shows how good MacOS and Sophos EP performs. Only recently used devices. No windows machine on the list.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Qoosh 8 days ago in reply to LHerzog

May I ask if the devices in question are entering/exiting a hibernate mode/sleep mode, and whether or not a device shutdown and restart affects the health/heartbeat status?

Based on the support case ID you provided, I was able to locate some information on proposed improvements but I would like to verify the origin of the issue your devices are experiencing specifically.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel