
Sophos Heartbeat - Red in XG but green in Central

Hello,

We have a continuous problem with the heartbeat for some users.

The endpoint is green and fine, but in Central it's red.

Here is the last log during the problem (heartbeat log):

a 2021-06-23T06:45:27.764Z [5880:8000] - Received request to enable enhanced application control
a 2021-06-23T06:45:27.771Z [5880:8000] - Sending login status.
a 2021-06-23T06:45:28.098Z [5880:8000] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-23T06:45:28.138Z [5880:8000] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-23T06:45:41.410Z [5880:8000] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
a 2021-06-23T07:15:11.868Z [5880:8000] - Received request to disable enhanced application control for C:\program files (x86)\google\chrome\application\chrome.exe
a 2021-06-23T10:22:33.571Z [5880:7476] - ----------------------------------------------------------------------------------------------------
a 2021-06-23T10:22:33.572Z [5880:7476] - Stopped Heartbeat
a 2021-06-23T10:22:33.572Z [5880:7476] - ----------------------------------------------------------------------------------------------------
a 2021-06-23T10:22:37.665Z [19648:19496] - ----------------------------------------------------------------------------------------------------
a 2021-06-23T10:22:37.666Z [19648:19496] - Starting Heartbeat version 1.11.194.0
a 2021-06-23T10:22:37.666Z [19648:19496] - ----------------------------------------------------------------------------------------------------
a 2021-06-23T10:22:38.124Z [19648:16596] - Connection succeeded.
a 2021-06-23T10:22:38.125Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-23T10:22:38.140Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.22 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T10:22:38.400Z [19648:16596] - Received request to enable enhanced application control
a 2021-06-23T10:22:38.400Z [19648:16596] - Sending login status.
a 2021-06-23T10:22:52.077Z [19648:16596] - Sending health status: {"health":3}
a 2021-06-23T10:51:43.762Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-23T11:31:11.576Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\google\chrome\application\chrome.exe
a 2021-06-23T12:44:45.877Z [19648:16596] - Received request to disable enhanced application control for C:\program files\internet explorer\iexplore.exe
a 2021-06-23T13:58:12.169Z [19648:16596] - Connection closed (network error).
a 2021-06-23T13:58:13.181Z [19648:16596] - Connection failed.
a 2021-06-23T14:08:02.495Z [19648:16596] - Connection succeeded.
a 2021-06-23T14:08:02.496Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-23T14:08:02.510Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.22 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T14:08:02.738Z [19648:16596] - Received request to enable enhanced application control
a 2021-06-23T14:08:02.741Z [19648:16596] - Sending login status.
a 2021-06-23T14:08:03.244Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\google\chrome\application\chrome.exe
a 2021-06-23T14:08:13.160Z [19648:16596] - Sending health status: {"health":3}
a 2021-06-23T14:54:57.625Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-23T14:54:57.655Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-23T15:31:08.146Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T15:31:15.057Z [19648:16596] - Connection closed (network error).
a 2021-06-23T15:31:37.141Z [19648:16596] - Connection failed.
a 2021-06-23T15:31:52.423Z [19648:16596] - Connection succeeded.
a 2021-06-23T15:31:52.423Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-23T15:31:52.438Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.9 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T15:31:52.450Z [19648:16596] - Connection closed (network error).
a 2021-06-23T15:31:53.728Z [19648:16596] - Connection succeeded.
a 2021-06-23T15:31:53.729Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-23T15:31:53.747Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.9 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T15:31:53.761Z [19648:16596] - Connection closed (network error).
a 2021-06-23T15:31:55.000Z [19648:16596] - Connection succeeded.
a 2021-06-23T15:31:55.000Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-23T15:31:55.015Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.9 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-23T15:31:55.145Z [19648:16596] - Received request to enable enhanced application control
a 2021-06-23T15:31:55.146Z [19648:16596] - Sending login status.
a 2021-06-23T15:32:03.612Z [19648:16596] - Sending health status: {"health":3}
a 2021-06-23T17:38:13.918Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\microsoft\edgeupdate\microsoftedgeupdate.exe
a 2021-06-23T21:41:06.153Z [19648:16596] - Connection closed (network error).
a 2021-06-24T06:29:22.504Z [19648:16596] - Connection failed.
a 2021-06-24T06:31:26.179Z [19648:16596] - Connection succeeded.
a 2021-06-24T06:31:26.179Z [19648:16596] - Connected to '3a343c11-a991-4d63-ab52-1df31f3ce352' at IP address 52.5.76.173 on port 8347
a 2021-06-24T06:31:26.193Z [19648:16596] - Sending network status. Active Interfaces:
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.21 - INET6: fe80::507c:e745:b4b8:e1e7
MAC: 24:41:8C:31:94:12 - INET: 192.168.1.3 - INET6: fe80::10a7:ca61:5e5e:2034
a 2021-06-24T06:31:26.483Z [19648:16596] - Received request to enable enhanced application control
a 2021-06-24T06:31:26.483Z [19648:16596] - Sending login status.
a 2021-06-24T06:31:27.846Z [19648:16596] - Sending health status: {"health":3}
a 2021-06-24T06:32:03.946Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-24T06:32:03.995Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\internet explorer\iexplore.exe
a 2021-06-24T06:32:33.202Z [19648:16596] - Received request to disable enhanced application control for C:\program files\internet explorer\iexplore.exe
a 2021-06-24T06:35:38.958Z [19648:16596] - Received request to disable enhanced application control for C:\program files (x86)\google\chrome\application\chrome.exe

We already contacted Sophos support... 1 month to get a reply from support. You can imagine that we are trying different ways to solve the problem; a temporary solution is to reinstall Sophos, but it doesn't last.

Thank you !
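To make the "check the endpoint heartbeat.log" advice repeatable across many machines, here is an added example (my own script, not Sophos code) that parses the heartbeat.log line format shown above, lists health transitions, connection outages and service restarts, and flags health changes that follow a reconnect within a short window, which is the pattern visible in the excerpt. The sample lines are constructed for the demo, modelled on the posted format; the meaning of health values 1 and 3 is taken from the thread's own reading of them.

```python
"""Summarise a Sophos endpoint heartbeat.log (added example, not Sophos code).

The line format mirrors the excerpt posted in this thread. SAMPLE_LOG is a
constructed sample in that format, not a real capture.
"""
import json
import re
from datetime import datetime, timezone

# Optional leading "a " tolerates the stray prefix the forum paste added.
LINE_RE = re.compile(
    r"^(?:a )?(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) "
    r"\[(?P<pid>\d+):(?P<tid>\d+)\] - (?P<msg>.*)$"
)
HEALTH_RE = re.compile(r"^Sending health status: (?P<json>\{.*\})$")

# Constructed sample: health 1 is what the thread's green endpoint sends,
# health 3 is what the endpoints that Central shows as red were sending.
SAMPLE_LOG = """\
2021-06-23T06:45:41.410Z [5880:8000] - Sending health status: {"admin":1, "health":1, "service":1, "threat":1}
2021-06-23T10:22:33.572Z [5880:7476] - Stopped Heartbeat
2021-06-23T10:22:37.666Z [19648:19496] - Starting Heartbeat version 1.11.194.0
2021-06-23T10:22:38.124Z [19648:16596] - Connection succeeded.
MAC: 00:FF:39:01:DF:1B - INET: 192.168.181.22 - INET6: fe80::507c:e745:b4b8:e1e7
2021-06-23T10:22:52.077Z [19648:16596] - Sending health status: {"health":3}
2021-06-23T13:58:12.169Z [19648:16596] - Connection closed (network error).
2021-06-23T13:58:13.181Z [19648:16596] - Connection failed.
2021-06-23T14:08:02.495Z [19648:16596] - Connection succeeded.
2021-06-23T14:08:13.160Z [19648:16596] - Sending health status: {"health":3}
2021-06-23T15:31:15.057Z [19648:16596] - Connection closed (network error).
2021-06-23T15:31:52.423Z [19648:16596] - Connection succeeded.
2021-06-23T15:32:03.612Z [19648:16596] - Sending health status: {"health":1}
"""


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp used at the start of each log line."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, pid, message) or None for continuation lines
    such as the 'MAC: ... - INET: ...' interface listing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return parse_ts(m["ts"]), int(m["pid"]), m["msg"]


def summarise(text):
    """Walk the log once and collect the events worth looking at."""
    health_changes = []   # (ts, old_health, new_health)
    outages = []          # (closed_at, reconnected_at, seconds)
    restarts = []         # timestamps of "Starting Heartbeat"
    connects = []         # timestamps of every "Connection succeeded."
    last_health = None
    outage_start = None
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _pid, msg = parsed
        hm = HEALTH_RE.match(msg)
        if hm:
            health = json.loads(hm["json"]).get("health")
            if last_health is not None and health != last_health:
                health_changes.append((ts, last_health, health))
            last_health = health
        elif msg.startswith("Connection closed") or msg == "Connection failed.":
            if outage_start is None:          # first failure starts the outage
                outage_start = ts
        elif msg == "Connection succeeded.":
            connects.append(ts)
            if outage_start is not None:      # reconnect closes the outage
                outages.append((outage_start, ts, (ts - outage_start).total_seconds()))
                outage_start = None
        elif msg.startswith("Starting Heartbeat"):
            restarts.append(ts)
    return {
        "health_changes": health_changes,
        "outages": outages,
        "restarts": restarts,
        "connects": connects,
        "final_health": last_health,
        "open_outage": outage_start,          # set if the log ends disconnected
    }


def correlate_with_reconnect(summary, window_s=60.0):
    """Health changes reported within window_s after a (re)connect. A change
    that always follows a reconnect points at connection churn rather than
    at a real change in the endpoint's protection state."""
    hits = []
    for ts, old, new in summary["health_changes"]:
        earlier = [c for c in summary["connects"] if c <= ts]
        if earlier:
            gap = (ts - earlier[-1]).total_seconds()
            if gap <= window_s:
                hits.append({"at": ts, "from": old, "to": new, "seconds_since_connect": gap})
    return hits


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ts, old, new in s["health_changes"]:
        print(f"{ts.isoformat()} health {old} -> {new}")
    for start, end, secs in s["outages"]:
        print(f"outage {start.isoformat()} .. {end.isoformat()} ({secs:.1f}s)")
    print(f"restarts: {len(s['restarts'])}, changes right after reconnect: "
          f"{len(correlate_with_reconnect(s))}")
```

Run it against a real heartbeat.log with `summarise(open(path).read())`; continuation lines and lines in other formats are skipped rather than raising.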



  • As you can see, the heartbeat status is switching every minute! In Central it stays green...

  • That's the very same for us, and on the XG it's always flapping between 1 and 3 in heartbeat.log. Maybe this is happening when the computers are idle. It only happens for a small percentage of devices, but I want to know why they appear risky to XG.

    I will mention your case number in my support case. Currently they want me to re-register the XG into central because they cannot put fwcm-heartbeatd.log into debug. See my post community.sophos.com/.../logging-heartbeat-vs-fwcm-heartbeatd-500-opcode-failed

  • PS: The flapping should be better in MR5 with the CLI change. docs.sophos.com/.../SystemCommands.html

    __________________________________________________________________________________________________________________

  • I executed service fwcm-heartbeatd:debug -ds nosync

    But I have this error in the log??

    XG330_WP02_SFOS 18.0.5 MR-5-Build586# tail -f heartbeatd.log
    2021-06-30 09:48:39 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:39 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:46 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:47 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:50 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:55 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:56 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:56 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:58 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:48:59 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:07 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:07 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:08 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:11 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:12 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    2021-06-30 09:49:12 WARN Path.cpp[5602]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
    

  • For now, this is what I see with an affected IP:

    XG330_WP02_SFOS 18.0.5 MR-5-Build586# tail -f heartbeatd.log | grep 192.9.220.17
    2021-06-30 09:53:17 INFO ModuleStatus.cpp[5602]:138 processMessageStatus - Status request received from endpoint: 7d4ab402-2192-43b1-8640-7d8cfa812909 (192.9.220.17) health: 1
    2021-06-30 09:53:20 INFO ModuleStatus.cpp[5602]:138 processMessageStatus - Status request received from endpoint: 7d4ab402-2192-43b1-8640-7d8cfa812909 (192.9.220.17) health: 3
    

  • What I have in this log, fwcm-heartbeatd.log:

    Jun 30 09:54:42.323 dbg Flags: in_progress:0, trx_sts:0, grp_id:00000000-0000-0000-0000-000000000000)
    Jun 30 09:54:42.323 ntc trasaction_id status: (old:0, new:0), in_progress:0.
    Jun 30 09:54:42.323 dbg Going in poll mode
    Jun 30 09:55:42.220 dbg Time to punch heartbeat
    Jun 30 09:55:42.220 dbg Time to punch heartbeat. Will send this data: 
            { "version": 2, "trxId": 0.0, "trxStatus": 0, "fwMetaData": { "capability": 7, "fwVersion": "XG330_WP02_18.0.5.586", "dispVersion": "XG330_WP02_SFOS 18.0.5 MR-5-Build586", "hostname": "X", "ram": 12, "cpuCores": 4, "haStatus": "primary", "haPairApplianceKey": "C33101CQDD32TC9", "haMode": "active-passive" } }
    Jun 30 09:55:42.220 dbg Preparing to send: 
            URL: https://utm-cloudstation-eu-central-1.prod.hydra.sophos.com/sophos/api/v1/firewalls/heartbeats/3a343c11-a991-4d63-ab52-1df31f3ce352
    ,       Data(321):{ "version": 2, "trxId": 0.0, "trxStatus": 0, "fwMetaData": { "capability": 7, "fwVersion": "XG330_WP02_18.0.5.586", "dispVersion": "XG330_WP02_SFOS 18.0.5 MR-5-Build586", "hostname": "X", "ram": 12, "cpuCores": 4, "haStatus": "primary", "haPairApplianceKey": "C33101CQDD32TC9", "haMode": "active-passive" } }
    Jun 30 09:55:42.293 dbg  Response code: '200'
    Jun 30 09:55:42.294 dbg  Response content len: '547'
    Jun 30 09:55:42.294 dbg  Response content: '{"trxId":0,"customerId":"X","forceSync":false,"skipTransaction":false,"inactiveStatus":false,"firstFailedTime":null,"trxStatus":0,"groupId":null,"exportXGConfig":false,"fwMetaData":{"fwVersion":"XG330_WP02_18.0.5.586","dispVersion":"XG330_WP02_SFOS 18.0.5 MR-5-Build586","hostname":"FWXGAF-WDC-01","ipAddress":null,"ram":12,"cpuCores":4,"haStatus":"primary","haMode":"active-passive","haPairApplianceKey":"C33101CQDD32TC9","capability":7},"receivedTime":"2021-06-30T07:55:42.278+00:00","transactionFailed":false}'
    Jun 30 09:55:42.294 dbg HB POST returned:0, response_data:{ "trxId": 0, "customerId": "X", "forceSync": false, "skipTransaction": false, "inactiveStatus": false, "firstFailedTime": null, "trxStatus": 0, "groupId": null, "exportXGConfig": false, "fwMetaData": { "fwVersion": "XG330_WP02_18.0.5.586", "dispVersion": "XG330_WP02_SFOS 18.0.5 MR-5-Build586", "hostname": "FWXGAF-WDC-01", "ipAddress": null, "ram": 12, "cpuCores": 4, "haStatus": "primary", "haMode": "active-passive", "haPairApplianceKey": "C33101CQDD32TC9", "capability": 7 }, "receivedTime": "2021-06-30T07:55:42.278+00:00", "transactionFailed": false }
    Jun 30 09:55:42.294 dbg Flags: in_progress:0, trx_sts:0, grp_id:00000000-0000-0000-0000-000000000000)
    Jun 30 09:55:42.294 ntc trasaction_id status: (old:0, new:0), in_progress:0.
    Jun 30 09:55:42.294 dbg Going in poll mode

  • The EP is reporting a change in the status, so it's an EP issue in the first place. Check the heartbeat.log on the endpoint in the installation directory to see if you can find a reason for the status change.

    __________________________________________________________________________________________________________________

  • Hi

    Can you specify the command?? Thank you

  • I suggest you hide some details in your posts. For example, I'd hide the endpoint and customer IDs.

    Maybe bad guys can use them for whatever bad things.

  • You should investigate the heartbeat.log on the client itself. You had the log in the initial post. https://support.sophos.com/support/s/article/KB-000038787?language=en_US

    __________________________________________________________________________________________________________________

  • To 's suggestion about the console manipulations:

    This is our current setting for synchronized-security:

    console> system synchronized-security delay-missing-heartbeat-detection show
    60
    console> system synchronized-security suppress-missing-heartbeat-to-central show
    0
    
    
    

    and I increased both by 30 sec each now:

    console> system synchronized-security delay-missing-heartbeat-detection set seconds 90
    { "missing_hb_duration": 90 }
    console> system synchronized-security suppress-missing-heartbeat-to-central set seconds 30
    { "suppress_missing_hb_to_central": 30 }
    

  • Keep me informed about the result :)

  • With tcpdump, this is what I have on port 8347.

    Why amazonaws?? Because it uses Amazon storage?

    10:22:48.974103 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [.], ack 2921, win 513, length 0
    10:22:49.031050 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [.], ack 4097, win 508, length 0
    10:22:49.031056 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [P.], seq 4097:5163, ack 240, win 237, length 1066
    10:22:49.043948 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 240:1545, ack 5163, win 513, length 1305
    10:22:49.044341 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [P.], seq 5163:5214, ack 1545, win 260, length 51
    10:22:49.048782 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1545:1586, ack 5214, win 513, length 41
    10:22:49.089257 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 1586, win 260, length 0
    10:22:49.101260 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.63578: Flags [F.], seq 31, ack 1, win 1472, length 0
    10:22:49.173791 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1586:1844, ack 5214, win 513, length 258
    10:22:49.173810 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 1844, win 280, length 0
    10:22:49.173982 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [P.], seq 5214:5288, ack 1844, win 280, length 74
    10:22:49.177236 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1844:1879, ack 5288, win 512, length 35
    10:22:49.217257 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 1879, win 280, length 0
    10:22:49.276024 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1879:1933, ack 5288, win 512, length 54
    10:22:49.276029 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 1933, win 280, length 0
    10:22:49.276129 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [P.], seq 5288:5321, ack 1933, win 280, length 33
    10:22:49.334639 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [.], ack 5321, win 512, length 0
    10:22:49.393281 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.63578: Flags [FP.], seq 0:31, ack 1, win 1472, length 31
    10:22:49.969260 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.63578: Flags [FP.], seq 0:31, ack 1, win 1472, length 31
    10:22:51.121262 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.63578: Flags [FP.], seq 0:31, ack 1, win 1472, length 31
    10:23:00.241514 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1933:2005, ack 5321, win 512, length 72
    10:23:00.241654 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [P.], seq 5321:5354, ack 2005, win 280, length 33
    10:23:00.334313 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 1933:2005, ack 5321, win 512, length 72
    10:23:00.334319 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 2005, win 280, options [nop,nop,sack 1 {1933:2005}], length 0
    10:23:00.388964 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [.], ack 5354, win 512, length 0
    10:23:04.066214 Port1, IN: IP CTX0006.francois.int.49690 > ec2-52-5-76-173.compute-1.amazonaws.com.8347: Flags [P.], seq 2005:2046, ack 5354, win 512, length 41
    10:23:04.066240 Port1, OUT: IP ec2-52-5-76-173.compute-1.amazonaws.com.8347 > CTX0006.francois.int.49690: Flags [.], ack 2046, win 280, length 0

  • Sophos uses a WAN IP for Heartbeat to make sure it always hits the firewall (default gateway): 52.5.76.173. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SecurityHearbeat.html#:~:text=Communication%20channel,76.173%20on%20port%208347.

    It's actually not an AWS resource; instead it's the firewall acting as this IP.

    __________________________________________________________________________________________________________________

  • Now for some unknown reason it's green... I didn't change anything... pff

  • I guess the user started using the machine at 9:55.

  • Getting another machine at risk after the timing changes made above, so they may be useless.

    2021-06-29 16:44:52 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <3>
    2021-06-30 10:37:48 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <3> -> <1>
    2021-06-30 10:37:48 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:37:49 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:38:09 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:38:30 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:38:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:39:18 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:39:19 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:39:19 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:39:19 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:39:20 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:39:20 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:39:30 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:39:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:40:30 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:40:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:41:31 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:41:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:41:49 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:41:50 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:41:50 INFO EndpointStorage.cpp[17627]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>
    2021-06-30 10:41:50 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:41:55 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:41:55 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:42:04 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:42:20 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:42:22 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:42:22 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:42:31 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:42:35 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:43:27 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:43:31 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:43:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:44:31 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:44:34 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:45:31 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:45:35 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 3
    2021-06-30 10:46:28 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:47:11 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:47:11 INFO EndpointStorage.cpp[17627]:132 endpoint_maclist_cb - Mac list gets replaced for uuid <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>
    2021-06-30 10:47:11 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:47:25 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:47:41 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:47:43 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:47:43 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:47:53 INFO SacProcessor.cpp[17627]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    2021-06-30 10:47:55 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    2021-06-30 10:49:13 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:49:14 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>
    2021-06-30 10:49:14 INFO EpStateListBroker.cpp[17627]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx(xxx.xxx.xxx.93)
    2021-06-30 10:49:25 INFO ModuleStatus.cpp[17627]:138 processMessageStatus - Status request received from endpoint: xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx (xxx.xxx.xxx.93) health: 1
    

    and again I can see the strange HB status of 5

    2021-06-30 10:42:20 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <1> -> <5>
    2021-06-30 10:42:22 INFO EndpointStorage.cpp[17627]:114 endpoint_connectivity_cb - Connectivity changed for <xxxxxxxxxxxx-e49a-42ea-add5-xxxxxxxxxxxx>: <5> -> <1>

    I asked about it here https://community.sophos.com/sophos-xg-firewall/f/discussions/128368/heartbeat-connectivity-change-codes

    and  wrote about some kind of TLS teardown, whatever this may be.

  • Can you check the time of the clients? Maybe it's too far off from the time set on the XG.

    __________________________________________________________________________________________________________________

  • What's TLS teardown?! It seems not to be the same problem for me.

  • Can you check the time of the clients?

    I will try to get that information.