
Heartbeat denied on IPSec connections

Hi, this morning all of my IPSEC users are having problems connecting to the internet using the Sophos Connect client.

The error in the XG log is Heartbeat denied

This was working yesterday and we have made no changes to the XG

  • Our Security heartbeat certificate was renewed over night, so could that have caused this issue?

  • The users get this error when they try to browse some sites:

    Internet access blocked
    You cannot access the Internet because the security status of your device cannot be confirmed.
    Reason for blocking this site
    Your device does not meet the security heartbeat requirements for this network.

  • we're receiving a bunch of client updates today causing lots of computers to lose their heartbeat shortly and so getting denied some firewall rules.

    maybe that's the same at your side?

    Check Central events and filter for: Reboot to complete update; computer stays protected in the meantime

    btw. This caused my computer to show two sophos shields in my tray bar on windows so I guess it was a core agent update which I think is true.

    Just checked my eventlog of windows and it looks like many sophos components have been updated over time period of about 15 minutes.

  • Hi LHerzog, thanks for your reply!

    Yeah I was hoping a reboot would fix it as some of our clients reported as requiring it but a reboot did not help

    I have found the firewall rule that is blocking the connections as I got it working by disabling "Block clients with no heartbeat" on the rule

  • I would start checking the heartbeat log (C:\ProgramData\Sophos\heartbeat\logs) on the clients and see what the XG is seeing from the client in its heartbeatd.log. You know that the heartbeat traffic is mandatory to go through the XG? It must not go from the clients directly to the heartbeat IP.

  • I get access denied when I try to open the Heartbeat folder with a local admin account. I tried to reset the permissions but that also failed

  • disable tamper protection first (need unlock code from Central)

    also, from the IPSec Client, do a tracert to the HB IP

    52.5.76.173

    is it going through the Tunnel to the XG or is it going directly into WAN?

  • Disabling worked, these are the logs:

    FYI I have disabled the firewall rule requiring a heartbeat, as users needed to connect.

    These logs appear to suggest it is connecting to the hb IP

    2021-11-18T10:21:51.200Z [ 4576: 7844] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:21:51.201Z [ 4576: 7844] A Starting Heartbeat version 1.15.781.0
    2021-11-18T10:21:51.202Z [ 4576: 7844] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:21:51.213Z [ 4576: 8056] A No configuration available to establish Heartbeat connection.
    2021-11-18T10:30:20.685Z [ 4660: 5452] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:30:20.686Z [ 4660: 5452] A Starting Heartbeat version 1.15.781.0
    2021-11-18T10:30:20.687Z [ 4660: 5452] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:30:20.696Z [ 4660: 6256] A No configuration available to establish Heartbeat connection.
    2021-11-18T10:30:32.710Z [ 4660: 6244] A The connection configuration has changed. Reloading settings.
    2021-11-18T10:30:32.717Z [ 4660: 6244] A The connection configuration has changed. Reloading settings.
    2021-11-18T10:31:11.773Z [ 4660: 6256] A Connection failed.
    2021-11-18T10:33:15.154Z [ 4660: 6256] A Connection succeeded.
    2021-11-18T10:33:15.156Z [ 4660: 6256] A Connected to my ip' at IP address 52.5.76.173 on port 8347
    2021-11-18T10:33:15.179Z [ 4660: 6260] A Inactive Interfaces changed.
    2021-11-18T10:33:15.179Z [ 4660: 6260] A Active Interfaces:

    2021-11-18T10:33:15.180Z [ 4660: 6256] A Sending network status
    2021-11-18T10:33:15.181Z [ 4660: 6256] A The network status has changed, the Firewall may disconnect.
    2021-11-18T10:33:15.274Z [ 4660: 6256] A Received request to enable enhanced application control
    2021-11-18T10:33:15.275Z [ 4660: 6256] A Sending login status.
    2021-11-18T10:33:15.276Z [ 4660: 6256] A User: myusername
    2021-11-18T10:33:21.029Z [ 4660: 6256] A Sending health status: {"admin":1,"health":1,"service":1,"threat":1}
    2021-11-18T10:34:09.449Z [ 4660: 6256] A Connection closed (network error).
    2021-11-18T10:34:31.534Z [ 4660: 6256] A Connection failed.
    2021-11-18T10:34:46.696Z [ 4660: 6256] A Connection succeeded.
    2021-11-18T10:34:46.698Z [ 4660: 6256] A Connected to 'my IP3' at IP address 52.5.76.173 on port 8347
    2021-11-18T10:34:46.725Z [ 4660: 6256] A Sending network status
    2021-11-18T10:34:46.726Z [ 4660: 6256] A The network status has changed, the Firewall may disconnect.
    2021-11-18T10:34:46.727Z [ 4660: 6256] A Connection closed (network error).
    2021-11-18T10:34:47.872Z [ 4660: 6256] A Connection succeeded.
    2021-11-18T10:34:47.874Z [ 4660: 6256] A Connected to 'myip' at IP address 52.5.76.173

    I get a few of these logs then this is the last entry:

    2021-11-18T10:35:09.093Z [ 4660: 6256] A Sending login status.
    2021-11-18T10:35:09.094Z [ 4660: 6256] A User: myusername
    2021-11-18T10:35:21.266Z [ 4660: 6256] A Sending health status: {"admin":1,"health":1,"service":1,"threat":1}
    2021-11-18T10:36:05.049Z [ 4660: 6256] A Received request to disable enhanced application control for C:\program files\google\chrome\application\chrome.exe
    2021-11-18T10:36:05.078Z [ 4660: 6256] A Received request to disable enhanced application control for C:\program files\google\chrome\application\chrome.exe
    2021-11-18T10:36:37.790Z [ 4660: 5452] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:36:37.791Z [ 4660: 5452] A Stopped Heartbeat
    2021-11-18T10:36:37.792Z [ 4660: 5452] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:36:39.629Z [ 1304: 5316] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:36:39.630Z [ 1304: 5316] A Starting Heartbeat version 1.15.781.0
    2021-11-18T10:36:39.630Z [ 1304: 5316] A ----------------------------------------------------------------------------------------------------
    2021-11-18T10:36:39.770Z [ 1304:13604] A Connection succeeded.
    2021-11-18T10:36:39.771Z [ 1304:13604] A Connected to 'mpip' at IP address 52.5.76.173 on port 8347
    2021-11-18T10:36:39.792Z [ 1304: 8680] A Inactive Interfaces changed.
    2021-11-18T10:36:39.793Z [ 1304: 8680] A Active Interfaces:

    2021-11-18T10:36:39.794Z [ 1304:13604] A Sending network status
    2021-11-18T10:36:39.795Z [ 1304:13604] A The network status has changed, the Firewall may disconnect.
    2021-11-18T10:36:39.926Z [ 1304:13604] A Received request to enable enhanced application control
    2021-11-18T10:36:39.928Z [ 1304:13604] A Sending login status.
    2021-11-18T10:36:39.929Z [ 1304:13604] A User:myusername
    2021-11-18T10:36:47.826Z [ 1304:13604] A Received request to disable enhanced application control for C:\program files\google\chrome\application\chrome.exe
    2021-11-18T10:36:47.853Z [ 1304:13604] A Received request to disable enhanced application control for C:\program files\google\chrome\application\chrome.exe
    2021-11-18T10:36:51.551Z [ 1304:13604] A Sending health status: {"admin":1,"health":1,"service":1,"threat":1}
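
    As an added example (not code from the thread or from Sophos), a small Python helper that parses client heartbeat log lines in the format quoted above, counts connection drops, records the endpoint and port the client reached, and flags any health field that is not 1. The sample lines are constructed, and the reading of the health JSON (1 meaning OK) is an assumption.

```python
import json
import re
from collections import Counter
# Constructed sample in the format of the Sophos Heartbeat client log quoted in the thread (placeholder values).
SAMPLE_LOG = """\
2021-11-18T10:33:15.154Z [ 4660: 6256] A Connection succeeded.
2021-11-18T10:33:15.156Z [ 4660: 6256] A Connected to 'myip' at IP address 52.5.76.173 on port 8347
2021-11-18T10:33:21.029Z [ 4660: 6256] A Sending health status: {"admin":1,"health":1,"service":1,"threat":1}
2021-11-18T10:34:09.449Z [ 4660: 6256] A Connection closed (network error).
2021-11-18T10:34:31.534Z [ 4660: 6256] A Connection failed.
2021-11-18T10:36:39.770Z [ 1304:13604] A Connection succeeded.
2021-11-18T10:36:39.771Z [ 1304:13604] A Connected to 'myip' at IP address 52.5.76.173 on port 8347
2021-11-18T10:36:51.551Z [ 1304:13604] A Sending health status: {"admin":1,"health":0,"service":1,"threat":1}
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+):\s*(?P<tid>\d+)\] A (?P<msg>.*)$")
CONNECTED_RE = re.compile(r"Connected to .*at IP address (?P<ip>[\d.]+)(?: on port (?P<port>\d+))?")
HEALTH_RE = re.compile(r"Sending health status: (?P<json>\{.*\})")

def parse_heartbeat_log(text):
    """Summarise connection churn, endpoints reached and the last reported health."""
    s = {"events": Counter(), "endpoints": set(), "last_health": None,
         "connected": False, "unhealthy": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # separator rows and the blank "Active Interfaces:" output
            continue
        msg = m.group("msg")
        if msg.startswith("Connection succeeded"):
            s["events"]["succeeded"] += 1
            s["connected"] = True
        elif msg.startswith(("Connection closed", "Connection failed", "Stopped Heartbeat")):
            s["events"][msg.split(" (")[0].rstrip(".")] += 1  # e.g. "Connection closed"
            s["connected"] = False
        elif (c := CONNECTED_RE.search(msg)):
            s["endpoints"].add((c.group("ip"), c.group("port")))
        elif (h := HEALTH_RE.search(msg)):
            s["last_health"] = json.loads(h.group("json"))
    if s["last_health"]:  # assumption: any field not reporting 1 is a reason for the XG to deny
        s["unhealthy"] = sorted(k for k, v in s["last_health"].items() if v != 1)
    return s

def findings(s):
    out = []
    if not s["connected"]:
        out.append("client is not connected to the heartbeat endpoint")
    if s["unhealthy"]:
        out.append("health fields not OK: " + ", ".join(s["unhealthy"]))
    if (drops := s["events"]["Connection closed"] + s["events"]["Connection failed"]):
        out.append(f"{drops} connection drops/failures: check the route to the HB IP (tracert)")
    return out
```

    Run it against a copy of the client's heartbeat log and compare the timestamps of the drops with what the XG shows in heartbeatd.log.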

  • this looks good - the machine is connected.

    2021-11-18T10:36:51.551Z [ 1304:13604] A Sending health status: {"admin":1,"health":1,"service":1,"threat":1}

    Does it arrive at XG?

    What is the XG showing in heartbeatd.log for that exact time for the IP 10.0.5.2 or 192.168.1.79? Check via CLI

    Also check the live log:

    what about the tracert mentioned above?

  • Right, not sure what has changed but I re-checked 'Block clients with no heartbeat' on my IPSec FW rules and it is now working fine.