
Strange issue with Security Heartbeat

Hello,

we have noticed a strange issue with Security Heartbeat. Devices often only gain access to the network several minutes after booting. The Heartbeat.log on the endpoint says that the connection initially failed. The heartbeatd.log on the firewall does not contain any recent entries.

Heartbeat.log

2023-02-23T09:36:02.846Z [17344: 8016] A Connection failed.
2023-02-23T09:40:54.412Z [17344: 8016] A Connection succeeded.
2023-02-23T09:40:54.413Z [17344: 8016] A Connected to '81d5633d-0d85-4824-98e4-858c87c7a273' at IP address 52.5.76.173 on port 8347
2023-02-23T09:40:54.413Z [17344: 8016] A Sending network status
2023-02-23T09:40:54.413Z [17344: 8016] A The network status has changed, the Firewall may disconnect.
2023-02-23T09:40:54.415Z [17344: 8016] A Received request to enable enhanced application control
2023-02-23T09:40:54.415Z [17344: 8016] A Sending endpoint state list request
2023-02-23T09:40:54.416Z [17344: 8016] A Sending login status.
2023-02-23T09:40:54.416Z [17344: 8016] A User: USERNAME
2023-02-23T09:40:54.416Z [17344: 8016] A Sending health status: admin=1 health=1 service=1 threat=1 threatService=1
2023-02-23T09:40:54.417Z [17344: 8016] A Received response to endpoint state list request, size: 1
2023-02-23T09:42:00.950Z [17344: 8016] A Received request to disable enhanced application control for C:\program files (x86)\microsoft\edge\application\msedge.exe

heartbeatd.log (there are no newer entries)

[2021-11-30 15:00:20.057] INFO HBSession.cpp[6743]:502 logNewSession - New Session: [172.16.12.74]:8387 connected
[2021-11-30 15:00:20.103] INFO EndpointStorage.cpp[6743]:114 endpoint_connectivity_cb - Connectivity changed for <c25ece7d-a04e-4005-820c-b1a12624518e>: <5> -> <1>
[2021-11-30 15:00:20.103] INFO ModuleSacFirst.cpp[6743]:95 sendEacMessage - send EacSwitchRequest to endpoint (IP=172.16.12.74)
[2021-11-30 15:00:20.106] INFO EpStateListBroker.cpp[6743]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: c25ece7d-a04e-4005-820c-b1a12624518e(172.16.12.74)
[2021-11-30 15:00:23.823] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:00:29.925] INFO ModuleStatus.cpp[6743]:138 processMessageStatus - Status request received from endpoint: c25ece7d-a04e-4005-820c-b1a12624518e (172.16.12.74) health: 1
[2021-11-30 15:01:00.359] INFO SacProcessor.cpp[6743]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <c25ece7d-a04e-4005-820c-b1a12624518e>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
[2021-11-30 15:01:24.061] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:01:27.699] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:07:22.260] INFO GarnerEventReader.cpp[6743]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
[2021-11-30 15:09:04.494] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:13:16.599] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:13:44.482] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:15:17.622] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:15:24.041] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:16:27.738] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:21:25.037] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:26:04.897] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:28:16.624] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:30:17.652] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:30:24.252] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:31:27.788] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:33:45.548] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:38:25.333] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:43:16.648] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:45:17.685] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:45:24.498] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:46:06.073] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:46:27.828] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:50:45.751] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:52:23.285] INFO GarnerEventReader.cpp[6743]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
[2021-11-30 15:58:16.722] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 15:58:26.637] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:00:17.719] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:00:24.741] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:01:27.860] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:03:06.144] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:10:22.523] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:10:47.203] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:13:16.701] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:15:17.752] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:15:24.960] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:15:26.535] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:16:27.904] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:18:41.526] INFO SacProcessor.cpp[6743]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <e97fa787-de12-4693-86dc-6fdbf77e051c>, Application path :C:\134program files (x86)\134microsoft\134edgeupdate\134microsoftedgeupdate.exe
[2021-11-30 16:20:54.552] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:23:07.807] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:25:42.408] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:27:46.955] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:28:16.725] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:29:45.841] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:30:17.778] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:30:25.179] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:31:27.940] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:32:08.488] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:34:20.903] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:35:28.345] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:37:25.183] INFO GarnerEventReader.cpp[6743]:129 acceptConnectionHandler - Garner plugin connected. Ready to receive garner events.
[2021-11-30 16:40:07.373] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:41:06.825] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:43:16.741] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:45:17.808] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:45:25.411] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:46:27.977] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:47:48.809] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:52:27.788] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 16:58:16.761] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:00:06.391] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:00:09.333] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:00:17.846] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:00:25.617] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:00:44.444] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System
[2021-11-30 17:01:14.856] INFO EndpointStorage.cpp[6743]:114 endpoint_connectivity_cb - Connectivity changed for <56a453ce-bbef-4fab-b721-d8435c1ef48b>: <1> -> <3>
[2021-11-30 17:01:44.448] INFO EndpointStorage.cpp[6743]:114 endpoint_connectivity_cb - Connectivity changed for <c25ece7d-a04e-4005-820c-b1a12624518e>: <1> -> <3>
[2021-11-30 17:04:48.263] WARN Path.cpp[6743]:68 getExecutableFilename - Parsing executable filename failed. Falling back to full path: System

How to fix this problem?

Best regards

Gerhard



  • And recently, we're also having issues with clients that cannot connect, either because of missing user authentication passed to the firewall or because the heartbeat is not updated on the firewall. They sometimes sit there 15 minutes and cannot work. Sometimes it works after a while or several reboots.

    Example: Lenovo Yoga 9 machine connected to a Thunderbolt docking station. Dock is on LAN.

    User cannot work due to missing heartbeat.

    Guess to which device this MAC belongs:

    [2023-05-19 12:11:09.484Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:11:46.713Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:11:47.761Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:11:49.761Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:11:53.746Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:12:01.747Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:12:17.845Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:12:18.857Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:03.285Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:04.233Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:04.345Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:05.285Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:06.249Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:07.257Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:10.361Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown
    [2023-05-19 12:13:11.237Z] WARN GarnerEventHandler.cpp[9271]:45 update - mac address 04:7b:cb:7f:3e:cb is unknown

    client hb log

    2023-05-19T12:13:06.215Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:06.215Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:06.215Z [ 5388: 6460] A Connection closed (network error).
    2023-05-19T12:13:07.285Z [ 5388: 6460] A Connection succeeded.
    2023-05-19T12:13:07.285Z [ 5388: 6460] A Connected to 'ed98a5bf-ede8-4fbd-xxxx-xxxxxxxxxxxxxxxxx' at IP address 52.5.76.173 on port 8347
    2023-05-19T12:13:07.285Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:07.285Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:07.286Z [ 5388: 6460] A Connection closed (network error).
    2023-05-19T12:13:08.356Z [ 5388: 6460] A Connection succeeded.
    2023-05-19T12:13:08.356Z [ 5388: 6460] A Connected to 'ed98a5bf-ede8-4fbd-xxxx-xxxxxxxxxxxxxxxxx' at IP address 52.5.76.173 on port 8347
    2023-05-19T12:13:08.356Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:08.356Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:08.357Z [ 5388: 6460] A Connection closed (network error).
    2023-05-19T12:13:09.416Z [ 5388: 6460] A Connection succeeded.
    2023-05-19T12:13:09.417Z [ 5388: 6460] A Connected to 'ed98a5bf-ede8-4fbd-xxxx-xxxxxxxxxxxxxxxxx' at IP address 52.5.76.173 on port 8347
    2023-05-19T12:13:09.417Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:09.417Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:09.418Z [ 5388: 6460] A Connection closed (network error).
    2023-05-19T12:13:10.476Z [ 5388: 6460] A Connection succeeded.
    2023-05-19T12:13:10.476Z [ 5388: 6460] A Connected to 'ed98a5bf-ede8-4fbd-xxxx-xxxxxxxxxxxxxxxxx' at IP address 52.5.76.173 on port 8347
    2023-05-19T12:13:10.476Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:10.476Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:10.521Z [ 5388: 6460] A Sending endpoint state list request
    2023-05-19T12:13:10.521Z [ 5388: 6460] A Sending login status.
    2023-05-19T12:13:10.521Z [ 5388: 6460] A User: removedByLherzog
    2023-05-19T12:13:10.521Z [ 5388: 6460] A Sending health status: admin=1 health=1 service=1 threat=1 threatService=1
    2023-05-19T12:13:19.695Z [ 5388: 6460] A Sending network status
    2023-05-19T12:13:19.695Z [ 5388: 6460] A The network status has changed, the Firewall may disconnect.
    2023-05-19T12:13:19.696Z [ 5388: 6460] A Connection closed (network error).
    2023-05-19T12:13:20.773Z [ 5388: 6460] A Connection succeeded.
    2023-05-19T12:13:20.773Z [ 5388: 6460] A Connected to 'ed98a5bf-ede8-4fbd-xxxx-xxxxxxxxxxxxxxxxx' at IP address 52.5.76.173 o

  • What I don't understand - based on your logs - why does the network status always change? Are you using a notebook with a docking station?


  • I don't know why this is logged within seconds. Yes, wrote that. Thunderbolt dock with LAN. The Yoga itself only has WiFi.

    This is a log snip from the firewall before it succeeds to establish HB:

    [2023-05-19 12:12:49.388Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:50.444Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:51.491Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:52.551Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:53.640Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:54.697Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:55.748Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:56.789Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:57.825Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:58.864Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:12:59.901Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:00.936Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:01.971Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:03.043Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:04.070Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:05.145Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:06.216Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:07.286Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:08.357Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:09.418Z] WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from endpoint rejected, because the endpoint ID already exists: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b
    [2023-05-19 12:13:09.424Z] WARN ModuleMessageHub.cpp[9271]:45 cleanupMsgTimerExpired - unanswered request with id 183611 from endpoint with uuid ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b timed out
    [2023-05-19 12:13:09.941Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <1> -> <3>
    [2023-05-19 12:13:10.477Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <3> -> <2>
    [2023-05-19 12:13:10.478Z] INFO EndpointStorage.cpp[9271]:151 endpoint_maclist_cb - Mac list gets replaced for uuid <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>
    [2023-05-19 12:13:10.523Z] INFO ModuleStatus.cpp[9271]:137 processMessageStatus - Status request received from endpoint: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b (172.16.xxx.xxx) health: 1
    [2023-05-19 12:13:19.697Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <2> -> <5>
    [2023-05-19 12:13:20.774Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <5> -> <1>
    [2023-05-19 12:13:20.774Z] INFO EndpointStorage.cpp[9271]:151 endpoint_maclist_cb - Mac list gets replaced for uuid <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>
    [2023-05-19 12:13:20.775Z] INFO EpStateListBroker.cpp[9271]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b(172.16.xxx.xxx)
    [2023-05-19 12:13:20.775Z] INFO ModuleStatus.cpp[9271]:137 processMessageStatus - Status request received from endpoint: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b (172.16.xxx.xxx) health: 1
    [2023-05-19 12:13:21.125Z] WARN GarnerEventHandler.cpp[9271]:55 update - got missing heartbeat notification from garner for endpoint ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b which is not in lost state
    [2023-05-19 12:13:30.574Z] INFO SacProcessor.cpp[9271]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>, Application path :C:\134program files\134mozilla firefox\134firefox.exe
    [2023-05-19 12:13:40.384Z] INFO SacProcessor.cpp[9271]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    [2023-05-19 12:13:40.384Z] INFO SacProcessor.cpp[9271]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>, Application path :C:\134program files (x86)\134microsoft\134edge\134application\134msedge.exe
    [2023-05-19 12:13:49.712Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <1> -> <5>
    [2023-05-19 12:13:50.737Z] INFO EndpointStorage.cpp[9271]:119 endpoint_connectivity_cb - Connectivity changed for <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>: <5> -> <1>
    [2023-05-19 12:13:50.737Z] INFO EndpointStorage.cpp[9271]:151 endpoint_maclist_cb - Mac list gets replaced for uuid <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>
    [2023-05-19 12:13:50.787Z] INFO EpStateListBroker.cpp[9271]:56 markEndpointForUpdates - Endpoint marked for receiving Stonewall updates: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b(172.16.xxx.xxx)
    [2023-05-19 12:13:50.788Z] INFO ModuleStatus.cpp[9271]:137 processMessageStatus - Status request received from endpoint: ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b (172.16.xxx.xxx) health: 1
    [2023-05-19 12:15:14.170Z] INFO SacProcessor.cpp[9271]:64 discardApp - Sent switchOffConnectionInfo request to endpoint: <ca529385-4049-xxxx-xxxxxxxxxxxxxxx5b>, Application path :C:\134program files\134mozilla firefox\134firefox.exe
    

  • I am pretty sure you do not have to check the firewall in this scenario. More interesting is the endpoint.

    Check the Sophos Endpoint logs and maybe expand the search into Microsoft Windows event logs. At this time, something is happening. 


  • We have so much support with Heartbeat currently, I suggest Sophos changes the design of the default block page.
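
An added example (not part of the thread and not Sophos code): a Python parser for the two log formats quoted above that measures how long an endpoint went without a heartbeat session, groups back-to-back reconnect cycles into bursts, and checks which client-side closes coincide with firewall-side `findPinnedEndpointIdentity` rejections. The sample lines are constructed from the timestamps posted in the thread, the endpoint ID is a placeholder, and it assumes both logs are in UTC with synchronised clocks.

```python
import re
from datetime import datetime, timedelta

# Constructed samples: timestamps and messages follow the logs quoted in the thread.
BOOT_LOG = """\
2023-02-23T09:36:02.846Z [17344: 8016] A Connection failed.
2023-02-23T09:40:54.412Z [17344: 8016] A Connection succeeded.
"""
FLAP_LOG = """\
2023-05-19T12:13:06.215Z [ 5388: 6460] A Connection closed (network error).
2023-05-19T12:13:07.285Z [ 5388: 6460] A Connection succeeded.
2023-05-19T12:13:07.286Z [ 5388: 6460] A Connection closed (network error).
2023-05-19T12:13:08.356Z [ 5388: 6460] A Connection succeeded.
2023-05-19T12:13:08.357Z [ 5388: 6460] A Connection closed (network error).
2023-05-19T12:13:09.416Z [ 5388: 6460] A Connection succeeded.
2023-05-19T12:13:09.418Z [ 5388: 6460] A Connection closed (network error).
2023-05-19T12:13:10.476Z [ 5388: 6460] A Connection succeeded.
2023-05-19T12:13:19.696Z [ 5388: 6460] A Connection closed (network error).
2023-05-19T12:13:20.773Z [ 5388: 6460] A Connection succeeded.
"""
# Endpoint ID is a placeholder; the thread only shows a redacted value.
REJECT = ("WARN HBSessionHandler.cpp[9271]:140 findPinnedEndpointIdentity - session from "
          "endpoint rejected, because the endpoint ID already exists: ENDPOINT-ID-PLACEHOLDER")
FIREWALL_LOG = "\n".join(f"[2023-05-19 {t}Z] {REJECT}" for t in
                         ("12:13:06.216", "12:13:07.286", "12:13:08.357", "12:13:09.418"))

CLIENT_RE = re.compile(r"^(\S+)Z \[\s*\d+:\s*\d+\] \w (.*)$")
FW_RE = re.compile(r"^\[([\d-]+ [\d:.]+)Z?\] (\w+) [\w.]+\[\d+\]:\d+ (\w+) - (.*)$")

def parse_client(text):
    """Return [(timestamp, message)] from endpoint Heartbeat.log lines."""
    out = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f"), m.group(2)))
    return out

def parse_firewall(text):
    """Return [(timestamp, level, function, message)] from heartbeatd.log lines."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3), m.group(4)))
    return out

def outages(events):
    """Pair each failed/closed connection with the next success: [(start, downtime)]."""
    result, down_since = [], None
    for ts, msg in events:
        if msg.startswith(("Connection failed", "Connection closed")):
            if down_since is None:
                down_since = ts
        elif msg.startswith("Connection succeeded") and down_since is not None:
            result.append((down_since, ts - down_since))
            down_since = None
    return result

def reconnect_bursts(events, window=timedelta(seconds=5), min_cycles=3):
    """Group reconnect cycles that follow each other within `window`:
    [(first_close, last_success, cycles)]."""
    bursts, current = [], []
    for start, downtime in outages(events) + [(datetime.max, timedelta(0))]:  # sentinel
        if current and start - (current[-1][0] + current[-1][1]) > window:
            if len(current) >= min_cycles:
                bursts.append((current[0][0], current[-1][0] + current[-1][1], len(current)))
            current = []
        current.append((start, downtime))
    return bursts

def rejected_closes(events, fw_events, tolerance=timedelta(milliseconds=50)):
    """Client-side closes with a firewall session rejection within `tolerance`."""
    rejects = [ts for ts, _lvl, func, msg in fw_events
               if func == "findPinnedEndpointIdentity" and "endpoint ID already exists" in msg]
    closes = [ts for ts, msg in events if msg.startswith("Connection closed")]
    return [c for c in closes if any(abs(c - r) <= tolerance for r in rejects)]

if __name__ == "__main__":
    print("boot delay:", outages(parse_client(BOOT_LOG))[0][1])
    flap = parse_client(FLAP_LOG)
    print("bursts:", reconnect_bursts(flap))
    print("closes matching a rejection:", len(rejected_closes(flap, parse_firewall(FIREWALL_LOG))))
```

On the sample data, the four closes between 12:13:06 and 12:13:09 each have a firewall rejection within a few milliseconds, while the close at 12:13:19 does not.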