Security Heartbeat not working

I'm running a fresh installation in a VMware environment. A Windows 8.1 and a Windows Server 2012R2 device are both behind the firewall. Both of these devices are running Sophos Central Endpoint\Server protection and heartbeat is active. The firewall is registered in the same Central account as the devices.

On the endpoint I'm getting the following in the heartbeat.log file:

2017-09-13T18:54:24.215Z [ 2756] INFO RequestSender::SendRequest Sending login request.
2017-09-13T18:54:24.215Z [ 2756] INFO RequestSender::SendRequest Sending network request. Active Interfaces: MAC: D4:BE:D9:11:40:97 - INET: 10.10.11.100 - INET6:
2017-09-13T18:54:24.215Z [ 2756] INFO RequestSender::SendRequest Sending status request. Current status is -> health: Good(1) service: Good(1) threat: Good(1)
2017-09-13T19:00:28.361Z [ 2756] INFO RetryCalculator::Notify Connection closed (network error).
2017-09-13T19:00:50.404Z [ 2756] INFO RetryCalculator::Notify Connection failed.
2017-09-13T19:00:50.404Z [ 2756] INFO RetryCalculator::Notify Connection re-establish delay value is now 15 seconds
2017-09-13T19:02:17.696Z [ 2756] INFO RetryCalculator::Notify Connection succeeded.
2017-09-13T19:02:17.696Z [ 2756] INFO RetryCalculator::Notify Connection re-establish delay value is now 1 seconds

Nothing is showing up in the heartbeat log on the firewall.

Security Heartbeat is working fine on all of my other XG devices.

Any ideas what might be causing this behavior with v17 Beta 1?

  • I'm also seeing the following in the heartbeatd.log file on the firewall:

    2017-09-15 13:30:45 ERROR CertificateHandler.cpp[4934]:88 updateFingerprints - SQL error: no such table: EP_Certificates

  • Also, it might be a different issue but I suspect it is connected--Synchronized Application Control is not discovering any Applications in use by the devices behind the firewall.

  • Hello manlius-ny,

    How old is your Sophos Central account? I had the same problem, and it was due to an expired internal Sophos Central account certificate.

    Another condition for the correct operation of Security Heartbeat and Synchronized Application Control is participation in Early Access Programs, specifically Intercept X New Features. Then Security Heartbeat and Synchronized Application work reliably. 

    Regards

    alda

  • Alda, thanks for the reply.  Other XG firewalls in the same central account register HB without issue.  The expired internal cert would affect all firewalls, so that likely isn't the issue.  I've got the Intercept X EAP active on the Windows 8.1 client behind this particular firewall.

     

    Keep these ideas coming--I'd like to get this solved.

  • Hello manlius-ny,

    OK, it's solved. Did you register your XG v17 firewall with the main Sophos Central account (with which your Sophos Central account was created) to your Sophos Central account, and do you see this XG Firewall in the Global Setting - Registered Firewall Appliances as Active?

    Sorry, there are several conditions that need to be met to make Security Heartbeat and Synchronized Application Control fully functional.

    Regards

    alda

     

    P.S. What version do you see in Sophos Central Client under About? You must have at least Core Agent 11.6.1 and Sophos Intercept X 3.7.0.

  • Hi manlius-ny,

     

    Try to remove the empty database: /conf/sysfiles/heartbeatd/certificate_store.db and wait some minutes for it to be synced again. After some time a new database should be created with all certificates in it so the endpoint can connect.

    If not, try to provide any heartbeat.logs on SFOS.

     

    Best Regards,

    redpfaf

  • Deleted the certificate_store.db and it was recreated automatically.  That didn't solve the problem.

    The heartbeatd.log from the firewall contains many lines similar to this:

    2017-09-15 15:44:35 INFO HBSessionHandler.cpp[4934]:89 removeDirtySessions - Number of sessions: 0
    2017-09-15 15:44:35 WARN HBSession.cpp[4934]:328 bufferDisconnectEvent - Incoming connection from 10.10.11.26 failed. SSL error: SSL routines:ssl3_get_client_certificate certificate verify failed

    Oh, it solves the issue with the database, as the table EP_Certificates was not there. :)

    Now the issue is that verification is failing. Can you check the ep_cert.crt validation date with openssl?

    openssl -noout -text -in ep_cert.crt -enddate to be sure that the cert is still valid, as this could be one of the problems.

    redpfaff

  • Sorry, it is openssl x509 -noout.... :)
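
Added example, not part of the thread and not Sophos code: a small triage script that separates the two heartbeatd.log failure signatures seen above (the missing EP_Certificates table and the per-client "certificate verify failed" rejections). The line layout is assumed from the excerpts quoted in the thread; the sample mixes those quoted lines with constructed ones, labelled in the code.

```python
import re
from collections import Counter

# Layout assumed from the heartbeatd.log excerpts quoted in the thread:
# "<date> <time> <LEVEL> <file>[<pid>]:<line> <function> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"(?P<src>\S+)\[(?P<pid>\d+)\]:(?P<line>\d+) (?P<func>\S+) - (?P<msg>.*)$"
)
TLS_FAIL_RE = re.compile(
    r"Incoming connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) failed\. "
    r"SSL error: .*certificate verify failed"
)
MISSING_TABLE_RE = re.compile(r"SQL error: no such table: (?P<table>\w+)")

def triage(lines):
    """Return (missing_tables, tls_failures_by_ip, unparsed_count)."""
    missing, tls_fail, unparsed = set(), Counter(), 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            unparsed += 1  # truncated or foreign line: count it, do not guess
            continue
        msg = m.group("msg")
        if (t := MISSING_TABLE_RE.search(msg)):
            missing.add(t.group("table"))  # certificate store schema problem
        elif (f := TLS_FAIL_RE.search(msg)):
            tls_fail[f.group("ip")] += 1   # client certificate rejected
    return missing, tls_fail, unparsed

# First three lines are quoted from the thread; the last three are constructed
# (a repeat, a second client IP, a truncated line) to exercise the parser.
SAMPLE = """\
2017-09-15 13:30:45 ERROR CertificateHandler.cpp[4934]:88 updateFingerprints - SQL error: no such table: EP_Certificates
2017-09-15 15:44:35 INFO HBSessionHandler.cpp[4934]:89 removeDirtySessions - Number of sessions: 0
2017-09-15 15:44:35 WARN HBSession.cpp[4934]:328 bufferDisconnectEvent - Incoming connection from 10.10.11.26 failed. SSL error: SSL routines:ssl3_get_client_certificate certificate verify failed
2017-09-15 15:44:50 WARN HBSession.cpp[4934]:328 bufferDisconnectEvent - Incoming connection from 10.10.11.26 failed. SSL error: SSL routines:ssl3_get_client_certificate certificate verify failed
2017-09-15 15:44:52 WARN HBSession.cpp[4934]:328 bufferDisconnectEvent - Incoming connection from 10.10.11.100 failed. SSL error: SSL routines:ssl3_get_client_certificate certificate verify failed
2017-09-15 15:45:01 WARN HBSession.cpp[4934]
"""

if __name__ == "__main__":
    tables, failures, bad = triage(SAMPLE.splitlines())
    print("missing tables:", sorted(tables))
    print("TLS verify failures by client:", dict(failures))
    print("unparsed lines:", bad)
```

A missing table points at the certificate store database, while verify failures that persist after the store is rebuilt point at the certificate itself, which is where the thread ends up.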