Client heartbeats from an Agentless session can be difficult to locate in a packet capture. There are two options, both of which require a packet capture taken from the PPS. The first option is to make an informed guess as to which packets are which, or you can decrypt the packet capture and identify the heartbeats that way. Option 1: Best Guess
Look for TLSv1.2 Application Data packets that originate from the client machine and are destined for the PPS.You can modify this WireShark filter for this purpose.
ip.addr==(client IP) && ip.addr==(PPS IP) && tls.record.version == 0x0303Then you want to find multiple packets that are the same size.
In my capture it was only the packets with a length of 67 that originated from the client. These are likely the heartbeats, so I added "frame.len==67 " to my filter and it gave me a list of all the user browser heartbeats. With this information you can begin to determine if the problem is the browser sending heartbeats reliably, the network dropping them, or the PPS not reading them.