
"License usage: EXCEEDING 110% OF USER COUNT on Sophos UTM"

I'm really confused. I just received this email stating I have like 192 devices on my network... when I don't? DHCP on my 2012 R2 server shows like 20 IPs were handed out, and most of the time they are not even on. The message in the email says

"This email was sent by your Sophos UTM software to notify
you that you have exceeded 110% of the user count for your license!

Licensed Users/IPs: 50
Counted  Users/IPs: 192

All additional users/ips except the ones listed below will be blocked.
A 10% tolerance has already been deducted."

 

Can someone explain this to me? Because DHCP most definitely hasn't handed out that many IPs nor do I have that many users.



This thread was automatically locked due to age.
  • Look at Management / Licensing / Active IPs.

    Here you should see the used IPs from the last 7 days.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I looked in there and it's showing Host IPs that do not even exist on my network.

  • Hi,

    Did someone do a network scan using the wrong IP range? That will run up your licence count. In fact, an IP scan will run up your licence count.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I did run an IP scan  with AngryIP on my LAN a day or so ago. I had a feeling that might have been the cause, but I don't know enough about networking and how the UTM works to say that was for sure the cause. 

  • Basically, the UTM counts every IP address that it sees, and that is what a scan is: an attempt to locate an address somewhere.


  • Sean, if you don't mind losing your logs, graphs and reporting data, you can reload from a new ISO and restore a configuration backup.

    IMPORTANT: You can restore a 9.408 backup to a 9.409 system, but you cannot restore 9.409 to 9.408.  Be sure you have the right backups and ISO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have seen this when scanning a local subnet from a Windows 10 PC.  Ping requests to non-responsive IP addresses on the same segment appear to get routed to the gateway IP address, which causes the UTM to see traffic to non-existent devices.  Never seen any other OS behave that way.

  • Steve, if you have a suggestion for them, I'm sure they'll be glad to hear it.

    In this case, what's happening is not at the IP level, it's at Layer 2.  The scanning PC sees that the IP to scan is in its local subnet, so it has its NIC send out an ARP request "Who has 172.22.1.17?"  That goes to every device in the Ethernet segment, including the UTM.  This is what is counted.

    Pings to IPs outside of the scanner's subnet go to the PC's default gateway - the Internal interface of the UTM.  Those are not counted.

    Cheers - Bob

     
  • The only suggestion I have would be to not scan a local subnet from Windows 10 when you have a UTM with a Home Use license, as it will inflate the user count.

    I know how Layer 2 is supposed to work, but that's not what I've seen with Windows 10.  Pings to a non-existent IP address return the following:

    Pinging 192.168.0.4 with 32 bytes of data:
    Reply from 192.168.0.8: Destination host unreachable.   <==my PC
    Reply from 192.168.0.1: Destination host unreachable.   <==my UTM

    And there is a corresponding entry in the firewall log:

    <30>2017:02:08-16:17:57 utm ulogd[30402]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="4" initf="eth0" outitf="eth0" srcmac="xx:e8" dstmac="xx:ba" srcip="192.168.0.8" dstip="192.168.0.4" proto="1" length="60" tos="0x00" prec="0x00" ttl="127" type="8" code="0"

    I believe Windows 10 may have a 'feature' that makes it try to route local traffic if the destination is non-responsive.  I originally thought it was something fishy in my network causing this behavior, as I have never been able to find any other mention, but now I wonder.

    Thanks.    -Steve
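The firewall log entry quoted in the post above has the same inbound and outbound interface and a destination on the sender's own subnet. As an added example (not code from the thread or from Sophos), the following Python groups such entries by source to show which host's scan traffic reached which local addresses through the UTM; the sample lines, the `lan` range and the `threshold` value are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Template in the key="value" packetfilter format of the log line quoted above.
_LINE = ('<30>2017:02:08-16:17:57 utm ulogd[30402]: id="2002" severity="info" '
         'sub="packetfilter" name="Packet accepted" action="accept" fwrule="4" '
         'initf="eth0" outitf="{out}" srcip="{src}" dstip="{dst}" proto="1"')

# Constructed sample data (not from the thread): (outitf, srcip, dstip).
SAMPLE_LOG = [_LINE.format(out=o, src=s, dst=d) for o, s, d in [
    ("eth0", "192.168.0.8", "192.168.0.4"),
    ("eth0", "192.168.0.8", "192.168.0.5"),
    ("eth0", "192.168.0.8", "192.168.0.7"),
    ("eth0", "192.168.0.8", "192.168.0.4"),    # repeat, counted once
    ("eth1", "192.168.0.9", "203.0.113.10"),   # normal routed traffic
    ("eth0", "192.168.0.9", "192.168.0.4"),    # single stray packet
]] + ["truncated line without fields"]

_KV = re.compile(r'(\w+)="([^"]*)"')


def hairpinned_scans(lines, lan="192.168.0.0/24", threshold=3):
    """Map each source IP to the distinct same-LAN destinations it reached
    through the firewall (same in and out interface), keeping only sources
    that touched at least `threshold` such destinations."""
    net = ipaddress.ip_network(lan)
    seen = defaultdict(set)
    for line in lines:
        f = dict(_KV.findall(line))
        if f.get("sub") != "packetfilter" or f.get("initf") != f.get("outitf"):
            continue
        try:
            src = ipaddress.ip_address(f["srcip"])
            dst = ipaddress.ip_address(f["dstip"])
        except (KeyError, ValueError):
            continue  # skip lines missing or mangling the address fields
        if src in net and dst in net:
            seen[str(src)].add(dst)
    return {s: [str(d) for d in sorted(dsts)]
            for s, dsts in seen.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, dsts in hairpinned_scans(SAMPLE_LOG).items():
        print(f"{src} reached {len(dsts)} local addresses via the UTM: {dsts}")
```

The destinations it lists can be compared against the unexpected entries under Management / Licensing / Active IPs.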

  • ARP Proxy on internal interface is disabled, but I get the same result with Windows 10. Strange. Or is this another "feature" of 9.410-6? (Update: NO: It's Win10)

     

    Edit: Windows 10 is sending the ping request for 192.168.0.7 to the MAC address of the Sophos. Win7 doesn't do that if there is no ARP response.