This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 keeps emailing me about being out of licenses

I don't know how long this has been going on since my email server stopped sending me emails from my appliance but once I fixed it, I get emails saying the following.

This email was sent by your Sophos UTM software to notify
you that you have exceeded 110% of the user count for your license!

Licensed Users/IPs: 50
Counted  Users/IPs: 272

All additional users/ips except the ones listed below will be blocked.
A 10% tolerance has already been deducted.

Please contact your Sophos Partner or Sophos to upgrade your license.

-------------------

here is the deal. I only have around 5 IP's/devices on the subnet it's complaining about but the attached report shows tons if IP's on that subnet.

that subnet has a single AP hanging off of it with only 5-6 wireless devices on it (google homes, an alexa and 3 android phones). I've changed the SSID and also had my kids phones reset. I was thinking it may be a virus but at this point, I'm not sure what's going on.

I also don't see any activity from those IP's and they are not pingable.

Any idea on how to see what's going on?

what logs can I find these in? I haven't found any evidence in logs yet. I'd like to find the MAC address or something. Nothing in DHCP or DNS.

If I reboot the appliance, the count goes away but it just comes back after a few hours.

Please... if someone can lead me in the right direction, that would be great. 

I've read and followed the Rulz already a few times...

Ed



This thread was automatically locked due to age.
Parents
  • Ed, my guess is that you have something that's running a scan of your subnet - disable that scan and you should be fine.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, is there a way to tell the source or MAC from the UTM9 logs? If so, which log should I start with? I don't have any intentional scans running so if it is a scan, I need to find it.

     

    It's also not all IP's Kind of random and scattered and out of order. I've also sorted them and it isn't all IP's. My fear is that it's a virus or something. Getting the MAC that is causing this would help.

     

    Here is an example:

    192.168.1.100
    192.168.1.103
    192.168.1.127
    192.168.1.133
    192.168.1.138
    192.168.1.145
    192.168.1.155
    192.168.1.157
    192.168.1.163
    192.168.1.166
    192.168.1.169
    192.168.1.170
    192.168.1.171
    192.168.1.174
    192.168.1.175
    192.168.1.178

    Ed

  • I don't know of any log to look at, but you can "listen" for ARP requests with the following (assuming eth0 is your LAN):

    tcpdump -n -i eth0 |grep 'who-has'

    That will show you both the requested IP and the requestor.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I don't know of any log to look at, but you can "listen" for ARP requests with the following (assuming eth0 is your LAN):

    tcpdump -n -i eth0 |grep 'who-has'

    That will show you both the requested IP and the requestor.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data