
"License usage: EXCEEDING 110% OF USER COUNT on Sophos UTM"

I'm really confused. I just received this email stating I have like 192 devices on my network... when I don't? DHCP on my 2012 R2 server shows like 20 IPs were handed out and most of the time they are not even on. The message in the email says:

"This email was sent by your Sophos UTM software to notify
you that you have exceeded 110% of the user count for your license!

Licensed Users/IPs: 50
Counted  Users/IPs: 192

All additional users/ips except the ones listed below will be blocked.
A 10% tolerance has already been deducted."

 

Can someone explain this to me? Because DHCP most definitely hasn't handed out that many IPs nor do I have that many users.



  • I have seen this when scanning a local subnet from a Windows 10 PC.  Ping requests to non-responsive IP addresses on the same segment appear to get routed to the gateway IP address, which causes the UTM to see traffic to non-existent devices.  Never seen any other OS behave that way.

  • Steve, if you have a suggestion for them, I'm sure they'll be glad to hear it.

    In this case, what's happening is not at the IP level, it's at Layer 2.  The scanning PC sees that the IP to scan is in its local subnet, so it has its NIC send out an ARP request "Who has 172.22.1.17?"  That goes to every device in the Ethernet segment, including the UTM.  This is what is counted.

    Pings to IPs outside of the scanner's subnet go to the PC's default gateway - the Internal interface of the UTM.  Those are not counted.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The only suggestion I have would be to not scan a local subnet from Windows 10 when you have a UTM with a Home Use license, as it will inflate the user count.

    I know how Layer 2 is supposed to work, but that's not what I've seen with Windows 10.  Pings to a non-existent IP address return the following:

    Pinging 192.168.0.4 with 32 bytes of data:
    Reply from 192.168.0.8: Destination host unreachable.   <==my PC
    Reply from 192.168.0.1: Destination host unreachable.   <==my UTM

    And there is a corresponding entry in the firewall log:

    <30>2017:02:08-16:17:57 utm ulogd[30402]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="4" initf="eth0" outitf="eth0" srcmac="xx:e8" dstmac="xx:ba" srcip="192.168.0.8" dstip="192.168.0.4" proto="1" length="60" tos="0x00" prec="0x00" ttl="127" type="8" code="0"

    I believe Windows 10 may have a 'feature' that makes it try to route local traffic if the destination is non-responsive.  I originally thought it was something fishy in my network causing this behavior, as I have never been able to find any other mention, but now I wonder.

    Thanks.    -Steve

  • ARP Proxy on internal interface is disabled, but I get the same result with Windows 10. Strange. Or is this another "feature" of 9.410-6 (Update: NO: It's Win10)

     

    Edit: Windows 10 is sending the ping request for 192.168.0.7 to the MAC address of the Sophos. Win7 doesn't do that if there is no ARP response.
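
An added example, not part of the original thread and not Sophos code: a short Python script for finding which LAN host is generating the kind of firewall entry quoted above, where a packet between two addresses in the same subnet enters and leaves the UTM on the same interface. The /24 subnet, the threshold of three destinations and the sample lines are assumptions constructed from the log line in the thread; the script does not reproduce how the UTM counts licensed IPs.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the internal LAN is 192.168.0.0/24, as in the addresses quoted in the thread.
LAN = ipaddress.ip_network("192.168.0.0/24")
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_fields(line):
    """Return the key="value" pairs of one packetfilter log line as a dict."""
    return dict(FIELD.findall(line))

def hairpinned_destinations(lines, lan=LAN):
    """Map each LAN source to the LAN destinations it reached through the
    firewall with identical inbound and outbound interfaces."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_fields(line)
        if f.get("sub") != "packetfilter" or "initf" not in f:
            continue  # not a packetfilter entry, or a truncated line
        if f["initf"] != f.get("outitf"):
            continue  # ordinary forwarding between two interfaces
        try:
            src = ipaddress.ip_address(f["srcip"])
            dst = ipaddress.ip_address(f["dstip"])
        except (KeyError, ValueError):
            continue  # missing or malformed address
        if src in lan and dst in lan:
            seen[str(src)].add(str(dst))
    return dict(seen)

def suspects(lines, min_destinations=3):
    """Sources that hairpinned to at least min_destinations distinct LAN IPs."""
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in hairpinned_destinations(lines).items()
            if len(dsts) >= min_destinations}

# Constructed sample lines modelled on the entry quoted in the thread.
TEMPLATE = ('<30>2017:02:08-16:17:57 utm ulogd[30402]: id="2002" sub="packetfilter" '
            'name="Packet accepted" action="accept" initf="{i}" outitf="{o}" '
            'srcip="{s}" dstip="{d}" proto="1" type="8" code="0"')
ROWS = [("eth0", "eth0", "192.168.0.8", "192.168.0.4"),
        ("eth0", "eth0", "192.168.0.8", "192.168.0.5"),
        ("eth0", "eth0", "192.168.0.8", "192.168.0.7"),
        ("eth0", "eth0", "192.168.0.8", "192.168.0.4"),   # repeat, counted once
        ("eth0", "eth1", "192.168.0.9", "8.8.8.8"),       # normal outbound traffic
        ("eth0", "eth0", "192.168.0.10", "192.168.0.4")]  # single stray packet
SAMPLE = [TEMPLATE.format(i=i, o=o, s=s, d=d) for i, o, s, d in ROWS] + ["truncated line"]

if __name__ == "__main__":
    print(suspects(SAMPLE))
```

A host that appears in the result with a long list of otherwise unused addresses is the likely scanner; compare that list against the addresses named in the license notification.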