Licenses do not automatically release after a device becomes inactive (Some kind of device prioritization feature would be even more handy.)

blswjames

The other day, I started receiving calls from employees of a company saying that they were getting a license error when trying to connect to their Kerio VPN. Turns out that they had exceeded the number of devices allowed for their user level. This struck me as odd, however, since they have 35 actual users but are licensed for 50. Therefore, they should be able to have up to 250 devices sharing the internet connection. Actual devices are somewhere around 100, not counting personal smartphones or tablets. Regardless, a license issue is the LAST thing I ever expected to see, and not allowing legitimate users to connect as a result is unsettling and from an end-user perspective tends to paint a fat streak of ugly all over what is otherwise a remarkably beautiful product.

I opened the "Active Hosts" screen, which showed that they had 251 active hosts. Turns out that most of these were actually expired/outdated connections that were still listed and counting against the available licenses. Furthermore, they still showed as having IP addresses that were phased out several months ago, so apparently Kerio Control is not doing a very good job of automatically purging inactive hosts as expected. In order to resolve the issue so that remote employees could again access their network, I had to restart the firewall mid-day. (There doesn't seem to be any way to clear them out individually so as not to affect all users.)

Since the company has already purchased licenses beyond the technical capacity of their business, asking them to buy more licenses does not seem appropriate. Rather, I opine that if Kerio Control must use a per-user license model, then perhaps it should provide some mechanism in which to prioritize devices so as to prevent employees, customers and other visitors who regularly bring in personal laptops, smartphones, tablets or other devices from inadvertently disrupting core network operations.

Does anyone know of any way to resolve this without having to shut down, restart, or force log out all users? Is there something I can do to fix automatic purging of active licenses? In lieu of a prioritization feature, is there another way to block certain hosts in such a manner as to prevent them from using services that consume a license in the first place? Do DNS or DHCP clients count towards the device limits? Or is it just outbound internet devices?

Thanks!

silars

That's not entirely accurate. 50 users <= 250 IPs, not 50 users = 250 IPs. You get 5 IPs per user as defined by the configuration. Also, I understand the licensing to allow you to exceed 5 per user, but an entire other user account is consumed (1 user using 6 IPs = 2 users consumed and 10 IPs).

From the sounds of their network design, they need more users. More details would be required to be completely accurate.

Did you check the logs to verify counts?
blswjames

They should have more than plenty of user licenses. After rebooting the box, the bogus clients dropped off the list and the problem went away. I shared the issue because I think it might potentially point to a bug in the software, especially if the expected behavior is that devices fall off the list after so many hours/days of inactivity.

The total number of supposedly active IPs creeps up until it eventually just refuses new connections. Devices that may have only connected for less than 5 minutes back in November (i.e. Vendor's iPhone) were still counting against the concurrent total in March, etc. By restarting the appliance, Kerio Control purges all of the active connections and then only truly active devices are counted. At any given time, their network should only ever have about 120 - 150 active devices max. With a 50 user license, that should allow for up to 250 networked devices. They don't even have that many network ports! So you can understand why I was quite surprised when it started denying connections all of a sudden.

I now just have them reboot the Kerio appliance once a month to ensure that they don't experience the negative side effects of "IP creep" ever again. So I'm not actively seeking a resolution, rather, I'm just doing my part to help improve the product. :)

Thanks!