IPv6 admin login constantly returns to "You cannot login unless logout another user first."

[jorhett]

I've been seeing a problem for a couple of years now where every 30 seconds or so I get tossed to the screen that says

> You cannot login unless logout another user first.

Since I'm always the only one logged in, I hit Back and continue on my business. Since I don't login often, and not for long, I've been putting up with this. It's been going on since at least the shift to 386 and continued with 387 and also with 388. So tonight I started debugging it.

I followed advice here and used these commands to clear all the values prior to logging in before a set of tests:

> nvram unset login_ip_str
> nvram unset login_timestamp
> nvram unset login_ip

Tests have confirmed that it doesn't matter if I use the dns name or the IP address, it only matters which protocol is being used. If I change the DNS name to only return an A record, or go directly to the IPv4 address, this problem disappears. If I go to the IPv6 address, or go to the exact same DNS name (after clearing dns cache of course) that returns an AAAA record then exactly 30 seconds after login I get redirected to the "logout another user" page.

Before anyone says "only use IPv4" -- that's not plausible for me. I work on dual stack services all day. IP traffic entering/leaving my house has been over 50% for a decade, and it's nearing 98% these days. In fact, I only have IPv4 on one local segment and I want to leave disable that and leave it on only for Guest network... and you can't login to admin from a Guest network.

 

[L&LD]

What router are you using? What specific firmware? Which router had 387.xx level firmware?

Have you tried a different browser? Have you disabled all extensions? Have you tried logging in, with 'InPrivate' mode (or the closest match to the browser you're using)?

What features and options do you have enabled on your router? What scripts?

As Asus is using primarily an IPv4 base for its internal workings, the easiest is to use the IPv4 address of the router and, as you state, the problem disappears.

I don't see too much of an (Asus/RMerlin) issue here. If there is a method that works, use that. If another way works unreliably, don't use that.

This isn't a Windows-based system that has multiple ways of doing the same thing.

 

[jorhett]

What router are you using? What specific firmware? Which router had 387.xx level firmware?

Sorry, I meant 386.7.2 not 387. It's been happening a while. I saw it on both my older RT-AC86U and I also see it on my RT-AX86U with 388.1 right now.

Have you tried a different browser? Have you disabled all extensions? Have you tried logging in, with 'InPrivate' mode (or the closest match to the browser you're using)?

It has nothing to do with the browser: same problem on Firefox, Chrome, Safari, across Linux, Mac, Windows, etc. It doesn't matter if I'm using incognito or not. Please stop thrashing around for the problem when I've already done the work and identified the issue for you. You can replicate it yourself.

What features and options do you have enabled on your router? What scripts?

Doesn't matter. I replicated on a fresh install with no configuration, stock IP

If there is a method that works, use that. If another way works unreliably, don't use that.

I can't use a 1984-created, over-two-decade deprecated protocol when I don't run it on my network.

 

[L&LD]

Glad you're so prepared, except for using the process that actually works.

You mentioned none of those things in your original post, hence my questions to verify.

If you're so dead set against IPv4 shortcuts, then you should probably be looking at another router that has fully baked IPv6 support then.

Most likely, almost all consumer routers are well past your expectations (and have been for a long time now).

 

[thiggins]

Glad you're so prepared, except for using the process that actually works.

@L&LD Please skip the snark

 

[L&LD]

@thiggins, thanks for keeping me on the straight and narrow.

Wishing you and your family all the best. Merry Christmas and a Wonderful New Year to all!

 

[dave14305]

Your best course of action is to reproduce the problem on stock firmware and then report it directly to Asus. I doubt Merlin will spend any time on this.

I used to run into it a lot and opted to just use the IPv4 address.

 

[jorhett]

I used to run into it a lot and opted to just use the IPv4 address.

How do you issue a valid cert for an IPv4 address? I know of no way to make dnsmasq return the internal IP address when the browser queries for the FQDN.

IPv6 address is the same inside and out, FQDN always returns a working address == valid TLS cert works

 

[guetech]

How do you issue a valid cert for an IPv4 address? I know of no way to make dnsmasq return the internal IP address when the browser queries for the FQDN.

IPv6 address is the same inside and out, FQDN always returns a working address == valid TLS cert works

Your best bet is to use a hostname (DDNS or otherwise). I used to regenerate the SSL cert when my WAN IP changed but it introduces a lot of quirks to use certs mapped to IPs. Let's encrypt + a custom DDNS works much better.

I'm having the same issue with IPv6 and I wish Merlin would add a "force logout" button so we at least didn't have to SSH (or wait several minutes) to get back into the router.

This would solve more than the ipv6 issue. (IE I want to login remotely to make a quick change, but if I accidentally left the system log page open on my desktop at home, so I can't. I'm effectively locked out unless I SSH from my phone and remember the magic nvram commands). Though I understand his reasons.

 

[Ceejus]

Did you ever figure this out? I'm running into the exact same issue after enabling IPv6. Would hate to have to disable it altogether just because of a dumb router login bug.

 

[dave14305]

Did you ever figure this out? I'm running into the exact same issue after enabling IPv6. Would hate to have to disable it altogether just because of a dumb router login bug.

I only login via the IPv4 address URL http://192.168.1.1/

 

[Ceejus]

I only login via the IPv4 address URL http://192.168.1.1/

I'd prefer to keep using my DDNS address. What's somewhat odd to me is that I'm restricting access to only specific IPv4 addresses. I'm surprised it could/would even be able to use IPv6. I guess I don't know enough about dual stack to understand why this is happening.

 

[Crimliar]

This is one of those moments where I'm left scratching my head, as I've not seen the IPv6 issue as described.
*SSL certificates authenticate against the domain name, not the IP so that the same cert can be used for both IPv4 & IPv6*
So I'm set up that IPv6 WAN FQDNs, IPv6 LAN FQDNs, IPv4 LAN FQDNs, and single IPv4 WAN FQDN for the router (only) use the identical host.domain format and the router certificate is valid no matter how it's accessed (been doing IPv4 part of this for years).
The only time I'd see the message about another user already being logged in would be when a change had taken place leading to the IPv6 of the device accessing the router changing.

 

[Ceejus]

This is one of those moments where I'm left scratching my head, as I've not seen the IPv6 issue as described.
*SSL certificates authenticate against the domain name, not the IP so that the same cert can be used for both IPv4 & IPv6*
So I'm set up that IPv6 WAN FQDNs, IPv6 LAN FQDNs, IPv4 LAN FQDNs, and single IPv4 WAN FQDN for the router (only) use the identical host.domain format and the router certificate is valid no matter how it's accessed (been doing IPv4 part of this for years).
The only time I'd see the message about another user already being logged in would be when a change had taken place leading to the IPv6 of the device accessing the router changing.

It is definitely bizarre behavior. It has to be a bug. Like OP, I'll randomly be kicked out of my session with a message stating that my IPv6 address needs to be logged out before I can access the router and I'll be prompted to once again enter my login. Unlike OP, I'm using stock firmware on a GT-BE98 Pro. I guess I could report the issue to Asus but I already know what I'm gonna get going through that avenue: "reset to factory".

 

[sfx2000]

It is definitely bizarre behavior. It has to be a bug.

TBH - not a firmware bug - it's all of the current Web Browsers - Chrome/Safari/Firefox - when logging into the Router via a TLDN/PseudoTLDN, they're doing extra validations up and down the stack...

It's annoying perhaps - but generally if one goes in to the route via the IPv4 address, not the hostname/domain you won't see this.

This is common - not just asus, but others...

 

[Ceejus]

TBH - not a firmware bug - it's all of the current Web Browsers - Chrome/Safari/Firefox - when logging into the Router via a TLDN/PseudoTLDN, they're doing extra validations up and down the stack...

It's annoying perhaps - but generally if one goes in to the route via the IPv4 address, not the hostname/domain you won't see this.

This is common - not just asus, but others...

Thanks for confirming. Without knowing that, it would have all the makings of a bug. I guess I will be turning IPv6 off afterall. The annoyance of this situation outweighs the pros of using it.

 

[sfx2000]

Thanks for confirming. Without knowing that, it would have all the makings of a bug. I guess I will be turning IPv6 off afterall. The annoyance of this situation outweighs the pros of using it.

You don't need to disable IPv6, just access the router via it's local IPv4 address...

 

[Ceejus]

You don't need to disable IPv6, just access the router via it's local IPv4 address...

Meh. I thought about it but for some reason it really irritates me that browsers mistakenly suggest that my https connection isn't secure when doing that (yes, I know it still is but still). If I felt there was a real benefit to leaving IPv6 on, I suppose I would, but I really don't see what the need is. The only reason I ever turned it on was out of curiosity to see if my ISP even had it available and then I went down a little rabbit hole learning more about it. Unfortunately, the world of IPv6 is a few rungs above my CCNA-level knowledge on the topic.

 

[sfx2000]

Unfortunately, the world of IPv6 is a few rungs above my CCNA-level knowledge on the topic.

Understood - there are some good tutorials on IPv6 on the interwebs, and with your CCNA experience, might be easier for you to grasp if/when you decide to look into it.

We're getting off topic though... and IPv6 discussions can turn into a real rat hole