1) A common reason for TOTP authentication failure is that the SASE gateway to which the registration is directed does not have NTP enabled under time-settings. TOTP is time-sensitive, so enabling NTP is mandatory.

Refer to the documentation below for information on enabling NTP:

https://docs.versa-networks.com/Secure_SD-WAN/VOS_Network_and_System_Configuration/Configure_Time_Settings

Refer to the documentation below for information on enabling TOTP:

https://docs.versa-networks.com/Security_Service_Edge_(SSE)/Configuration_from_Director/Versa_SASE_Client/Configure_the_Versa_Secure_Access_Service#Enable_a_Time-Based_One-Time_Password

2) Sometimes, if the VSMD mechanism for keeping time has issues (bugs) and its clock differs from system time by more than the TOTP expiry window (3 minutes), OTP authentication may fail with the error "OTP expired".
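The failure mode in point 2, as an added example that is not Versa code: a standard RFC 6238 TOTP check with a 3-minute expiry window, evaluated against a verifier clock that has drifted. The 30-second step, the HMAC-SHA1 construction, the secret and all function names are assumptions for illustration; VSMD's own implementation is not shown on this page.

```python
import hashlib
import hmac
import struct

STEP = 30            # RFC 6238 default time step in seconds (assumption)
EXPIRY_WINDOW = 180  # the 3-minute expiry window described above

def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matched_age(secret: bytes, code: str, verifier_time: float,
                search: int = 900, step: int = STEP):
    """Seconds between the step that produced `code` and the verifier's
    current step (positive = code looks old), or None if nothing matches
    within +/- `search` seconds. Nearest steps are tried first."""
    now_step = int(verifier_time) // step
    span = search // step
    for delta in sorted(range(-span, span + 1), key=abs):
        candidate = totp(secret, (now_step - delta) * step, step)
        if hmac.compare_digest(candidate, code):
            return delta * step
    return None

def verify(secret: bytes, code: str, verifier_time: float,
           window: int = EXPIRY_WINDOW) -> str:
    """Classify a code as a verifier with a fixed expiry window would."""
    age = matched_age(secret, code, verifier_time)
    if age is None:
        return "invalid"
    if age > window:
        return "OTP expired"        # verifier clock ahead of the issuer
    if age < -window:
        return "OTP not yet valid"  # verifier clock behind the issuer
    return "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    issued_at = 1_700_000_000            # constructed issue time
    code = totp(secret, issued_at)
    for skew in (0, 60, 240, -240):      # verifier clock offset in seconds
        print(f"skew {skew:+5d}s -> {verify(secret, code, issued_at + skew)}")
```

The value returned by `matched_age` is the measured offset between the two clocks, rounded to the step size, which is the quantity to compare against the expiry window when diagnosing this failure.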

To check for this case, check the output of the following commands.

Note: The second command is a vsmd command; the vsmd prompt can be accessed using 'vsh connect vsmd' or 'telnet 0 9001' from the CPE shell.

Bug #102054 in the code is responsible for this deviation. It is fixed in 22.1, 22.1 as well as 21.2.3 releases from March 29 2024 onward.

As a workaround, the TOTP expiry can be increased using the 'vsmd' command as below: