1) A common reason for TOTP authentication failure is that the SASE gateway towards which the registration is directed does not have NTP enabled under time-settings. TOTP is time-sensitive, so enabling NTP is mandatory.
Refer to the documentation below for information on enabling NTP.
Refer to the documentation below for information on enabling TOTP.
2) Sometimes, if the VSMD clock-keeping mechanism has issues (bugs) and its time differs from the system time by more than the TOTP expiry window (3 minutes), OTP authentication may fail with the error "OTP expired".
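The following added example (not Versa code) shows why clock deviation beyond the expiry window produces "OTP expired", and why widening the window masks it. It assumes standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and a hypothetical verifier that treats the expiry window as a tolerance around its own clock; the function names and the sample secret and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30            # seconds per TOTP time step (RFC 6238 default; assumed here)
EXPIRY_WINDOW = 180  # the 3-minute expiry window mentioned in the article


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, otp: str, verifier_time: int,
           window: int = EXPIRY_WINDOW) -> bool:
    """Hypothetical verifier: accept the OTP if it matches any time step
    within `window` seconds of the verifier's own (possibly wrong) clock."""
    steps = window // STEP
    return any(
        hmac.compare_digest(totp(secret, verifier_time + k * STEP), otp)
        for k in range(-steps, steps + 1)
    )


def simulate(skew_seconds: int, window: int = EXPIRY_WINDOW) -> str:
    """Client generates an OTP at the true time; the verifier's clock
    deviates from the true time by skew_seconds."""
    secret = b"12345678901234567890"  # RFC 6238 test secret (constructed input)
    true_time = 1_700_000_000         # constructed sample timestamp
    otp = totp(secret, true_time)
    ok = verify(secret, otp, true_time + skew_seconds, window)
    return "accepted" if ok else "OTP expired"


if __name__ == "__main__":
    for skew in (0, 120, -120, 240, -240):
        print(f"verifier clock skew {skew:+5d}s -> {simulate(skew)}")
    # A wider expiry window tolerates the same deviation without fixing the clock.
    print(f"skew +240s, window 600s -> {simulate(240, window=600)}")
```

Widening the window accepts older codes as well, so it is a stopgap until the clock deviation itself is corrected.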
To check for this case, check the output of the following commands.
Note: The second command is a vsmd command; the vsmd prompt can be accessed using 'vsh connect vsmd' or 'telnet 0 9001' from the CPE shell.
Bug #102054 in the code is responsible for this deviation. It is fixed in 22.1, 22.1 as well as 21.2.3 March 29 2024 onward releases.
As a workaround, the TOTP expiry can be increased using the 'vsmd' command as below: