Cloud services plugin v3.2+ is requiring OTP verification every 90 days when it shouldn't
Created On 07/21/23 01:36 AM - Last Modified 02/10/25 22:06 PM
Symptom
- Starting with version 3.2, the Cloud Services plugin for Panorama no longer requires OTP re-verification every 90 days, which was a requirement in older plugin versions
- An issue may occur where the plugin still prompts for OTP verification every 90 days
- To confirm this issue is being encountered, follow these steps:
- 1. Ensure the plugin is version 3.2 or greater:
Panorama> show system info
cloud_services: cloud_services-3.2.0-h7
- 2. Confirm Panorama is set to use device certificate for cloud services:
Panorama> show system state filter cfg.lcaas-use-thermite
cfg.lcaas-use-thermite: True
- 3. Confirm Panorama device certificate is valid and not expired:
Panorama> show device-certificate status
Current device certificate status: Valid
- 4. Check to see if there is an error stating the logging certificate is expired:
Panorama> show system state filter cfg.log-fwd-status
'msg': Logging service certificate expired
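The four checks above can also be run against CLI output saved from several Panoramas. The following is an added example, not Palo Alto Networks code: it assumes the output was captured as text in the format shown on this page, and the names `triage` and `plugin_version` are hypothetical.

```python
import re

# Constructed sample: transcript of the four checks, in the format shown on this page.
SAMPLE = """\
Panorama> show system info
cloud_services: cloud_services-3.2.0-h7
Panorama> show system state filter cfg.lcaas-use-thermite
cfg.lcaas-use-thermite: True
Panorama> show device-certificate status
Current device certificate status: Valid
Panorama> show system state filter cfg.log-fwd-status
'msg': Logging service certificate expired
"""

def plugin_version(text):
    """Return (major, minor) of the cloud_services plugin, or None if absent."""
    m = re.search(r"cloud_services:\s*cloud_services-(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(text):
    """Evaluate the four checks; 'matches' is True only if all four hold."""
    ver = plugin_version(text)
    checks = {
        # Tuple comparison keeps 3.10 newer than 3.2 (a string compare would not).
        "plugin_3_2_or_later": ver is not None and ver >= (3, 2),
        "uses_device_certificate": bool(
            re.search(r"cfg\.lcaas-use-thermite:\s*True\b", text)),
        "device_certificate_valid": bool(
            re.search(r"Current device certificate status:\s*Valid\b", text)),
        "logging_certificate_expired": bool(
            re.search(r"Logging service certificate expired", text)),
    }
    return {"checks": checks, "matches": all(checks.values())}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, ok in result["checks"].items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("matches this article:", result["matches"])
```

A result of `matches: True` means all four symptoms are present; any failed check points to a different cause than the one described here.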
Environment
- Panorama with Cloud Services plugin version 3.2+
Cause
- The outputs in the Symptom section show that Panorama should be using the device certificate for cloud services, but a pre-existing expired logging certificate has erroneously triggered the plugin to require re-verification
- This can occur if the plugin is upgraded to version 3.2 and a logging certificate from the older legacy plugin version is already present. When that certificate reaches expiration, it may trigger the plugin to require re-verification even though the certificate is no longer required, since it has been replaced by the device certificate
Resolution
- Delete the legacy logging service certificate from the plugin:
Panorama> request plugins cloud_services panorama-certificate delete
- Perform OTP re-verification by following the steps in "Verify Your Account Using the One-Time Password"