• Upgraded RSA Manager 8.8P1 to 8.8P2.
• RSA does not push out the 2fa requests to our phones and immediately reject PIN number.
• vCenter RSA 2fa authentication fails

vCenter 8.x

The vCenter RSA agent MessageKey is controlled by a timer. After upgrading the RSA manager, the vCenter STS service has to be restarted to clear the invalid MessageKey if trying to authenticate before the timer expires to get a new MessageKey.

Restart vCenter services:

vcsa# service-control --stop --all; service-control --start --all

Or specifically the STS service: 

vcsa# /usr/lib/vmware-vmon/vmon-cli --restart sts

Contact RSA support for further assistance, see vCenter RSA ready Implementation Guide.