10-15-2009 09:16 AM
Guys,
I see 10000 messages in the logs from yesterday:
10.9.32.21 | CRYPTO | CiscoFacility | QUERY_KEY | CiscoCode | ICMP Type | CRYPTO-3-QUERY_KEY | CiscoAlertCode | ACL Number | CRYPTO:QUERY_KEY | ABC.com | CiscoRouter | Oct 13 2009 16:32:30 | 3 | CISCO | Oct 13 2009 16:32:30 | Querying key pair failed.
It seems we have an ISAKMP policy mismatch? But the site-to-site VPN is active.
Does anyone have idea about this?
Thanks in advance!
Here is some more information:
The syslog lines look like this:
sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
On the 12th there were a small number of log lines like this (possibly not related):
sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer
There were also other log lines from that device in the last few days (possibly not related):
$ grep ABC.com sentry*log sentry.log.0 | grep -v %CRYPTO-3-QUERY_KEY
sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX
sentry.log:Oct 14 11:18:51 ABC.com 6188903: Oct 14 11:18:51 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
sentry.log:Oct 14 11:18:51 ABC.com 6188904: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x223E0D70(574492016), srcaddr=84.XX.XX.XX
.......
As of now there are this many log lines matching:
$ grep rtbrd2.wlca.descartes.com sentry*log sentry.log.0 | grep %CRYPTO-3-QUERY_KEY | wc -l
22225
$ Date
Wed Oct 14 19:54:33 UTC 2009
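The lines above follow the relayed IOS syslog layout (relay timestamp, hostname, sequence number, device timestamp, %FACILITY-SEVERITY-MNEMONIC, text), and the RECVD_PKT_INV_SPI message is split across two sequence numbers. The parser below is an added example, not code from the thread or from Cisco; its sample lines are constructed in that layout with placeholder addresses, and the continuation line carries a real tab where the post shows ^I.

```python
import re
from collections import Counter

# Constructed sample in the layout of the thread's excerpt (relay timestamp, hostname,
# sequence number, device timestamp, %FACILITY-SEVERITY-MNEMONIC, text). Addresses are
# placeholders; the continuation line carries a real tab where the post shows ^I.
SAMPLE_LOG = (
    "Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.\n"
    "Oct 14 06:33:34 ABC.com 6176169: Oct 14 06:33:33 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.\n"
    "Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: "
    "decaps: rec'd IPSEC packet has invalid spi for\n"
    "Oct 14 07:08:51 ABC.com 6177603: \tdestaddr=216.0.2.1, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.0.2.2\n"
    "Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.0.2.3 has no SA and is not an initialization offer\n"
)

HEADER_RE = re.compile(r"^(?P<relay_ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<seq>\d+): (?P<body>.*)$")
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

def parse_ios_syslog(text):
    """Parse relayed IOS syslog into records; an untagged line whose sequence number
    directly follows the previous record is merged into it as a continuation line."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an IOS line (e.g. a grep filename prefix was left in place)
        body, seq = m.group("body"), int(m.group("seq"))
        msg = MSG_RE.search(body)
        if msg:
            records.append({"host": m.group("host"), "seq": seq,
                            "facility": msg.group("facility"),
                            "severity": int(msg.group("severity")),
                            "mnemonic": msg.group("mnemonic"),
                            "text": msg.group("text"), "fields": {}})
        elif records and seq == records[-1]["seq"] + 1:
            records[-1]["text"] += " " + body.strip()
            records[-1]["fields"].update(KV_RE.findall(body))  # destaddr=, prot=, spi=, srcaddr=
    return records

def count_by_mnemonic(records):
    """Per-mnemonic counts, the figure the thread obtains with grep ... | wc -l."""
    return Counter(r["mnemonic"] for r in records)

def invalid_spi_peers(records):
    """Peers (srcaddr) whose ESP packets arrived with an SPI this device has no SA for."""
    return sorted({r["fields"]["srcaddr"] for r in records
                   if r["mnemonic"] == "RECVD_PKT_INV_SPI" and "srcaddr" in r["fields"]})
```

Feeding it the real sentry.log files (with the `sentry.log.N:` grep prefix removed) gives the per-message counts and the list of peers behind the invalid-SPI events in one pass.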
10-15-2009 01:18 PM
Here is what the error message decoder says.
This error message means this:
%CRYPTO-3-QUERY_KEY: Querying key pair failed.
Explanation: An attempt to query the public key and private key using the subject name has failed.
Recommended Action: Check the subject name, and resubmit the enrollment request.
10-16-2009 05:28 AM
Thanks, kw2
I've also got the error message decode from the Cisco website. However, this message doesn't seem to answer the problem.
My IPsec VPNs are all site-to-site with pre-shared keys, so there is no public key or private key. The strange thing is that the VPNs still work well.
Thanks again
10-16-2009 09:22 AM
In that case, check "sh cry isa sa" to see if any remote end is trying to build a new tunnel.
A "debug crypto isa" might help as well.