Querying key pair failed

stevenxu89
Level 1

Guys,

I see 10000 messages in the logs from yesterday:

10.9.32.21

CRYPTO

CiscoFacility

QUERY_KEY

CiscoCode

ICMP Type

CRYPTO-3-QUERY_KEY

CiscoAlertCode

ACL Number

CRYPTO:QUERY_KEY

ABC.com

CiscoRouter

Oct 13 2009 16:32:30

3

CISCO

Oct 13 2009 16:32:30

Querying key pair failed.

It seems we have an isakmp policy mismatch? But the side-to-side vpn is active.

Does anyone have any idea about this?

Thanks in advance!

1 Reply

stevenxu89
Level 1

Hi Guys,

Here is some more information:

The syslog lines look like this:

sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.

On the 12th there were a small number of log lines like: (possibly not related)

sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer

There were also other log lines from that device in the last few days: (possibly not related)

$ grep ABC.com sentry*log sentry.log.0 | grep -v %CRYPTO-3-QUERY_KEY

sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX

sentry.log:Oct 14 11:18:51 ABC.com 6188903: Oct 14 11:18:51 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 11:18:51 ABC.com 6188904: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x223E0D70(574492016), srcaddr=84.XX.XX.XX

.......

As of now there are this many log lines matching:

$ grep rtbrd2.wlca.descartes.com sentry*log sentry.log.0 | grep %CRYPTO-3-QUERY_KEY | wc -l

22225

$ date

Wed Oct 14 19:54:33 UTC 2009
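
Added example, not part of the original posts: a shell function that counts IOS message tags per host and day from syslog lines in the layout quoted above, so the start and rate of the %CRYPTO-3-QUERY_KEY flood can be compared with the other CRYPTO messages from the same device. The function names and the sample lines (built from those quoted in the thread, with constructed sequence numbers) are assumptions.

```shell
#!/bin/sh
# Added example: per-host, per-day counts of Cisco IOS syslog message tags.
# Input: syslog lines in the layout quoted in the thread, with or without
# the "file:" prefix that grep adds when it searches several files.

cisco_tag_counts() {
    awk '
    {
        # IOS message tag has the form %FACILITY-SEVERITY-MNEMONIC:
        if (!match($0, /%[A-Z0-9_]+-[0-7]-[A-Z0-9_]+:/)) {
            skipped++    # continuation line such as "destaddr=...", no tag
            next
        }
        tag = substr($0, RSTART + 1, RLENGTH - 2)   # strip "%" and ":"
        month = $1
        sub(/^.*:/, "", month)                      # drop grep file prefix
        count[$4 " " month " " $2 " " tag]++        # host, month, day, tag
    }
    END {
        for (k in count) print count[k], k
        if (skipped)
            print skipped " untagged continuation line(s) skipped" > "/dev/stderr"
    }' | sort -k1,1nr -k2
}

# Constructed sample in the thread's log layout (sequence numbers invented).
sample_lines() {
    cat <<'EOF'
sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
sentry.log.0:Oct 14 06:33:34 ABC.com 6176169: Oct 14 06:33:33 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
sentry.log.0:Oct 13 16:32:30 ABC.com 6100001: Oct 13 16:32:30 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer
sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX
EOF
}

# Output columns: count host month day tag, highest count first.
sample_lines | cisco_tag_counts
```

On real files, feed it the same grep used above without the `-v` filter, for example `grep ABC.com sentry*log sentry.log.0 | cisco_tag_counts`.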