What does "Querying key pair failed" mean?

Unanswered Question
Oct 15th, 2009
User Badges:


I see 10000 messages in the logs from yesterday:








ACL Number




Oct 13 2009 16:32:30



Oct 13 2009 16:32:30

Querying key pair failed.

It seems we have an isakmp policy mismatch? But the side-to-side vpn is active.

Does anyone have idea about this?

Thanks in advance!

Here is some more information:

The syslog lines look like this:

sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.

On the 12th ther were a small number of log lines like: (possibly not related)

sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer

There were also other loglines from that device in te last few days: (possibly not related)

$ grep ABC.com sentry*log sentry.log.0 | grep -v %CRYPTO-3-QUERY_KEY

sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX

sentry.log:Oct 14 11:18:51 ABC.com 6188903: Oct 14 11:18:51 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 11:18:51 ABC.com 6188904: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x223E0D70(574492016), srcaddr=84.XX.XX.XX


As of now there are this many log lines matching:

$ grep rtbrd2.wlca.descartes.com sentry*log sentry.log.0 | grep %CRYPTO-3-QUERY_KEY | wc -l


$ Date

Wed Oct 14 19:54:33 UTC 2009

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Yudong Wu Thu, 10/15/2009 - 13:18
User Badges:
  • Gold, 750 points or more

Here is what error message decode says

This error message means this:

%CRYPTO-3-QUERY_KEY : Querying key pair failed.

Explanation An attempt to query the public key and private key using

the subject name has failed.

Recommended Action Check the subject name, and resubmit the enrollment


stevenxu89 Fri, 10/16/2009 - 05:28
User Badges:

Thanks, kw2

I've also got the error message decode from Cisco Website. However, this message seems not answer the problem.

My IPSec vpns are all site-to-site with preshared key, so there is no public key or private key. The strange thing is that the vpn still work well.

Thanks again

Yudong Wu Fri, 10/16/2009 - 09:22
User Badges:
  • Gold, 750 points or more

in that case, check "sh cry isa sa" to see if there is any remote end is trying to build a new tunnel?

A "debug crypto isa" might be help as well.


This Discussion