What does "Querying key pair failed" mean?

stevenxu89
Level 1

Guys,

I see 10000 messages in the logs from yesterday:

10.9.32.21

CRYPTO

CiscoFacility

QUERY_KEY

CiscoCode

ICMP Type

CRYPTO-3-QUERY_KEY

CiscoAlertCode

ACL Number

CRYPTO:QUERY_KEY

ABC.com

CiscoRouter

Oct 13 2009 16:32:30

3

CISCO

Oct 13 2009 16:32:30

Querying key pair failed.

It seems we have an ISAKMP policy mismatch? But the site-to-site VPN is active.

Does anyone have any idea about this?

Thanks in advance!

Here is some more information:

The syslog lines look like this:

sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.

On the 12th there were a small number of log lines like: (possibly not related)

sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer

There were also other log lines from that device in the last few days: (possibly not related)

$ grep ABC.com sentry*log sentry.log.0 | grep -v %CRYPTO-3-QUERY_KEY

sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX

sentry.log:Oct 14 11:18:51 ABC.com 6188903: Oct 14 11:18:51 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for

sentry.log:Oct 14 11:18:51 ABC.com 6188904: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x223E0D70(574492016), srcaddr=84.XX.XX.XX

.......

As of now there are this many log lines matching:

$ grep rtbrd2.wlca.descartes.com sentry*log sentry.log.0 | grep %CRYPTO-3-QUERY_KEY | wc -l

22225

$ date

Wed Oct 14 19:54:33 UTC 2009


Yudong Wu
Level 7

Here is what the error message decode says.

This error message means this:

%CRYPTO-3-QUERY_KEY : Querying key pair failed.

Explanation: An attempt to query the public key and private key using the subject name has failed.

Recommended Action: Check the subject name, and resubmit the enrollment request.

Thanks, kw2

I've also got the error message decode from the Cisco website. However, this message does not seem to answer the problem.

My IPSec VPNs are all site-to-site with preshared key, so there is no public key or private key. The strange thing is that the VPN still works well.

Thanks again

In that case, check "sh cry isa sa" to see if any remote end is trying to build a new tunnel.

A "debug crypto isa" might help as well.
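
An added example, not part of any post in this thread: a Python tally of syslog lines in the format quoted above. It counts %CRYPTO events per device and hour and lists the peer addresses carried by the IKMP_NO_SA and RECVD_PKT_INV_SPI lines, so a QUERY_KEY burst (which names no peer) can be lined up in time against tunnel activity. The sample lines are constructed from those quoted in the thread; the function and regex names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the grep output format shown in the thread:
# file:relay-time host seq: device-time UTC: %FACILITY-SEVERITY-MNEMONIC: text
SAMPLE = """\
sentry.log.0:Oct 14 06:33:33 ABC.com 6176168: Oct 14 06:33:32 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
sentry.log.0:Oct 14 06:33:34 ABC.com 6176169: Oct 14 06:33:33 UTC: %CRYPTO-3-QUERY_KEY: Querying key pair failed.
sentry.log.1.gz:Oct 12 13:31:19 ABC.com 6076104: Oct 12 13:31:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from 99.XX.XX.XX has no SA and is not an initialization offer
sentry.log:Oct 14 07:08:51 ABC.com 6177602: Oct 14 07:08:50 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for
sentry.log:Oct 14 07:08:51 ABC.com 6177603: ^Idestaddr=216.XX.XX.XX, prot=50, spi=0x54B6515C(1421234524), srcaddr=84.XX.XX.XX
"""

# Optional "file:" prefix added by grep, relay timestamp, host, sequence number.
HEAD = re.compile(r"^(?:[^:\s]+:)?\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<seq>\d+): (?P<rest>.*)$")
# Device timestamp followed by the %FACILITY-SEVERITY-MNEMONIC tag.
EVENT = re.compile(r"^(?P<day>\w{3} +\d+) (?P<hour>\d\d):\d\d:\d\d \w+: "
                   r"%(?P<fac>\w+)-(?P<sev>\d)-(?P<mn>\w+): (?P<text>.*)$")
# Remote address as it appears in the two peer-bearing messages.
PEER = re.compile(r"(?:IKE message from |srcaddr=)([^\s,]+)")

def summarize(lines):
    """Return (events per host/code/hour, peers per code) as Counters."""
    per_hour, peers = Counter(), Counter()
    last = None  # (host, code, seq) of the most recent tagged line
    for line in lines:
        head = HEAD.match(line)
        if not head:
            continue
        host, seq = head["host"], int(head["seq"])
        ev = EVENT.match(head["rest"])
        if ev:
            code = f"{ev['fac']}-{ev['sev']}-{ev['mn']}"
            per_hour[(host, code, f"{ev['day']} {ev['hour']}h")] += 1
            text = ev["text"]
        elif last and last[0] == host and seq == last[2] + 1:
            code, text = last[1], head["rest"]  # untagged continuation line
        else:
            continue
        last = (host, code, seq)
        peer = PEER.search(text)
        if peer:
            peers[(code, peer.group(1))] += 1
    return per_hour, peers

if __name__ == "__main__":
    hours, peer_counts = summarize(SAMPLE.splitlines())
    for key, n in sorted(hours.items()):
        print(n, *key)
    for key, n in sorted(peer_counts.items()):
        print(n, *key)
```
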
