Terri, What code is R4 running?
Regards, Brandon Carroll - CCIE #23837 Senior Technical Instructor - IPexpert Mailto: [email protected] Telephone: +1.810.326.1444 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com On Mar 31, 2010, at 4:54 PM, Terry Little (terlittl) wrote: > I am trying to get the ezvpn with pki to work and when I try an test from the > test pci, I am able to get the vpn client enrolled and had no trouble getting > the router enrolled. The problem starts when I try to connect to the router > with the vpn client. I am getting the following error in the logs on the > router: > > Mar 31 18:17:02.583: ISAKMP (1007): process_rsa_sig: Querying key pair > failed. > > Any advice on this would be appreciated. > > The whole section is: > > Mar 31 18:17:00.931: ISAKMP:(0):atts are acceptable. Next payload is 3 > Mar 31 18:17:00.931: ISAKMP:(0):Acceptable atts:actual life: 86400 > Mar 31 18:17:00.931: ISAKMP:(0):Acceptable atts:life: 0 > Mar 31 18:17:00.931: ISAKMP:(0):Fill atts in sa vpi_length:4 > Mar 31 18:17:00.931: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483 > Mar 31 18:17:00.931: ISAKMP:(0):Returning Actual lifetime: 86400 > Mar 31 18:17:00.931: ISAKMP:(0)::Started lifetime timer: 86400. > > Mar 31 18:17:00.931: ISAKMP:(0): vendor ID is NAT-T v2 > Mar 31 18:17:00.931: ISAKMP:(0):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_MAIN_MODE > Mar 31 18:17:00.931: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1 > > Mar 31 18:17:00.935: ISAKMP:(0): constructed NAT-T vendor-02 ID > Mar 31 18:17:00.935: ISAKMP:(0): sending packet to 8.9.2.200 my_port 500 > peer_port 1113 (R) MM_SA_SETUP > Mar 31 18:17:00.935: ISAKMP:(0):Sending an IKE IPv4 Packet. > Mar 31 18:17:00.935: ISAKMP:(0):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_COMPLETE > Mar 31 18:17:00.935: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2 > > Mar 31 18:17:01.027: ISAKMP (0): received packet from 8.9.2.200 dport 500 > sport 1113 Global (R) MM_SA_SETUP > Mar 31 18:17:01.027: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Mar 31 18:17:01.027: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3 > > Mar 31 18:17:01.367: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_MAIN_MODE > Mar 31 18:17:01.367: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM5 > > Mar 31 18:17:01.367: ISAKMP (1007): incrementing error counter on sa, attempt > 1 of 5: reset_retransmission > Mar 31 18:17:01.367: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_ERROR > Mar 31 18:17:01.367: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM4 > > Mar 31 18:17:02.367: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:02.367: ISAKMP (1007): incrementing error counter on sa, attempt > 2 of 5: retransmit phase 1 > Mar 31 18:17:02.567: ISAKMP (1007): received packet from 8.9.2.200 dport 500 > sport 1113 Global (R) MM_KEY_EXCH > Mar 31 18:17:02.571: ISAKMP:(1007):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Mar 31 18:17:02.571: ISAKMP:(1007):Old State = IKE_R_MM4 New State = > IKE_R_MM5 > > Mar 31 18:17:02.571: ISAKMP:(1007): processing CERT payload. message ID = 0 > Mar 31 18:17:02.571: ISAKMP:(1007): processing a CT_X509_SIGNATURE cert > Mar 31 18:17:02.571: ISAKMP:(1007): peer's pubkey isn't cached > Mar 31 18:17:02.579: ISAKMP:(1007): OU = CCIE > Mar 31 18:17:02.579: ISAKMP:(1007):Profile has no keyring, aborting key search > Mar 31 18:17:02.583: ISAKMP (1007): process_rsa_sig: Querying key pair > failed. > Mar 31 18:17:02.583: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_MAIN_MODE > Mar 31 18:17:02.583: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM5 > > Mar 31 18:17:02.587: ISAKMP (1007): incrementing error counter on sa, attempt > 1 of 5: reset_retransmission > Mar 31 18:17:02.587: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_ERROR > Mar 31 18:17:02.587: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM4 > > Mar 31 18:17:03.587: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:03.587: ISAKMP (1007): incrementing error counter on sa, attempt > 2 of 5: retransmit phase 1 > Mar 31 18:17:03.587: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH > Mar 31 18:17:03.587: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 > peer_port 1113 (R) MM_KEY_EXCH > Mar 31 18:17:03.587: ISAKMP:(1007):Sending an IKE IPv4 Packet. > Mar 31 18:17:03.787: ISAKMP (1007): received packet from 8.9.2.200 dport 500 > sport 1113 Global (R) MM_KEY_EXCH > Mar 31 18:17:03.791: ISAKMP:(1007):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH > Mar 31 18:17:03.803: ISAKMP (1007): process_rsa_sig: Querying key pair > failed. > Mar 31 18:17:03.803: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_MAIN_MODE > Mar 31 18:17:03.803: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM5 > > Mar 31 18:17:03.807: ISAKMP (1007): incrementing error counter on sa, attempt > 1 of 5: reset_retransmission > Mar 31 18:17:03.807: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_ERROR > Mar 31 18:17:03.807: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM4 > > Mar 31 18:17:05.023: ISAKMP (1007): process_rsa_sig: Querying key pair > failed. > Mar 31 18:17:05.023: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_MAIN_MODE > Mar 31 18:17:05.023: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM5 > > Mar 31 18:17:05.023: ISAKMP (1007): incrementing error counter on sa, attempt > 1 of 5: reset_retransmission > Mar 31 18:17:05.027: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, > IKE_PROCESS_ERROR > Mar 31 18:17:05.027: ISAKMP:(1007):Old State = IKE_R_MM5 New State = > IKE_R_MM4 > > Mar 31 18:17:06.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:06.091: ISAKMP: Info Notify message requeue retry counter > exceeded sa request from 8.9.2.200 to 8.9.50.4. > Mar 31 18:17:16.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:16.023: ISAKMP (1007): incrementing error counter on sa, attempt > 3 of 5: retransmit phase 1 > Mar 31 18:17:16.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH > Mar 31 18:17:16.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 > peer_port 1113 (R) MM_KEY_EXCH > Mar 31 18:17:16.023: ISAKMP:(1007):Sending an IKE IPv4 Packet. > Mar 31 18:17:26.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:26.023: ISAKMP (1007): incrementing error counter on sa, attempt > 4 of 5: retransmit phase 1 > Mar 31 18:17:26.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH > Mar 31 18:17:26.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 > peer_port 1113 (R) MM_KEY_EXCH > Mar 31 18:17:26.023: ISAKMP:(1007):Sending an IKE IPv4 Packet. > Mar 31 18:17:36.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:36.023: ISAKMP (1007): incrementing error counter on sa, attempt > 5 of 5: retransmit phase 1 > Mar 31 18:17:36.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH > Mar 31 18:17:36.023: ISAKMP:(1007): sending packet to 8.9.2.200 my_port 500 > peer_port 1113 (R) MM_KEY_EXCH > Mar 31 18:17:36.023: ISAKMP:(1007):Sending an IKE IPv4 Packet. > R4(config)# > R4(config)# > Mar 31 18:17:46.023: ISAKMP:(1007): retransmitting phase 1 MM_KEY_EXCH... > Mar 31 18:17:46.023: ISAKMP:(1007):peer does not do paranoid keepalives. > > Mar 31 18:17:46.023: ISAKMP:(1007):deleting SA reason "Death by > retransmission P1" state (R) MM_KEY_EXCH (peer 8.9.2.200) > Mar 31 18:17:46.023: ISAKMP:(1007):deleting SA reason "Death by > retransmission P1" state (R) MM_KEY_EXCH (peer 8.9.2.200) > Mar 31 18:17:46.023: ISAKMP: Unlocking peer struct 0x4AC141F8 for > isadb_mark_sa_deleted(), count 0 > Mar 31 18:17:46.023: ISAKMP: Deleting peer node by peer_reap for 8.9.2.200: > 4AC141F8 > Mar 31 18:17:46.023: ISAKMP:(1007):deleting node -1145014546 error FALSE > reason "IKE deleted" > R4(config)# > Mar 31 18:17:46.023: ISAKMP:(1007):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL > Mar 31 18:17:46.023: ISAKMP:(1007):Old State = IKE_R_MM4 New State = > IKE_DEST_SA > > Mar 31 18:17:46.027: IPSEC(key_engine): got a queue event with 1 KMI > message(s) > R4(config)# > Mar 31 18:18:36.023: ISAKMP:(1007):purging node -1145014546 > R4(config)# > Mar 31 18:18:46.023: ISAKMP:(1007):purging SA., sa=498BDBF0, delme=498BDBF0 > > Terry Little > [email protected] > Phone: +1 425 468 1057 > Mobile: +1 425 894 4109 > > Cisco Systems, Inc. > Network Consulting Engineer > World Wide Security Services Practice > Cisco.com - http://www.cisco.com > > This email may contain confidential and privileged material for the sole use > of the intended recipient. Any review, use, distribution or disclosure by > others is strictly prohibited. If you are not the intended recipient (or > authorized to receive for the recipient), please contact the sender by reply > email and delete all copies of this message. > > For corporate legal information go to: > http://www.cisco.com/web/about/doing_business/legal/cri/index.html > > _______________________________________________ > For more information regarding industry leading CCIE Lab training, please > visit www.ipexpert.com
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
