%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

Unanswered Question
Nov 18th, 2008

I am having trouble authenticating both peers with CA certificates.

The error message I get is:

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:

Explanation: A public key or private key query attempt that used a subject name has failed.

Recommended Action: Check the subject name in the certificate.

I am not sure how to troubleshoot it then. On both routers I have subject names as the names of the RSA public key.

Thanks for all your suggestions.


vmoopeung Wed, 11/26/2008 - 12:11

This error message also occurs if the ISAKMP policy is not defined.

remi-reszka Wed, 11/26/2008 - 12:50

Well, that's a good point, but both peers have a correct ISAKMP policy defined using rsa-sig authentication, which is the default.

I am not sure if the CA must always be available to the peers even when they authenticate each other. At the moment the CA is not available; it was only available at the time of enrolling and authenticating certificates.



