
%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

remi-reszka
Level 1

I am having trouble authenticating both peers with CA certificates.

The error message I get is:

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:

Explanation: A public key or private key query attempt that used a subject name has failed.

Recommended Action: Check the subject name in the certificate.

I am not sure how to troubleshoot it then. On both routers I have subject names as the names of the RSA public key.

Thanks for all your suggestions.

Remi


vmoopeung
Level 5

This error message also occurs if an ISAKMP policy is not defined.

Well, that's a good point, but both peers have a correct ISAKMP policy defined, using rsa-sig authentication, which is the default.

I am not sure if the CA must always be available to the peers even when they authenticate each other. At the moment the CA is not available; it was only available at the time of enrolling and authenticating the certificates.

Thanks,

Remi

Keith Lawrence
Level 1

I know this is a very old post but just in case anyone else has the same issue - check the time on your routers. One of mine was out by about 30 minutes and as soon as I fixed the NTP settings the tunnel came up fine with no errors.
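One way to test the clock explanation from the reply above, as an added example that is not part of the thread: certificates are only accepted inside their validity window, so the script compares a `show clock` line with the validity dates printed by `show crypto ca certificates`. The sample output is constructed, the function names are hypothetical, and both outputs are assumed to use the same time zone.

```python
import re
from datetime import datetime

# Constructed sample output (not from the thread), in the layout IOS prints.
SAMPLE_CLOCK = "*09:41:07.391 UTC Tue Mar 1 2005"
SAMPLE_CERTS = """\
Certificate
  Status: Available
  Validity Date:
    start date: 10:03:12 UTC Mar 1 2005
    end   date: 10:13:12 UTC Mar 1 2006
CA Certificate
  Status: Available
  Validity Date:
    start date: 08:00:00 UTC Jan 10 2005
    end   date: 08:10:00 UTC Jan 10 2010
"""
CLOCK_RE = re.compile(r"([*.]?)(\d\d:\d\d:\d\d)(?:\.\d+)? \S+ \w{3} (\w{3}) (\d+) (\d{4})")
DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) \S+ (\w{3}) (\d+) (\d{4})")

def _stamp(m):
    # Time zone is ignored: assumes clock and certificates print the same zone.
    return datetime.strptime(" ".join(m.group(2, 3, 4, 5)), "%H:%M:%S %b %d %Y")

def parse_clock(line):
    """Return (time, synced). A leading '*' (not authoritative) or '.'
    (authoritative, NTP not synchronized) means the clock is not synced."""
    m = CLOCK_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognized 'show clock' line: %r" % line)
    return _stamp(m), m.group(1) == ""

def validity_windows(text):
    """Yield (block title, start, end) for each certificate in the output."""
    title = start = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            title = line.strip()          # e.g. "Certificate", "CA Certificate"
        m = DATE_RE.search(line)
        if m and m.group(1) == "start":
            start = _stamp(m)
        elif m:
            yield title, start, _stamp(m)

def check(clock_line, certs_text):
    """Return (clock synced?, [(block title, validity state), ...])."""
    now, synced = parse_clock(clock_line)
    states = [(t, "not yet valid" if now < s else "expired" if now > e else "valid")
              for t, s, e in validity_windows(certs_text)]
    return synced, states
```

With the constructed sample, the router clock is about 20 minutes behind the start date of a freshly enrolled certificate, so `check(SAMPLE_CLOCK, SAMPLE_CERTS)` reports that certificate as not yet valid and the clock as unsynchronized.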

Hi guys,

In case you're facing this issue, just make sure that in the configuration of the crypto isakmp key...

(config)# crypto isakmp key 0 cisco address NBMA-peer

or

(config)# crypto isakmp key 0 cisco address 0.0.0.0

you put the NBMA address of the other router and not the tunnel interface address, or you can also put address 0.0.0.0, which means that the router is going to negotiate with any other router that has the same key... For security the first option is better, but they both work.
