Cisco Support Community
Community Member

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

I am having trouble authenticating both peers with CA certificates.

The error message I get is:

%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:

Explanation: A public key or private key query attempt that used a subject name has failed.

Recommended Action: Check the subject name in the certificate.

I am not sure how to troubleshoot it then. On both routers I have subject names as the names of the RSA public key.

Thanks for all your suggestions.

Remi

3 REPLIES
Bronze

Re: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

This error message also occurs if an ISAKMP policy is not defined.

Community Member

Re: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

Well, that's a good point, but both peers have a correct ISAKMP policy defined, using rsa-sig authentication, which is the default.

I am not sure if the CA must always be available to the peers even when they authenticate each other. At the moment the CA is not available; it was only available at the moment of enrolling and authenticating certificates.

Thanks,

Remi

Community Member

Re: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed

I know this is a very old post but just in case anyone else has the same issue - check the time on your routers. One of mine was out by about 30 minutes and as soon as I fixed the NTP settings the tunnel came up fine with no errors.
