Resolution
The following output shows the user receiving the Header invalid, missing SA payload
error message on the Cisco VPN 3000 Concentrator:
EVENTID: IKE_NO_SA
LEVEL: ES_SEV_INFO3
STRING: "Header invalid, missing SA payload! (next payload = %d)"
This event generally means that the VPN Concentrator and the remote peer are out of sync. The remote peer is continuing to negotiate an Internet Key Exchange (IKE) Security Association (SA) that has been deleted by the VPN Concentrator. The condition should eventually correct itself as the negotiation times out. This event can sometimes indicate a benign condition, which is caused by a race condition. An example of a race condition is when both peers delete an SA simultaneously and send deletes. The delete messages get to the peer, but the peer has already deleted the SA on its own. The peer expects a new phase 1 message to include an SA payload, which the delete message does not include.
If the condition persists, the tunnel should be reset on both sides.
VPN 3000 Model
Concentrator models
VPN 3000 Event Logs
Header invalid, missing SA payload! (next payload = 8)