I came across this today while migrating an L2L / site-to-site tunnel from our ASA to a Palo Alto firewall (formerly a Cisco IOS device).
From my side I would see:
17  IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
Solution 1: This typically means the PSKs don't match; after we fixed that, we saw this. Some manufacturers do not process special characters the same way.
%ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
Oct 01 10:33:43 [IKEv1]: IP =x.x.x.x Header invalid, missing SA payload! (next payload = 4)
The other side was able to see this:
"IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN."
These errors mean that the ASA is sending its DNS name entry for some reason.
Solution 2: Configure "isakmp identity address".
ASA(config)# isakmp identity ?

configure mode commands/options:
  address   Use the IP address of the interface for the identity
  auto      Identity automatically determined by the connection type: IP address for preshared key and Cert DN for Cert based connections
  hostname  Use the hostname of the router for the identity
  key-id    Use the specified key-id for the identity
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
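As an added example that is not part of the original thread, the following Python script groups the ASA-side "Header invalid, missing SA payload" (713903) lines by peer IP and uses the remote side's peer-ID message, when available, to decide which of the two fixes above to check first. The log lines are constructed to mirror the ones quoted in this post, with documentation-range addresses in place of x.x.x.x.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the messages quoted in the thread
# (not captured from a real device; 203.0.113.x / 198.51.100.x are documentation ranges).
ASA_LOGS = [
    "Oct 01 10:33:43 [IKEv1]: IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)",
    "%ASA-vpn-4-713903: IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)",
    "Oct 01 10:40:02 [IKEv1]: IP =198.51.100.7, Header invalid, missing SA payload! (next payload = 4)",
]
# Constructed copy of what the Palo Alto administrator reported from their side.
PA_LOGS = [
    "IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN.",
]

# ASA syslog 713903: the peer answered phase 1 without the expected SA payload.
ASA_MISSING_SA = re.compile(r"IP\s*=\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3}).*missing SA payload")
# Palo Alto side: identity type rejected because PSK authentication requires an IP-address ID.
PA_BAD_ID_TYPE = re.compile(r"peer-ID must be type IP address\.\s*Received type (?P<got>\w+)")

def triage(asa_lines, remote_lines=()):
    """Count 713903 events per peer and pick the first thing to check.

    The ASA-side message looks the same for a PSK mismatch and for an
    identity-type mismatch, so the remote peer's log is what disambiguates.
    The remote log is assumed to concern the same peer(s) as the ASA lines.
    """
    counts = defaultdict(int)
    for line in asa_lines:
        m = ASA_MISSING_SA.search(line)
        if m:
            counts[m.group("peer")] += 1

    bad_id_type = None
    for line in remote_lines:
        m = PA_BAD_ID_TYPE.search(line)
        if m:
            bad_id_type = m.group("got")

    findings = {}
    for peer, n in counts.items():
        if bad_id_type:
            hint = (f"peer rejected ID type {bad_id_type}: configure 'isakmp identity address' "
                    f"and key the tunnel-group on the peer IP")
        else:
            hint = "remote log unavailable or silent on ID type: compare PSKs, especially special characters"
        findings[peer] = {"count": n, "hint": hint}
    return findings

if __name__ == "__main__":
    for peer, f in triage(ASA_LOGS, PA_LOGS).items():
        print(f"{peer}: {f['count']} x 713903 -> {f['hint']}")
```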
I had this error as well. I found when connecting to a PA that I had to issue the "isakmp identity address" command to get Phase 1 to complete.
The issue is that the PA rejects an FQDN (which is what a PIX/ASA tries to send by default). Once applied, the tunnel came up with no problem.
Also from the ASA perspective, make sure you are using the IP of the peer on the tunnel-group configuration.
Hope this info helps!!
Rate if helps you!!
For anyone landing here, I had the same error for a site-to-site between Cisco ASA 9.6.x and Palo Alto.
The ASA was behind a STATIC/bidirectional NAT, so it used a private IP on the outside interface.
The tunnel got fixed after two changes:
- Enable NAT-T on the Palo Alto side so UDP/4500 was accepted
- Update the Peer ID on the Palo Alto side with my private IP address used on the ASA, while the Peer Address was the public IP used by the ASA.