I came across this today while migrating an L2L / site-to-site tunnel from our ASA to a Palo Alto firewall (the remote end was formerly a Cisco IOS device).
From my side I would see:
17 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Solution 1: This typically means the PSKs don't match; after we fixed that, we saw this. Some manufacturers do not process special characters the same way.
%ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
Oct 01 10:33:43 [IKEv1]: IP =x.x.x.x Header invalid, missing SA payload! (next payload = 4)
The other side was able to see this:
"IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN."
These errors mean that the ASA is sending its DNS name entry for some reason.
Solution 2: Configure "isakmp identity address"
ASA(config)# isakmp identity ?
configure mode commands/options:
address Use the IP address of the interface for the identity
auto Identity automatically determined by the connection type: IP address for preshared key and Cert DN for Cert based connections
hostname Use the hostname of the router for the identity
key-id Use the specified key-id for the identity
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
I had this error as well. I found, when connecting to a PA, that I had to issue the "isakmp identity address" command to get Phase 1 to complete.
The issue is that the PA rejects an FQDN (which is what a PIX/ASA tries to send by default). Once applied, the tunnel came up with no problem.
For anyone landing here: I had the same error for a site-to-site between Cisco ASA 9.6.x and Palo Alto.
The ASA was behind a static/bidirectional NAT, so it used a private IP on the outside interface.
The tunnel got fixed after two changes:
- Enable NAT-T on the Palo Alto side so UDP/4500 was accepted
- Update the Peer ID on the Palo Alto side with the private IP address used on the ASA, while the Peer Address was the public IP used by the ASA.
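A small triage helper, added here as an example and not posted by anyone in this thread, that maps the messages quoted above to the three fixes discussed (matching PSKs, `isakmp identity address`, and NAT-T plus Peer ID when the ASA sits behind NAT). The log lines and IP addresses in it are constructed, modelled on the ones quoted in the posts.

```python
import ipaddress
import re

# Constructed sample lines modelled on the messages quoted in the thread (not real logs).
SAMPLE_LOGS = [
    "17 IKE Peer: 203.0.113.10 Type : L2L Role : initiator Rekey : no State : MM_WAIT_MSG6",
    "%ASA-vpn-4-713903: IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)",
    "IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN.",
]

# (regex, finding, remediation) -- the mapping follows the two solutions given in the thread.
RULES = (
    (r"State\s*:\s*MM_WAIT_MSG6", "phase1_stuck_mm_wait_msg6",
     "initiator is waiting for MM6: verify the pre-shared keys match on both sides (watch special characters)"),
    (r"Header invalid, missing SA payload", "missing_sa_payload",
     "peer rejected the ASA's identity: configure 'crypto isakmp identity address' on the ASA"),
    (r"peer-ID must be type IP address\. Received type FQDN", "peer_id_type_fqdn",
     "Palo Alto requires an IP-address peer ID with PSK but received FQDN: use 'crypto isakmp identity address'"),
)


def triage(lines):
    """Return sorted, de-duplicated (finding, remediation) pairs for the given log lines."""
    hits = set()
    for line in lines:
        for pattern, finding, fix in RULES:
            if re.search(pattern, line):
                hits.add((finding, fix))
    return sorted(hits)


def isakmp_identity(running_config):
    """Return the explicitly configured ISAKMP identity type ('address', 'hostname', 'auto', 'key-id'),
    or None when the line is absent (the effective default then depends on the ASA version)."""
    m = re.search(r"^\s*(?:crypto )?isakmp identity (\S+)", running_config, re.M)
    return m.group(1) if m else None


def nat_peer_id_advice(asa_outside_ip, public_peer_address):
    """If the ASA's outside IP differs from the address the Palo Alto sees, the ASA is behind NAT:
    the PA needs NAT-T enabled, Peer Address = public IP, Peer ID = the ASA's own outside IP."""
    outside = ipaddress.ip_address(asa_outside_ip)
    public = ipaddress.ip_address(public_peer_address)
    if outside == public:
        return None  # no NAT between the peers; nothing to change for Peer ID
    return {"nat_traversal": True, "peer_address": str(public), "peer_id": str(outside),
            "outside_is_private": outside.is_private}


if __name__ == "__main__":
    for finding, fix in triage(SAMPLE_LOGS):
        print(f"{finding}: {fix}")
    print(nat_peer_id_advice("10.1.1.2", "198.51.100.5"))
```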