I came across this today while migrating a L2L / site to site tunnel from our ASA to a PaloAlto firewall (formerly Cisco ios device)
From my side I would see :
17 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Solution 1: This typically means the PSKs don't match, after we fixed that we saw this. Some Mfgrs do not process special characters the same.
Debugging shows:
%ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
or
Oct 01 10:33:43 [IKEv1]: IP =x.x.x.x Header invalid, missing SA payload! (next payload = 4)
The other side was able to see this:
"IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN."
These errors mean that the ASA is sending it's DNS name entry for some reason.
Solution 2: Configure "isakmp identity address"
ASA(config)# isakmp identity ?
configure mode commands/options:
address Use the IP address of the interface for the identity
auto Identity automatically determined by the connection type: IP address for preshared key and Cert DN for Cert based connections
hostname Use the hostname of the router for the identity
key-id Use the specified key-id for the identity
Citation: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_ike.html
D
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers
During ISAKMP Phase I negotiations, either IKEv1 or IKEv2, the peers must identify themselves to each other. You can choose the identification method from the following options:
IP address for preshared key.
The ASA uses the Phase I ID to send to the peer. This is true for all VPN scenarios except LAN-to-LAN IKEv1 connections in main mode that authenticate with preshared keys.
To change the peer identification method, enter the following command:
crypto isakmp identity {address | hostname | key-id id-string | auto}
For example, the following command sets the peer identification method to hostname:
