%ASA-vpn-4-713903:"IP address" Header invalid, missing SA payload!

May 12th, 2009

Getting the error message %ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

on a VPN tunnel initiation. This is the first time this tunnel has tried to connect and we are seeing this issue.

Any ideas? Thanks

owillins Mon, 05/18/2009 - 05:30

This event generally means that the VPN and the remote peer are out of sync. The remote peer is continuing to negotiate an Internet Key Exchange (IKE) Security Association (SA) that has been deleted by the VPN Device. The condition should eventually correct itself as the negotiation times out. This event can sometimes indicate a benign condition, which is caused by a race condition. An example of a race condition is when both peers delete an SA simultaneously and send deletes. The delete messages get to the peer, but the peer has already deleted the SA on its own. The peer expects a new phase 1 message to include an SA payload, which the delete message does not include.

If the condition persists, the tunnel should be reset on both sides.

Farrukh Haroon Sun, 05/24/2009 - 05:51

As others have pointed out, these messages can be displayed even if everything is working fine. Clear the IKE/IPSEC sessions on both sides and then see if there is reasonable uniformity between the encrypt/decrypt packet counts (show crypto ipsec sa). If so, ignore this error.
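
An added example, not part of the thread and not Cisco code: it decodes the `next payload` number in the 713903 message using the ISAKMP payload types from RFC 2408 (4 is Key Exchange, 12 is Delete), counts events per peer, and compares the encrypt/decrypt counters from `show crypto ipsec sa`. The function names, sample log lines, counter values and the 20% tolerance are constructed assumptions.

```python
import re
from collections import defaultdict

# ISAKMP payload type numbers from RFC 2408, section 3.1
PAYLOADS = {0: "None", 1: "Security Association", 2: "Proposal", 3: "Transform",
            4: "Key Exchange", 5: "Identification", 6: "Certificate",
            7: "Certificate Request", 8: "Hash", 9: "Signature", 10: "Nonce",
            11: "Notification", 12: "Delete", 13: "Vendor ID"}

EVENT = re.compile(r"%ASA-(?:vpn-)?4-713903: IP = ([^,\s]+), Header invalid, "
                   r"missing SA payload! \(next payload = (\d+)\)")
COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def summarize_713903(log_text):
    """Per peer: how often the event fired and which payload arrived instead of SA."""
    peers = defaultdict(lambda: {"count": 0, "payloads": set()})
    for peer, num in EVENT.findall(log_text):
        peers[peer]["count"] += 1
        peers[peer]["payloads"].add(PAYLOADS.get(int(num), f"type {num}"))
    return dict(peers)

def counters_uniform(show_output, tolerance=0.2):
    """True if encrypt/decrypt totals from 'show crypto ipsec sa' differ by at most
    `tolerance` (a hypothetical cut-off; pick one that fits the traffic pattern)."""
    totals = {"encrypt": 0, "decrypt": 0}
    for kind, value in COUNTER.findall(show_output):
        totals[kind] += int(value)
    high = max(totals.values())
    if high == 0:
        return False  # nothing has passed through the tunnel yet
    return (high - min(totals.values())) / high <= tolerance

# Constructed sample input, not taken from the thread
SAMPLE_LOG = """\
%ASA-vpn-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)
%ASA-vpn-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 12)
%ASA-vpn-4-713903: IP = 198.51.100.7, Header invalid, missing SA payload! (next payload = 4)
"""
SAMPLE_SA = """\
      #pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480
      #pkts decaps: 455, #pkts decrypt: 455, #pkts verify: 455
"""

if __name__ == "__main__":
    for peer, info in summarize_713903(SAMPLE_LOG).items():
        print(peer, info["count"], sorted(info["payloads"]))
    print("counters uniform:", counters_uniform(SAMPLE_SA))
```

A peer whose count keeps growing after the sessions were cleared on both sides is the persistent case the first answer describes.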
