
%ASA-vpn-4-713903:"IP address" Header invalid, missing SA payload!

logan-7
Level 1

Getting the error message %ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4) on a VPN tunnel initiation. This is the first time this tunnel has tried to connect and we are seeing this issue.

Any ideas? Thanks.

2 Replies

owillins
Level 6

This event generally means that the VPN and the remote peer are out of sync. The remote peer is continuing to negotiate an Internet Key Exchange (IKE) Security Association (SA) that has been deleted by the VPN Device. The condition should eventually correct itself as the negotiation times out. This event can sometimes indicate a benign condition, which is caused by a race condition. An example of a race condition is when both peers delete an SA simultaneously and send deletes. The delete messages get to the peer, but the peer has already deleted the SA on its own. The peer expects a new phase 1 message to include an SA payload, which the delete message does not include.

If the condition persists, the tunnel should be reset on both sides.
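A log-triage sketch for the message discussed above, added here as an example and not part of any post in this thread: it decodes the "next payload" number using the ISAKMP payload types from RFC 2408 and flags peers for which the event keeps repeating. It assumes the number in the log is the ISAKMP payload type; the function names, the repeat threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# ISAKMP payload type numbers as assigned in RFC 2408, section 3.1.
ISAKMP_PAYLOADS = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate Request",
    8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
    12: "Delete", 13: "Vendor ID",
}

# Matches both "%ASA-vpn-4-713903" (as quoted in this thread) and "%ASA-4-713903".
LINE_RE = re.compile(
    r"%ASA-(?:vpn-)?4-713903: IP = (?P<peer>[^,\s]+), Header invalid, "
    r"missing SA payload! \(next payload = (?P<np>\d+)\)"
)

def parse_713903(line):
    """Return (peer, payload_number, payload_name), or None if the line is unrelated."""
    m = LINE_RE.search(line)
    if not m:
        return None
    np = int(m.group("np"))
    return m.group("peer"), np, ISAKMP_PAYLOADS.get(np, "unknown/private")

def summarize(lines, persist_threshold=3):
    """Count events per (peer, payload name); list peers at or above the threshold.

    persist_threshold is a hypothetical cut-off for "the condition persists".
    """
    by_payload, per_peer = Counter(), Counter()
    for line in lines:
        hit = parse_713903(line)
        if hit:
            by_payload[(hit[0], hit[2])] += 1
            per_peer[hit[0]] += 1
    persistent = sorted(p for p, n in per_peer.items() if n >= persist_threshold)
    return by_payload, persistent

# Constructed sample lines using documentation address ranges, not real peers.
SAMPLE = [
    "Jan 01 10:00:01 fw1 %ASA-vpn-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)",
    "Jan 01 10:00:09 fw1 %ASA-vpn-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)",
    "Jan 01 10:00:17 fw1 %ASA-4-713903: IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)",
    "Jan 01 10:02:40 fw1 %ASA-vpn-4-713903: IP = 198.51.100.7, Header invalid, missing SA payload! (next payload = 12)",
    "Jan 01 10:03:00 fw1 %ASA-6-302013: Built outbound TCP connection (unrelated line)",
]

if __name__ == "__main__":
    counts, persistent = summarize(SAMPLE)
    for (peer, payload), n in sorted(counts.items()):
        print(f"{peer}: first payload was {payload} instead of SA, seen {n}x")
    print("Repeating peers:", persistent)
```

A single Delete (12) event fits the race condition described above, while a peer that keeps repeating the event is the case where a reset on both sides is suggested.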

Farrukh Haroon
VIP Alumni

As others have pointed out, these messages can be displayed even if everything is working fine. Clear the IKE/IPSEC sessions on both sides and then see if there is reasonable uniformity between the encrypt/decrypt packet count (show crypto ipsec sa). If so, ignore this error.

Regards

Farrukh
