I came across this today while migrating a L2L / site to site tunnel from our ASA to a PaloAlto firewall (formerly Cisco ios device)
From my side I would see :
17 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_WAIT_MSG6
Solution 1: This typically means the PSKs don't match, after we fixed that we saw this. Some Mfgrs do not process special characters the same.
%ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
Oct 01 10:33:43 [IKEv1]: IP =x.x.x.x Header invalid, missing SA payload! (next payload = 4)
The other side was able to see this:
"IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN."
These errors mean that the ASA is sending it's DNS name entry for some reason.
Solution 2: Configure "isakmp identity address"
ASA(config)# isakmp identity ?
configure mode commands/options:
address Use the IP address of the interface for the identity
auto Identity automatically determined by the connection type: IP address for preshared key and Cert DN for Cert based connections
hostname Use the hostname of the router for the identity
key-id Use the specified key-id for the identity
Determining an ID Method for IKEv1 and IKEv2 ISAKMP Peers