Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

%ASA-vpn-4-713903:"IP address" Header invalid, missing SA payload!

getting the error message %ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)

on a VPN tunnel initiation, this is the first time this tunnel has tried to connect and we are seeing this issue.

Any Ideas. Thanks


Re: %ASA-vpn-4-713903:"IP address" Header invalid, missing SA pa

This event generally means that the VPN and the remote peer are out of sync. The remote peer is continuing to negotiate an Internet Key Exchange (IKE) Security Association (SA) that has been deleted by the VPN Device. The condition should eventually correct itself as the negotiation times out. This event can sometimes indicate a begin condition, which is caused by a race condition. An example of a race condition is when both peers delete an SA simultaneously and send deletes. The delete messages get to the peer, but the peer has already deleted the SA on its own. The peer expects a new phase 1 message to include an SA payload, which the delete message does not include.

If the condition persists, the tunnel should be reset on both sides.

Re: %ASA-vpn-4-713903:"IP address" Header invalid, missing SA pa

As others have pointed out, these messages can be displayed even if everything is working fine. Clear the IKE/IPSEC sessions on both sides and then see if there is reasonable uniformity between the encryp/decypt packet count (show crypto ipsec sa). If so, ignore this error.



CreatePlease login to create content