I came across this today while migrating a L2L / site-to-site tunnel from our ASA to a Palo Alto firewall (formerly a Cisco IOS device).
From my side I would see:
17 IKE Peer: x.x.x.x Type : L2L Role : initiator Rekey : no State : MM_WAIT_MSG6
Solution 1: This typically means the PSKs don't match. Some manufacturers do not process special characters the same way. After we fixed that, we saw this:
%ASA-vpn-4-713903: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
Oct 01 10:33:43 [IKEv1]: IP =x.x.x.x Header invalid, missing SA payload! (next payload = 4)
The other side was able to see this:
"IKE phase-1 negotiation failed. When pre-shared key is used, peer-ID must be type IP address. Received type FQDN."
These errors mean that the ASA is sending its DNS name entry for some reason.
Solution 2: Configure "isakmp identity address"
ASA(config)# isakmp identity ?
configure mode commands/options:
  address   Use the IP address of the interface for the identity
  auto      Identity automatically determined by the connection type: IP address for preshared key and Cert DN for Cert based connections
  hostname  Use the hostname of the router for the identity
  key-id    Use the specified key-id for the identity
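The peer's complaint is about the ID type carried in the IKEv1 Identification payload. The following is an added example, not code from the original post: it parses that payload (layout and type numbers per RFC 2407) and applies the rule from the peer's error message. The function names, the sample hostname and address, and the extra comparison against a configured peer address are assumptions made for illustration.

```python
import ipaddress
import struct

# IKEv1 identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
ADDRESS_TYPES = {"ID_IPV4_ADDR", "ID_IPV6_ADDR"}


def parse_id_payload(payload: bytes) -> dict:
    """Parse one decrypted IKEv1 Identification payload (generic header + ID body)."""
    if len(payload) < 8:
        raise ValueError("truncated ID payload")
    next_payload, _reserved, length, id_type, _proto, _port = struct.unpack(
        "!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError(f"bad payload length {length}")
    data = payload[8:length]
    name = ID_TYPES.get(id_type, f"UNKNOWN({id_type})")
    if name in ADDRESS_TYPES:
        if len(data) != (4 if name == "ID_IPV4_ADDR" else 16):
            raise ValueError("address length does not match ID type")
        value = str(ipaddress.ip_address(data))
    elif name in ("ID_FQDN", "ID_USER_FQDN"):
        value = data.decode("ascii", errors="replace")
    else:
        value = data.hex()
    return {"type": name, "value": value, "next_payload": next_payload}


def check_psk_peer_id(payload: bytes, expected_ip: str) -> tuple[bool, str]:
    """With a PSK the peer ID must be an IP address (the rule in the peer's error)."""
    ident = parse_id_payload(payload)
    if ident["type"] not in ADDRESS_TYPES:
        return False, (f"peer-ID must be type IP address, "
                       f"received {ident['type']} ({ident['value']})")
    # Assumed extra check: the address must also equal the configured peer.
    if ipaddress.ip_address(ident["value"]) != ipaddress.ip_address(expected_ip):
        return False, f"peer-ID {ident['value']} does not match peer {expected_ip}"
    return True, f"peer-ID {ident['value']} accepted"


def build_id_payload(id_type: int, data: bytes, next_payload: int = 8) -> bytes:
    """Build a constructed sample payload (next payload 8 = HASH)."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, 0, 0) + data


# Constructed samples: a made-up hostname and the documentation address 192.0.2.10.
FQDN_ID = build_id_payload(2, b"asa.example.com")      # identity sent as a DNS name
ADDR_ID = build_id_payload(1, bytes([192, 0, 2, 10]))  # identity sent as an address
```

Calling check_psk_peer_id(FQDN_ID, "192.0.2.10") is rejected with the FQDN reason, while ADDR_ID with the same peer address is accepted.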
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...