IKEv2 fails repeatedly with "Message::addPayload: Too many payloads" error in the debug of VPND daemon
Symptoms
  • Debug of VPND daemon (per sk89940) repeatedly shows:

    [ikev2] SAPayload: Proposal list contains 1 IKE proposals
    [ikev2] Message::addPayload: Added payload 1 (SecurityAssociation)
    ... ...
    [ikev2] Message::addPayload: Added payload 2 (KeyExchange)
    ... ...
    [] GetEntryIsakmpObjectsHash: received ipaddr: X.X.X.X as key, found fwobj: ...
    [] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for X.X.X.X returned obj: 0x...
    ... ...
    [ikev2] Message::addPayload: Added payload 3 (Nonce)
    ... ...
    [ikev2] natTraversalHandler::createNatDetectSource: my port: 500.
    ... ...
    [ikev2] natTraversalHandler::createNatDetectSource: creating Notify payload for interface X.X.X.X, port 500 (index ...)
    [ikev2] natTraversalHandler::createNatTNotifyPayload: spi-i: ..., spi-r: ..., ip: X.X.X.X, port: 500
    [ikev2] Message::addPayload: Added payload 4 (Notify)
    ... ...
    [ikev2] Message::addPayload: Added payload 5 (Notify)
    ... ...
    [ikev2] Message::addPayload: Added payload 6 (Notify)
    ... ...
    [ikev2] Message::addPayload: Added payload 25 (Notify)
    [ikev2] natTraversalHandler::createNatDetectSource: creating Notify payload for interface X.X.X.X, port 500 (index ...)
    [ikev2] natTraversalHandler::createNatTNotifyPayload: spi-i: ..., spi-r: ..., ip: X.X.X.X, port: 500
    [ikev2] Message::addPayload: Too many payloads
    [ikev2] natTraversalHandler::createNatTNotifyPayload: Failed setting Notify payload on message
    [ikev2] Exchange::startPrepareMessage: error encountered. has notifications to send: 0
    [ikev2] Message::~Message: entering
    [ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)
Cause

A Security Gateway with configured VTI interfaces adds an IKEv2 "NAT_DETECTION_SOURCE_IP" Notify payload for the IP address of each of its VTI interfaces, even though VTI interfaces are not supported with IKEv2.
If more than 25 VTI interfaces are configured, the message exceeds the payload limit, the "Too many payloads" error occurs, and the IKEv2 negotiation fails.

Example:

Security Gateway participates in two VPN Site-to-Site communities:

  • for one VPN community, the Security Gateway uses VTI (with IKEv1):
    Community1: GWa <-> GWb, IKEv1, Route Based VPN, VTI (so GWa would have an encryption domain consisting of an empty group)
  • for the other VPN community, the Security Gateway uses IKEv2:
    Community2: GWa <-> GWc, IKEv2 (GWc would have an encryption domain)
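To confirm this cause from a VPND debug, the following added script (not part of this sk article or of the product) parses a debug excerpt in the format shown under Symptoms, counts the payloads added to the message, and lists the distinct NAT-detection source interfaces the gateway tried to advertise before hitting the limit. The sample log text, its addresses and the function name are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the VPND debug format quoted above (addresses are made up).
SAMPLE_LOG = """\
[ikev2] Message::addPayload: Added payload 1 (SecurityAssociation)
[ikev2] Message::addPayload: Added payload 2 (KeyExchange)
[ikev2] Message::addPayload: Added payload 3 (Nonce)
[ikev2] natTraversalHandler::createNatDetectSource: creating Notify payload for interface 10.0.0.1, port 500 (index 0)
[ikev2] Message::addPayload: Added payload 4 (Notify)
[ikev2] natTraversalHandler::createNatDetectSource: creating Notify payload for interface 10.0.1.1, port 500 (index 1)
[ikev2] Message::addPayload: Added payload 5 (Notify)
[ikev2] natTraversalHandler::createNatDetectSource: creating Notify payload for interface 10.0.2.1, port 500 (index 2)
[ikev2] Message::addPayload: Too many payloads
[ikev2] natTraversalHandler::createNatTNotifyPayload: Failed setting Notify payload on message
[ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)
"""
ADDED_RE = re.compile(r"Message::addPayload: Added payload (\d+) \((\w+)\)")
NAT_SRC_RE = re.compile(r"createNatDetectSource: creating Notify payload for interface (\S+),")

def analyze_vpnd_debug(text):
    """Summarise one IKEv2 message build: payloads per type, NAT-detection source interfaces, limit hit."""
    by_type = Counter()
    nat_src_ifaces = []
    too_many = failed = False
    for line in text.splitlines():
        if m := ADDED_RE.search(line):
            by_type[m.group(2)] += 1          # payload successfully added to the message
        elif m := NAT_SRC_RE.search(line):
            nat_src_ifaces.append(m.group(1))  # one NAT_DETECTION_SOURCE_IP attempt per interface
        elif "Message::addPayload: Too many payloads" in line:
            too_many = True
        elif "Changing status from: initial to: failure" in line:
            failed = True
    distinct = sorted(set(nat_src_ifaces))
    return {
        "payloads_added": sum(by_type.values()),
        "notify_added": by_type["Notify"],
        "nat_source_interfaces": distinct,
        "too_many_payloads": too_many,
        "negotiation_failed": failed,
        # Many distinct source interfaces ending in the payload limit is the signature
        # described under Cause: one Notify per (VTI) interface address.
        "matches_vti_signature": too_many and len(distinct) > 1,
    }

if __name__ == "__main__":
    for key, value in analyze_vpnd_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real debug, compare the number of distinct NAT-detection source interfaces with the number of configured VTI interfaces; the page states the failure appears once more than 25 are configured.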

Solution