0x0000363E: IPsec IKE Peer Main Mode Invalid – Fix Guide
Your VPN connection fails because the peer stopped responding during IKE main mode. This guide covers the three most common fixes: rebooting, clearing SAs, and checking firewall rules.
1. Restart the IPsec Services and Clear the SA Cache – The Quickest Fix
I’ve seen this error pop up most often after a network drop or when a VPN tunnel times out. The peer (your VPN server or gateway) just stops responding mid-negotiation, and Windows marks the main mode SA as invalid. The fastest fix? Force reset the IPsec stack.
Open PowerShell as Administrator (right-click Start > Windows PowerShell (Admin)) and run the following. Note that PowerShell chains commands with `;`, not the cmd.exe `&`, which PowerShell rejects or treats as a background-job operator:
net stop IKEEXT; net stop PolicyAgent; net start PolicyAgent; net start IKEEXT
netsh ipsec dynamic show mmsas
Wait 10 seconds, then rerun your VPN connection. This clears the stale SAs and forces a fresh negotiation. I’d say this works for roughly 60% of the cases I’ve dealt with – especially if you’ve been switching networks or waking from sleep.
If you’re using Windows 10 21H2 or later, sometimes the IKEEXT service gets stuck in a pending state. Check the Services console (services.msc) – if IKEEXT shows 'Stopping' and won’t restart, you’ll need a full reboot. That brings us to fix number two.
2. Reboot the Machine – The Nuclear Option That Works
I hate saying 'reboot' because it feels lazy. But with IPsec errors, it’s often the only thing that clears orphaned state tables in the Windows IPsec driver. I’ve seen this exact error on a Dell Latitude 5420 running Windows 11 Pro after a VPN disconnection while a file transfer was in progress. A simple restart fixed it.
Don’t just shut down – use Restart. With Windows Fast Startup (enabled by default on most systems), Shutdown hibernates the kernel session instead of ending it, so driver state survives; only Restart reinitializes the kernel and its drivers. After reboot, open Command Prompt as Admin and run:
netsh ipsec dynamic show mmsas
You should see no main mode SAs listed. Then connect VPN again. If the error still shows, move to fix three.
Pro tip: If you’re on a corporate VPN that uses IKEv2 with certificate authentication, check that your computer’s clock is synced with a time server. A skew of more than 5 minutes can cause this exact error. Run w32tm /query /status to check.
3. Check Firewall Rules – The One That Sneaks Up on You
Third most common cause: your firewall is blocking IKE traffic on UDP ports 500 and 4500. This happens when you install a third-party firewall (I’m looking at you, McAfee or Symantec) or when Windows Firewall gets corrupted rules.
Open Windows Defender Firewall with Advanced Security (wf.msc). Look for inbound rules named 'IPsec IKE and AuthIP' – they should be enabled. If they’re missing or disabled, run this PowerShell command as Admin to restore default firewall rules:
netsh advfirewall reset
Wait – that’s aggressive. If you’ve got custom rules you don’t want to lose, instead manually add a rule:
- In wf.msc, right-click Inbound Rules > New Rule
- Select 'Custom' > Next
- Select 'All programs' > Next
- Protocol type: UDP, local port: 500, remote port: 500 > Next
- Allow the connection > Next
- Check all profiles (Domain, Private, Public) > Next
- Name it 'IKE Port 500 Inbound'
- Repeat for UDP port 4500
Also check that your router or corporate firewall isn’t blocking these ports. I’ve wasted hours debugging only to find the network team had changed ACLs. Trust but verify.
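As an added example (not part of the original guide), here is a read-only PowerShell check that walks all three causes above in one pass. It assumes an elevated session and the NetSecurity cmdlets (Get-NetIPsecMainModeSA, Get-NetFirewallPortFilter) that ship with Windows 8/Server 2012 and later; it changes nothing, it only reports what to fix.

```powershell
# Added diagnostic script, not from the original article. Run elevated.
# Everything below is read-only.

# --- 1. Service state. BFE is the IKEEXT dependency; an IKEEXT stuck in
#        StopPending is the case that needs a full Restart, not Shutdown. ---
foreach ($name in 'BFE', 'PolicyAgent', 'IKEEXT') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name not found"; continue }
    '{0,-12} {1}' -f $name, $svc.Status
    if ($svc.Status -eq 'StopPending') {
        Write-Warning "$name is stuck in StopPending: reboot (Restart, not Shutdown)"
    }
}

# --- Main mode SAs still present. After the service restart in fix 1 this
#        count should be 0; anything else means stale state survived. ---
$mmSas = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
"Main mode SAs present: $($mmSas.Count)"

# --- 2. Clock sync, which matters for certificate-authenticated IKEv2. ---
w32tm /query /status | Select-String -Pattern 'Source|Last Successful Sync|Stratum'

# --- 3. Inbound allow rules covering the IKE (500) and NAT-T (4500) ports. ---
$activeProfiles = (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Name
"Active firewall profiles: $($activeProfiles -join ', ')"
foreach ($port in 500, 4500) {
    # Start from UDP port filters, then walk back to their enabled inbound allow rules.
    $rules = Get-NetFirewallPortFilter -Protocol UDP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 'Any' -or $_.LocalPort -contains "$port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    if ($rules) {
        "UDP $port inbound allowed by: $(($rules.DisplayName | Select-Object -Unique) -join '; ')"
    } else {
        Write-Warning "No enabled inbound allow rule covers UDP $port; add one (see fix 3)"
    }
}
```

A rule that matches here but applies only to a profile that is not active (check the Profile column in wf.msc) will still not pass traffic, so compare the rule's profile against the active profiles printed above.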
Quick-Reference Summary Table
| Cause | Fix | Tools / Commands | When It Helps |
|---|---|---|---|
| Stale IPsec SAs | Restart IPsec services and clear SA cache | net stop IKEEXT + net stop PolicyAgent + restart services | After network drop, VPN timeout, or sleep/wake |
| Orphaned driver state | Full reboot (not shutdown) | Restart from Start menu | When services won’t restart or error persists |
| Firewall blocking IKE ports | Open UDP 500 and 4500 inbound OR reset firewall | netsh advfirewall reset or manual rule in wf.msc | After third-party firewall install, or VPN worked elsewhere |
I know this error is infuriating because it’s vague – 'peer stopped responding' gives you nothing to work with. But 9 times out of 10, one of these three fixes will get you connected. If none work, check the VPN server logs on the other end – sometimes the peer itself needs a reboot too. Good luck.