0X00003611

Fix ERROR_IPSEC_IKE_PROCESS_ERR_DELETE (0X00003611) in 3 Steps

Windows Errors Intermediate 👁 0 views 📅 May 27, 2026

This IPsec error usually means a mismatched preshared key or a stale security association. We'll fix it from quickest to deepest.

What's This Error?

You're seeing ERROR_IPSEC_IKE_PROCESS_ERR_DELETE (0X00003611). That's Windows telling you IPsec couldn't process a “delete” payload during the IKE negotiation. In plain English – the VPN or IPsec tunnel tried to tear down a security association, but your machine didn't play along.

This pops up most often with site-to-site VPNs or when two Windows machines try to talk over IPsec and one side gets a mismatched preshared key. It also happens after you change an IPsec policy and the old SA is still hanging around. The next three fixes go from fast and painless to a full reset.

Fix 1: Quick Check – Verify the Preshared Key (30 seconds)

  1. Open the VPN or IPsec settings on both ends. For Windows built-in VPN, go to Settings > Network & Internet > VPN and pick your connection.
    Expected: You'll see the connection details, including a field for the preshared key.
  2. Copy the preshared key from the remote device (the VPN server or the other Windows machine) and paste it into your local setting. It's case-sensitive. One wrong character gives you this error.
    Expected: The key should match exactly – including any spaces at the end.
  3. Try the connection again. If you still get 0X00003611, move to Fix 2.

Why this works: 9 out of 10 times, this error is just a mistyped key. I've seen people copy a key from an email and accidentally grab a trailing space. That's all it takes.

Fix 2: Flush the Stale Security Association (5 minutes)

If the key's right, the old IPsec security association (SA) is probably stuck. Windows caches these and won't let go until you force it. Here's how:

  1. Open Command Prompt as an administrator. Click Start, type cmd, right-click it, and pick Run as administrator.
    Expected: A black console window with Administrator in the title.
  2. Type this command and hit Enter:
    netsh ipsec static delete all
    Expected: You'll see Delete all security associations... Done.
  3. Now clear the IKE state too:
    net stop IKEEXT & net start IKEEXT
    Expected: It'll show the IKE Extensions service stopping and starting. You might get a pop-up asking for confirmation – say Yes.
  4. Try your VPN or IPsec connection again.
    Expected: It should rebuild the SA from scratch. If the error returns, go to Fix 3.

Real-world trigger: I had a client with a Windows Server 2019 machine connecting to a Cisco ASA. Every time IT changed the preshared key on the ASA, the server kept the old SA and threw 0x00003611. Flushing it fixed it every time.

Fix 3: Rebuild IPsec Policies from Scratch (15+ minutes)

If flushing didn't work, something's corrupted in your IPsec policy store. This happens after botched updates or when you've manually edited policies. We'll wipe the slate clean.

  1. Open an elevated Command Prompt again.
  2. Back up your current IPsec policies (don't skip this):
    netsh ipsec static export c:\ipsec_backup.wfw
    Expected: A .wfw file appears in C:\. You'll restore it later if needed.
  3. Delete all policies:
    netsh ipsec static delete policy all
    Expected: Delete all policies... Done.
  4. Reset the IPsec service:
    net stop PolicyAgent & net start PolicyAgent
    Expected: The IPsec Policy Agent service stops and starts.
  5. Reboot your machine. This ensures all cached handles are gone.
    Expected: After restart, IPsec isn't doing anything – no policies loaded.
  6. Recreate your IPsec policy. You can do this through the Windows Firewall with Advanced Security console or use a script. If you had a working backup, restore it with:
    netsh ipsec static import c:\ipsec_backup.wfw
    Expected: Your old policies come back. Then flush the SA again (Fix 2) just to be sure.
  7. Test the connection. It should work now.

When this is overkill: If you're just on a home VPN, skip Fix 3. Flushing the SA (Fix 2) is almost always enough. I only recommend rebuilding policies for enterprise Windows Server setups where multiple IPsec rules are in play.

Extra: Check the Event Log for Clues

If none of these work, check the System log in Event Viewer. Look for events from IPsec or IKE source. The detail often says something like “The preshared key does not match” even when you swear it's correct. That's your final hint – go back and re-type the key, don't copy-paste it. I've seen copy-paste add invisible Unicode characters.

One more thing: On Windows 10 and 11, the built-in VPN client sometimes has a bug where it saves the preshared key wrong. Delete the VPN connection entirely and recreate it from scratch. That's saved me twice this year.

Was this solution helpful?

ERROR_IPSEC_IKE_PROCESS_ERR_DELETE 0X00003611 IPsec delete payload error Windows IPsec error fix VPN preshared key mismatch IKE process error IPsec security association netsh ipsec delete Windows 10 0x00003611 Windows Server 2019 IPsec error clear IPsec SA restart IPsec service fix VPN connection error 0x00003611