Fix ERROR_IPSEC_IKE_QM_EXPIRED (0X00003647) Quick Mode SA Expired
This error means an IPsec quick mode security association expired before the connection finished. Common on Windows VPNs with mismatched lifetime settings or NAT keepalive issues.
Mismatched Quick Mode SA Lifetime Settings
This is the most common cause of error 0x00003647. What's actually happening here is the IPsec quick mode security association (SA) on one side of the tunnel has a shorter lifetime than the other. When the first side renews its SA, the other side thinks the old one is still valid — or vice versa. The result: the IPsec driver throws 0x00003647 and the VPN drops.
I see this most often on Windows 10/11 clients connecting to a Windows Server 2016/2019/2022 VPN or a third-party firewall like pfSense or Fortinet. The default quick mode lifetime on Windows is 3600 seconds (1 hour) with a default lifetime offset of 0 seconds. But some firewalls default to 28800 seconds, or 2700 seconds, and the mismatch kills the tunnel at the first renewal.
How to check and fix on the Windows client
- Open an elevated PowerShell or Command Prompt.
- Run the following (replace VPN_Name with your connection name):
netsh advfirewall consec show rule name="VPN_Name"
- Look for qmsa-lifetime and qmsa-lifetime-offset. If they're not set, Windows uses the default.
- Match these values to your server or firewall. Most common fix: set both to 3600 seconds, 0 offset:
netsh advfirewall consec set rule name="VPN_Name" qmsa-lifetime=3600 qmsa-lifetime-offset=0
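As an added example (not part of the original article), the following PowerShell script audits the same setting through the NetSecurity module instead of netsh: it pulls the quick mode crypto set attached to a connection security rule, flags any proposal whose lifetime differs from the value the peer is configured with, and lists the quick mode SAs currently established so a drop can be correlated with renewal time. The rule name VPN_Name and the peer lifetime of 3600 seconds are assumptions taken from the article; run it elevated.

```powershell
# Added example, not the article's own commands. Assumes an elevated session on
# Windows 8 / Server 2012 or later, where the NetSecurity module is built in.
param(
    [int]$ExpectedSeconds = 3600,          # assumed peer QM lifetime (from the article)
    [string]$RuleDisplayName = "VPN_Name"  # placeholder from the article; use your rule name
)

# Windows stores the QM lifetime in minutes; the peer is usually configured in seconds.
$expectedMinutes = [math]::Ceiling($ExpectedSeconds / 60)

# 1. Locate the connection security rule and the quick mode crypto set it references.
$rule      = Get-NetIPsecRule -DisplayName $RuleDisplayName -ErrorAction Stop
$cryptoSet = Get-NetIPsecQuickModeCryptoSet -AssociatedNetIPsecRule $rule

# 2. Every proposal carries its own MaxMinutes / MaxKilobytes lifetime. Any one of them
#    may be the proposal actually negotiated, so each is compared against the peer value.
$mismatches = @()
foreach ($p in $cryptoSet.Proposal) {
    if ($p.MaxMinutes -ne $expectedMinutes) {
        $mismatches += [pscustomobject]@{
            Encryption   = $p.Encryption
            ESPHash      = $p.ESPHash
            MaxMinutes   = $p.MaxMinutes
            MaxKilobytes = $p.MaxKilobytes
        }
    }
}

if ($mismatches.Count -eq 0) {
    "All proposals in '$($cryptoSet.Name)' use a $expectedMinutes-minute QM lifetime; matches the peer."
} else {
    "Proposals in '$($cryptoSet.Name)' whose lifetime differs from the peer's $expectedMinutes minutes:"
    $mismatches | Format-Table -AutoSize
}

# 3. Established quick mode SAs right now. Re-run this just after the error appears: if the
#    SA for the tunnel is gone at a multiple of the shorter lifetime, the mismatch is confirmed.
Get-NetIPsecQuickModeSA | Format-List *
```

A kilobyte lifetime (MaxKilobytes) that is lower on one side causes the same renewal mismatch as a shorter minute lifetime, which is why the script prints both.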
How to check on Windows Server (VPN server side)
- Open Routing and Remote Access (RRAS) MMC.
- Right-click the server name, go to Properties > Security > IPsec Settings.
- Click "Customize" under Quick Mode SA lifetime. Set it to 3600 minutes (note: it's minutes here, not seconds).
- Apply and restart the RRAS service:
net stop remoteaccess && net start remoteaccess
The reason this fix works is simple: both sides now agree on when the quick mode SA expires. Without the mismatch, the IPsec driver has no reason to throw 0x00003647 at renewal time.
NAT Keepalive Interference with Quick Mode SA
The second most common trigger is NAT keepalive packets colliding with the quick mode SA expiration. If you're behind any NAT device (home router, corporate firewall, cellular hotspot), the IPsec NAT keepalive sends small UDP packets to keep the NAT mapping alive. But certain routers or ISPs handle these badly, leading to the quick mode SA being silently dropped on one side while the other side still thinks it's active.
I've seen this mostly on Windows 10/11 machines behind consumer routers (Netgear, TP-Link) or corporate proxies that rewrite UDP ports. The error pops up at random intervals — not exactly at the lifetime boundary — because the keepalive gets lost or delayed.
Fix: Increase NAT keepalive interval or disable it
- Open an elevated Command Prompt.
- Check the current keepalive interval (default is 20 seconds):
netsh advfirewall show global
Look for nat-keepalive-interval in the output.
- Set it to a higher value:
netsh advfirewall set global nat-keepalive-interval=60
or disable it:
netsh advfirewall set global nat-keepalive-interval=0
- Reboot or restart the IPsec service:
net stop ipsec && net start ipsec
Why raising the interval helps: the keepalive packets are less frequent, so they're less likely to clash with the exact moment the quick mode SA renews. Disabling it works if you're not behind NAT (direct public IP on both ends). But if you are behind NAT, disabling may cause the tunnel to drop entirely after a few minutes of inactivity. Test with 60 seconds first.
Corrupt or Outdated IPsec Driver
This is rarer but worth checking if the first two fixes don't help. The IPsec driver itself can get corrupted after a Windows Update or if you've recently uninstalled VPN software that modified the IPsec stack. I've traced this to leftover registry entries from old Cisco AnyConnect, OpenVPN, or WireGuard clients that didn't clean up after themselves.
Verify and repair the IPsec driver
- Open Device Manager (devmgmt.msc).
- Go to View > Show hidden devices.
- Expand "Non-Plug and Play Drivers". Look for IPsec or IPsec IKE.
- Right-click it, select Properties > Driver tab. Check the driver date and version.
- If it's older than the last major Windows Update (e.g., older than 2022), or you see a yellow warning, run an SFC scan and then a DISM repair.
sfc /scannow
dism /online /cleanup-image /restorehealth
- After both complete, reboot and test the VPN connection.
You can also reset the IPsec stack entirely, but this is nuclear — it clears all your firewall rules and VPN connections:
netsh int ip reset
netsh advfirewall reset
Only do that reset if you're ready to reconfigure everything. The reason the SFC/DISM approach works first is it fixes system file corruption without nuking your settings. If the driver is genuinely broken, though, the reset is the clean fix.
Quick-Reference Summary Table
| Cause | Diagnostic Check | Fix Command / Action |
|---|---|---|
| Mismatched QM SA lifetime | netsh advfirewall consec show rule name="VPN_Name" | netsh advfirewall consec set rule name="VPN_Name" qmsa-lifetime=3600 qmsa-lifetime-offset=0 |
| NAT keepalive interference | Check current interval with netsh advfirewall show global | netsh advfirewall set global nat-keepalive-interval=60 |
| Corrupt IPsec driver | Device Manager > Non-Plug and Play > IPsec driver version | sfc /scannow then dism /online /cleanup-image /restorehealth |
If none of these work, check the event logs under Applications and Services Logs > Microsoft > Windows > IPsec for more specific failure codes. The 0x00003647 error is almost always a lifetime or keepalive issue on Windows, though — I'd bet on the first fix resolving it 80% of the time.