Fix ERROR_IPSEC_IKE_QM_LIMIT (0x363C) Quick Mode Limit
Windows reached the configured ceiling on quick mode SAs per main mode SA. It usually shows up when someone set a main mode session limit, when quick mode rekeys aggressively, or when a peer negotiates a separate quick mode for every traffic selector. Here's how to confirm it and fix it.
Quick Answer
On the Windows endpoint that logs the error, raise or remove the main mode session limit with netsh advfirewall set global mainmode mmkeylifetime=480min,0sess (0sess means unlimited; use a number such as 4096sess if you want to keep a cap), then clear the live SAs with netsh advfirewall monitor delete qmsa all and netsh advfirewall monitor delete mmsa all so IKE renegotiates under the new setting. No reboot is required.
What This Error Actually Means
You're seeing ERROR_IPSEC_IKE_QM_LIMIT (13884, 0x0000363C) because the IKE main mode key lifetime on Windows has two dimensions: minutes (default 480) and sessions, the number of quick mode SAs allowed under one main mode SA. The session value is 0 (no cap) out of the box, so if you hit this, someone configured a cap, usually to force frequent re-authentication (a session value of 1 is what main mode PFS amounts to). The error text is literal: "Reached maximum quick mode limit for the main mode. New main mode will be started." Windows expires the main mode SA and negotiates a fresh one; the code turns into a real failure when the peer keeps sending quick mode requests under the old main mode, or when the new main mode negotiation itself fails. Short quick mode lifetimes (five minutes instead of the 60-minute default) burn through sessions quickly, and so does a peer that negotiates one quick mode per traffic selector pair, which is normal IPsec behaviour for a site-to-site tunnel with many subnets. I've seen it most often with third-party gateways that rekey aggressively.
Fix Steps (In Order of Likelihood)
- Check the configured limit and the live SA count. Open an elevated command prompt and run:
      netsh advfirewall show global
  The KeyLifetime line under Main Mode shows minutes and sessions, for example 480min,0sess. 0sess means no per-main-mode cap, so a non-zero value there is your suspect. Then see how many SAs actually exist:
      netsh advfirewall monitor show mmsa
      netsh advfirewall monitor show qmsa
  One peer with a quick mode count near the session value is the problem. (netstat -an | find "500" only tells you the IKE listener is up; it says nothing about SAs.) On hosts still managed through the legacy IPsec policy store, look at the main mode lifetime and quick modes per main mode values in:
      netsh ipsec static show policy name="YourPolicyName"
- Raise or remove the limit. It is a single setting, it applies to main mode SAs negotiated from now on, and no reboot is needed:
      netsh advfirewall set global mainmode mmkeylifetime=480min,4096sess
  Use 0sess to remove the cap entirely; 1024 or 2048 is fine if you want to keep one. For the legacy policy store the equivalent is netsh ipsec static set policy name="YourPolicyName" qmpermm=4096.
- Flush the live SAs so the peer renegotiates under the new limit. Do this instead of rebooting:
      netsh advfirewall monitor delete qmsa all
      netsh advfirewall monitor delete mmsa all
  This drops every IPsec session on the host until the tunnels re-form, so do it in a maintenance window. Do not use netsh ipsec static delete all for this: it deletes policies, filter lists and filter actions from the static store, not SAs.
- Check the rekeying intervals on both ends. Windows defaults are 480 minutes for main mode and 60 minutes or 100,000 KB for quick mode. A 5-minute quick mode lifetime under an 8-hour main mode is roughly 96 quick modes per traffic selector pair per main mode, so even a generous cap is reached within hours on a multi-subnet tunnel. Match both sides, and keep quick mode at 1 hour (60 min) or more unless you have a specific security requirement. The global defaults are in netsh advfirewall show global (QuickModeSecMethods) and per-rule overrides in:
      netsh advfirewall consec show rule name=all
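The four steps above in one elevated PowerShell session, as an added example that is not part of the original article: it uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later instead of netsh. The peer address 203.0.113.10, the new limit of 4096, and the assumption that the SA objects carry a RemoteEndpoint property are mine.

```powershell
# Added example (not from the original page): diagnose and remediate a
# quick-mode-per-main-mode session cap on a Windows Firewall with Advanced
# Security host. Needs the NetSecurity module and an elevated session.
# The peer address 203.0.113.10 and the limit 4096 are illustrative.

# Report each main mode crypto set's key lifetime. MaxSessions is the number
# of quick modes allowed under one main mode; 0 means no cap (Windows default).
function Get-MainModeSessionLimit {
    Get-NetIPsecMainModeCryptoSet |
        Select-Object Name, DisplayName, MaxMinutes, MaxSessions
}

# Count live quick mode SAs per remote peer so you can see which tunnel is
# consuming sessions. Assumes the SA objects expose RemoteEndpoint.
function Get-QuickModeSaCountByPeer {
    Get-NetIPsecQuickModeSA |
        Group-Object -Property RemoteEndpoint |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'RemoteEndpoint'; e = { $_.Name } }, Count
}

# Raise the cap on every main mode crypto set. Pass 0 to remove the cap.
# Only main mode SAs negotiated after this change see the new value.
function Set-MainModeSessionLimit {
    param([Parameter(Mandatory)][uint32] $MaxSessions)
    Get-NetIPsecMainModeCryptoSet |
        Set-NetIPsecMainModeCryptoSet -MaxSessions $MaxSessions
}

# Delete the quick mode and main mode SAs for one peer so IKE renegotiates
# under the new limit. The tunnel drops until it re-forms, but the host is
# not rebooted. Quick modes go first because they hang off the main mode.
function Reset-PeerIpsecSa {
    param([Parameter(Mandatory)][string] $RemoteEndpoint)
    Get-NetIPsecQuickModeSA |
        Where-Object { $_.RemoteEndpoint -eq $RemoteEndpoint } |
        Remove-NetIPsecQuickModeSA
    Get-NetIPsecMainModeSA |
        Where-Object { $_.RemoteEndpoint -eq $RemoteEndpoint } |
        Remove-NetIPsecMainModeSA
}

# Read first, keep the output, then change and reset.
Get-MainModeSessionLimit | Format-Table -AutoSize
Get-QuickModeSaCountByPeer | Format-Table -AutoSize
Set-MainModeSessionLimit -MaxSessions 4096
Reset-PeerIpsecSa -RemoteEndpoint '203.0.113.10'
```

Set-MainModeSessionLimit only affects main mode SAs negotiated afterwards, which is why Reset-PeerIpsecSa follows it. Run the two read-only functions first and keep their output: the per-peer quick mode counts compared with MaxSessions are the evidence that the cap, and not something else, is what you are fixing.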
If the Main Fix Doesn't Work
Sometimes the limit isn't the real culprit: the main mode renegotiation that follows it is failing for another reason, or a driver is mangling traffic so quick modes fail and rekey in a loop. Try these:
- Update your network adapter driver. Offload bugs are driver-specific; get the latest from the OEM, not Windows Update.
- Disable IPsec hardware offloading. In the NIC's advanced properties turn off IPsec Task Offload (and, for an isolation test, the checksum and Large Send offloads), or run Disable-NetAdapterIPsecOffload -Name "<adapter>" from an elevated PowerShell session. Re-test before you restore the settings.
- Check for third-party security software. Endpoint suites that install their own filter drivers or connection security rules can interfere with IKE; temporarily disable the agent to isolate the issue. Windows Defender Firewall itself is where the IPsec rules live, so don't disable it; instead review its Connection Security Rules for a second rule that matches the same peer with different settings.
- Look at the main mode minute lifetime as well. A short minute lifetime (well under the 480-minute default) makes the peer re-authenticate constantly, and every new main mode is another chance for a failure that looks like this one; a very long one combined with a session cap guarantees the cap is what expires it. Keep minutes at 480 unless you have a reason to change them, and let the session count be 0 or generous.
Prevention Tips
First, don't set quick mode lifetimes under 30 minutes unless you really need it. Second, monitor SA counts: a scheduled PowerShell script that alerts when any peer's quick mode SAs exceed 80% of the session cap warns you before IKE starts renegotiating. Third, set the cap deliberately on the responder side (usually the VPN server) and push it through Group Policy rather than ad hoc netsh: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > firewall properties > IPsec Settings > Customize > Key exchange (Main Mode) > Advanced > Key lifetime, where Minutes (default 480) and Sessions (default 0, unlimited) are the two values; the PowerShell equivalent is Set-NetIPsecMainModeCryptoSet -MaxMinutes 480 -MaxSessions 0, or whatever cap you chose. Don't hand-edit registry values for this: the setting lives in the firewall policy store, and GPO or PowerShell are the supported ways to set it. Finally, keep both endpoints patched, and if you're still on Windows Server 2012 R2 or older, plan the upgrade: those versions are out of support and no longer receive IKE fixes.
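A monitor for the second tip, as an added example that is not from the original article: it reads the effective session cap from the main mode crypto sets, counts live quick mode SAs per peer, and writes an Application-log warning for any peer at or above the threshold. The 80 percent threshold, the IPsecQmMonitor event source, the RemoteEndpoint property assumption, and the use of event ID 13884 (the decimal value of 0x363C) for the entry are my choices.

```powershell
# Added example (not from the original page): warn before a peer reaches the
# quick-mode-per-main-mode cap. Run from a scheduled task in an elevated
# context on the VPN responder. Threshold and event source are illustrative.

function Test-QuickModeSessionHeadroom {
    param([ValidateRange(1, 100)] [int] $ThresholdPercent = 80)

    # The lowest non-zero MaxSessions across main mode crypto sets is taken as
    # the effective cap. 0 means unlimited, so there is nothing to watch.
    $caps = Get-NetIPsecMainModeCryptoSet |
        Where-Object { $_.MaxSessions -gt 0 } |
        Select-Object -ExpandProperty MaxSessions
    if (-not $caps) {
        return [pscustomobject]@{ Cap = 0; Alerts = @() }
    }
    $cap   = ($caps | Measure-Object -Minimum).Minimum
    $limit = [math]::Ceiling($cap * $ThresholdPercent / 100)

    # Count quick mode SAs per remote peer (assumes the SA objects expose
    # RemoteEndpoint) and keep the peers at or above the threshold.
    $alerts = Get-NetIPsecQuickModeSA |
        Group-Object -Property RemoteEndpoint |
        Where-Object { $_.Count -ge $limit } |
        ForEach-Object {
            [pscustomobject]@{
                RemoteEndpoint = $_.Name
                QuickModeSAs   = $_.Count
                Cap            = $cap
                PercentUsed    = [math]::Round(100 * $_.Count / $cap, 1)
            }
        }
    [pscustomobject]@{ Cap = $cap; Alerts = @($alerts) }
}

# Write one Application-log warning per peer over threshold so an existing
# log collector picks it up. Registering the source needs admin rights.
function Write-QuickModeSessionAlert {
    param([string] $Source = 'IPsecQmMonitor', [int] $ThresholdPercent = 80)
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    $result = Test-QuickModeSessionHeadroom -ThresholdPercent $ThresholdPercent
    foreach ($a in $result.Alerts) {
        $msg = "Peer $($a.RemoteEndpoint) has $($a.QuickModeSAs) quick mode SAs " +
               "($($a.PercentUsed)% of the $($a.Cap)-session main mode cap). " +
               "Expect ERROR_IPSEC_IKE_QM_LIMIT (0x363C) and a main mode renegotiation."
        Write-EventLog -LogName Application -Source $Source -EntryType Warning `
                       -EventId 13884 -Message $msg
    }
    $result
}

Write-QuickModeSessionAlert
```

Taking the minimum non-zero MaxSessions is deliberately conservative: different connection security rules can reference different crypto sets, and without mapping each peer to its rule the smallest cap is the one that can bite first. If every set reports 0 the function returns a zero cap and no alerts, which is the expected state on a host that never configured a session limit.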