0X00003648

Fix ERROR_IPSEC_IKE_TOO_MANY_FILTERS 0X00003648

Windows Errors · Intermediate · May 26, 2026

This error means IPsec has too many dynamic filters. Usually caused by third-party VPN software or bad firewall rules. Here's how to clear them out.

You're setting up a VPN connection—maybe L2TP/IPsec or IKEv2—and it bombs out with this error. The connection just won't establish, and Event Viewer shows ERROR_IPSEC_IKE_TOO_MANY_FILTERS (0X00003648). I've seen this most often after someone installed a third-party VPN client (like Cisco AnyConnect or a SonicWall client) and then uninstalled it but left filters behind. Or you've got a misconfigured firewall rule that's spamming the IPsec Security Association (SA) with dynamic filters. Either way, you've hit the default limit of 256 dynamic filters in the IKEEXT service, and Windows won't add more until you clean house.

What's happening under the hood

The IKEEXT service manages IPsec policies and filters. Dynamic filters are temporary rules that get added when a VPN connection starts. Normally they clean themselves up when the connection drops. But if something crashes or doesn't release those filters—like a buggy VPN driver or a stuck service—they pile up. Once you cross 256, any new connection request fails with this error.

I had a client last month whose entire print queue died because of this—well, not the queue itself, but the VPN to their print server died. Every hour they'd get this error. Turned out the SonicWall Global VPN client they'd uninstalled three months ago left 200+ orphaned filters. Classic.

Fix it: clear the filters and stop the leak

Here's the step-by-step. You'll need admin rights. No reboot required for the first part, but you'll need one later to be safe.

Step 1: Check the current filter count

Open an elevated Command Prompt (right-click, Run as administrator) and run:

netsh ipsec dynamic show all

Scroll to the bottom. You'll see something like "Total dynamic filters: 278". If it's over 256, that's your problem.

Step 2: Delete all dynamic filters

Still in the same command prompt, run:

netsh ipsec dynamic delete all

This wipes every dynamic filter—including any your current VPN needs temporarily. That's fine. The next time you connect, it'll recreate fresh ones. Run the show command again to confirm the count drops to zero or near zero.

Step 3: Restart the IKEEXT service

This forces a clean slate. Run:

net stop IKEEXT & net start IKEEXT

If the service won't stop, you can force it with sc stop IKEEXT, but that's rare. After the restart, try your VPN again.

Step 4: Find and kill the filter leak

If you don't fix the source, the filters will just grow back in a day. Here's how to find the culprit:

  • Open Event Viewer, go to Applications and Services Logs > Microsoft > Windows > IKEEXT.
  • Look for warnings or errors with event IDs 4650 or 4651. These log when filters are added. Note the source process name (like svchost.exe with a specific PID).
  • Check Task Manager for that PID. If it's tied to a third-party service (e.g., SavService.exe from Sophos, or vpnagent.exe from Cisco), disable or update it.
  • If it's svchost.exe hosting the Remote Access or Routing and Remote Access service, you might have a stale VPN adapter or route. In that case, uninstall the VPN adapter from Network Connections, then delete it from Device Manager (show hidden devices).

Step 5: Prevent it from happening again

If you can't fix the leak, you can raise the limit. The default is 256, but you can bump it to 512 or 1024. This is a registry edit, so back it up first.

  • Open regedit as admin.
  • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters.
  • Create a DWORD (32-bit) named MaxDynamicFilters.
  • Set it to 512 (decimal) or 1024 if you're feeling brave.
  • Reboot.

I've used 512 for years on servers that run multiple VPN tunnels. Never had a problem.
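
Steps 1 to 3 and Step 5 as one PowerShell script, added here as an example (it is not part of the original article). It saves the output of the show command before the wipe, so the orphaned filters can still be examined for Step 4 after they are deleted. The output folder and function names are hypothetical, and the count parser assumes the "Total dynamic filters" line quoted in Step 1.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): Steps 1-3 and 5 as one script.
$ErrorActionPreference = 'Stop'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $env:ProgramData 'ipsec-filter-cleanup'   # hypothetical folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

function Get-DynamicFilterCount {
    param([string]$SavePath)
    # Step 1: dump the dynamic state; optionally keep a copy on disk
    $text = netsh ipsec dynamic show all | Out-String
    if ($SavePath) { Set-Content -Path $SavePath -Value $text }
    # Assumption: summary line has the form quoted in Step 1
    if ($text -match 'Total dynamic filters:\s*(\d+)') { return [int]$Matches[1] }
    return $null   # summary line not found in this output
}

function Set-DynamicFilterLimit {
    param([ValidateSet(512, 1024)][int]$Limit)
    $sub = 'SYSTEM\CurrentControlSet\Services\IKEEXT\Parameters'
    # Step 5: back the key up first, and refuse to write if the backup fails
    reg.exe export "HKLM\$sub" (Join-Path $outDir "IKEEXT-Parameters-$stamp.reg") /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; limit not changed.' }
    New-ItemProperty -Path "HKLM:\$sub" -Name 'MaxDynamicFilters' `
        -PropertyType DWord -Value $Limit -Force | Out-Null
}

$before = Get-DynamicFilterCount -SavePath (Join-Path $outDir "filters-before-$stamp.txt")
Write-Host "Dynamic filters before cleanup: $before"
netsh ipsec dynamic delete all | Out-Null      # Step 2
Restart-Service -Name IKEEXT -Force            # Step 3
$after = Get-DynamicFilterCount
Write-Host "Dynamic filters after cleanup: $after"

# Step 5, only if the leak cannot be fixed at its source (Step 4):
# Set-DynamicFilterLimit -Limit 512
# Restart-Computer
```

Run it from an elevated PowerShell window. The saved filters-before file is the record to compare against the process names found in Step 4.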

What if it still fails?

After clearing filters and restarting, if the error returns immediately:

  • Check for third-party firewall software. Things like Norton, McAfee, or even Windows Defender's advanced features can inject IPsec rules. Temporarily disable them.
  • Look at your IPsec policies. Run secpol.msc and see if there are aggressive connection security rules that auto-add filters. You might need to delete or disable custom rules.
  • If you're using a VPN client, reinstall it clean. I've seen older versions of the Cisco AnyConnect client leak filters like a sieve. Update to the latest.
  • As a last resort, do a netsh int ip reset and netsh winsock reset, then reboot. That's the nuclear option, but it clears Winsock corruption that sometimes triggers IPsec filter storms.

Any one of these steps should get you back online. If not, you've got a deeper issue, like a kernel driver that's creating filters—that's rare, but it happens. In that case, check the System log for driver-related errors and update your NIC drivers.
