
Fix STATUS_IPSEC_SA_LIFETIME_EXPIRED (0xC0360002)

Windows Errors | Intermediate | May 26, 2026

This error hits when an IPsec Security Association (SA) expires mid-connection. Usually tied to misconfigured VPN or firewall rules. Here's how to fix it.

When This Error Shows Up

You're connected to a remote network via IPsec VPN. Everything's fine. Then, mid-file transfer or during a Teams call, the connection drops. Check the event log and you see STATUS_IPSEC_SA_LIFETIME_EXPIRED (0xC0360002). This usually happens when the IPsec Security Association (SA) between your Windows machine and the VPN gateway or peer device hits its configured lifetime limit—either time-based (seconds) or data-based (kilobytes). I've seen it most often on Windows 10 22H2 and Server 2019 when the remote gateway uses aggressive rekey settings (like a 1-hour lifetime) but the Windows client expects a different value.

Root Cause

The IPsec SA is a negotiated agreement between two endpoints—it includes keys, algorithms, and a lifetime. When that lifetime expires, the SA is deleted. If a packet arrives after deletion, the receiver can't decrypt it and throws this error. The fix? Either extend the lifetime on both sides or force a rekey before expiration. Most often, the problem is asymmetric lifetimes: your Windows machine has a default of 8 hours, but the gateway uses 1 hour. When the gateway drops the SA, Windows still sends packets into a void.
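
The asymmetric-lifetime failure described above can be modelled directly. This is an added example, not code from the original article: it computes when each peer deletes the SA under its time-based and data-based limits, and the interval in which Windows still sends on an SA the gateway has already dropped. The 100000 KB gateway data limit and the traffic rates are assumed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SaLifetime:
    """Lifetime one peer enforces on an SA; 0 disables that limit."""
    seconds: int
    kilobytes: int = 0

    def expires_at(self, rate_kb_per_s: float) -> float:
        """Seconds after negotiation at which this peer deletes the SA."""
        limits = []
        if self.seconds > 0:
            limits.append(float(self.seconds))
        if self.kilobytes > 0 and rate_kb_per_s > 0:
            # Data-based limit: reached sooner the faster traffic flows.
            limits.append(self.kilobytes / rate_kb_per_s)
        return min(limits) if limits else float("inf")


def stale_window(local: SaLifetime, remote: SaLifetime,
                 rate_kb_per_s: float) -> Optional[Tuple[float, float]]:
    """Interval in which the remote peer has deleted the SA but the local
    peer still treats it as valid; None if the remote does not expire first."""
    local_end = local.expires_at(rate_kb_per_s)
    remote_end = remote.expires_at(rate_kb_per_s)
    return (remote_end, local_end) if remote_end < local_end else None


def matched(local: SaLifetime, remote: SaLifetime) -> SaLifetime:
    """Lifetime both peers can honour: the stricter value of each limit."""
    def stricter(a: int, b: int) -> int:
        return min(a, b) if a and b else max(a, b)
    return SaLifetime(stricter(local.seconds, remote.seconds),
                      stricter(local.kilobytes, remote.kilobytes))


# Constructed sample values: 8-hour client default and 1-hour gateway are from
# the text; the 100000 KB data limit and the traffic rates are assumptions.
CLIENT = SaLifetime(seconds=8 * 3600)
GATEWAY = SaLifetime(seconds=3600, kilobytes=100_000)

if __name__ == "__main__":
    for label, rate in (("idle session", 1.0), ("file transfer", 5000.0)):
        print(label, stale_window(CLIENT, GATEWAY, rate))
    print("configure both ends to:", matched(CLIENT, GATEWAY))
```

With these sample values the gateway's data limit expires the SA 20 seconds into a 5000 KB/s transfer, long before the 1-hour timer, which is why drops cluster around large file copies.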

Fix It in 4 Steps

Step 1: Check the Current IPsec Policy

Open an elevated Command Prompt (Run as Administrator) and run:

netsh ipsec static show policy all

Look for your active policy. Note the name—something like "MyVPNPolicy". You'll see the mmslifetime (main mode) and qmslifetime (quick mode) settings. If they're set to the default (480 minutes, 8 hours) and the remote device uses shorter values, you need to adjust.

Step 2: Modify the SA Lifetime

Still in the elevated prompt, set a shorter lifetime to match the remote end. Replace YourPolicyName with your actual policy name:

netsh ipsec static set policy name="YourPolicyName" mmslifetime=60 qmslifetime=60

This sets both main mode and quick mode lifetimes to 60 minutes (adjust to match your gateway's value—check with your network admin). If the remote uses data-based lifetime (in kilobytes), you can set that too with mmslifetimebytes and qmslifetimebytes.

Step 3: Force a Rekey (Immediate Fix)

If you need the connection back now without waiting for the next IKE negotiation, restart the IKE and AuthIP IPsec Keying Modules service (IKEEXT):

net stop IKEEXT & net start IKEEXT

This clears all active SAs and forces a fresh handshake. Your VPN client should reconnect automatically. If it doesn't, restart the VPN service (like RasMan for SSTP).

Step 4: Prevent Future Drops with a Registry Tweak

For persistent issues, especially with third-party VPN clients, add a registry key to extend the default SA lifetime globally. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\

Create a new DWORD (32-bit) named SaMaxLifetime and set it to 3600 (decimal) for 1 hour, or 28800 for 8 hours. Reboot. This overrides the default from PolicyAgent and applies to all IPsec SAs.

Still Failing?

If the error keeps coming back after the lifetime fix, check two things:

1) Confirm the remote gateway and Windows both use the same IKE version (IKEv1 vs IKEv2). Mixed versions can cause silent SA drops.

2) Run a packet capture with Wireshark or the built-in netsh trace. Filter for ESP and IKE traffic (the Wireshark display filters are esp and isakmp). If you see retransmits but no rekey responses, the gateway is ignoring your negotiation, so it's time to call your firewall team.

One more thing: if you're using a third-party VPN client (like Cisco AnyConnect or Palo Alto GlobalProtect), the client itself manages SA lifetimes. Check its logs—you'll often find a setting for "IPsec rekey interval" in the client config or the server-side profile. Bump that up.

I've had this error bite me on a Friday at 5 PM. The fix was adjusting the lifetime from 8 hours to 90 minutes. Don't waste your weekend—match the gateway's settings and you're golden.
