Fixed: STATUS_FWP_TOO_MANY_SUBLAYERS (0XC0220036)

Windows Errors · Intermediate · Jun 13, 2026

This error means your Windows Filtering Platform has hit the 256 sublayer limit. It usually happens after uninstalling VPNs or security software that leave orphaned sublayers behind.

What’s happening when you see 0XC0220036

Windows Filtering Platform (WFP) has a hard limit of 256 sublayers. Each sublayer is a container that holds filters for things like firewall rules, VPN connections, or security software. Once you cross that limit — usually because an uninstall didn’t clean up after itself — any operation that tries to create a new sublayer fails with STATUS_FWP_TOO_MANY_SUBLAYERS (0XC0220036).

You’ll see this error in event logs, in the output of netsh wfp show state, or when a new VPN client or security tool tries to install its sublayer. The error message looks like “The maximum number of sublayers has been reached.”

The fix is straightforward: find the leftover sublayers and delete them. I’ll walk you through three approaches, starting with the one that works 90% of the time.

Cause #1: Orphaned sublayers from old VPN or security software

This is the most common cause. When you uninstall a program like Cisco AnyConnect, NordVPN, McAfee, or Symantec, it often leaves WFP sublayers behind. Those sublayers don’t get removed because the uninstaller doesn’t call the right cleanup APIs. Over time — after a few install/uninstall cycles — you hit that 256 cap.

What you need to do: Open an elevated Command Prompt or PowerShell. I’ll use PowerShell here because it’s easier to filter and format the output.

  1. Press Windows + X and pick “Windows Terminal (Admin)” or “PowerShell (Admin)”.
  2. Run this command to list all WFP sublayers:
    netsh wfp show sublayers
    This will dump a ton of text. Look for sublayers with names that match old software, like “Cisco AnyConnect”, “NordVPN”, “McAfee”, “Symantec”, or any GUID you don’t recognize. The output includes a SubLayerKey (a GUID) and a display name.
  3. After you identify the orphaned sublayers, note their GUIDs. Then run the delete command for each one:
    netsh wfp delete sublayer <SubLayerKey>
    Replace <SubLayerKey> with the actual GUID, like {12345678-1234-1234-1234-123456789abc}.
  4. After deleting a few, run netsh wfp show sublayers again to verify the count dropped. The total shows at the bottom of the output.

Expected outcome: After deleting the orphaned sublayers, the error should stop appearing. Try reinstalling the software that triggered the error. If you deleted the right ones, the installation will succeed.

Cause #2: Third-party firewall or security suite that won’t stop creating sublayers

Some security suites — especially older ones from Kaspersky, Bitdefender, or ESET — have bugs where they leak sublayers during updates or rule changes. Each time the software refreshes its rules, it creates a new sublayer without deleting the old one. You might not notice until an unrelated app tries to add its own sublayer and fails.

The diagnostic sign: If you run netsh wfp show sublayers and see dozens of sublayers with the same vendor name but slightly different GUIDs, that’s your culprit.

  1. Open an elevated PowerShell window again.
  2. Run this command to get a quick count:
    netsh wfp show sublayers | Select-String "SubLayerKey" | Measure-Object | Select-Object Count
    If the count is over 250, you’ve got a leak.
  3. Temporarily disable or uninstall the security suite. That often deletes the sublayers it owns. If not, you’ll need to manually delete them using the same netsh wfp delete sublayer command from Cause #1.
  4. After cleaning up, reinstall the latest version of the security suite. Most vendors fixed the leak in newer builds.

One thing to watch: If you uninstall the security suite and the sublayers don’t go away, the suite didn’t register a cleanup callback. In that case, you have to nuke them manually. I’d suggest deleting all sublayers that match the vendor’s naming pattern — but be careful not to delete system sublayers like “Microsoft Windows Firewall” or “Base Filtering Engine”. System sublayers start with “FWPM_LAYER” or names that include “Microsoft”.
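The duplicate-name check from Cause #2, as an added read-only example (not part of the original article): it parses the XML export written by netsh wfp show state, counts sublayers, and groups third-party ones by display name. The /wfpstate/subLayers/item layout, the Get-WfpSubLayer helper, and the sample names and GUIDs are assumptions constructed for illustration.

```powershell
# Added example: read-only audit of WFP sublayers from a state export.
# On a live system, produce and load the export from an elevated prompt:
#   netsh wfp show state file=C:\Temp\wfpstate.xml
#   [xml]$state = Get-Content C:\Temp\wfpstate.xml -Raw
# Constructed sample below; element names are assumed to match the export layout.
[xml]$state = @'
<wfpstate>
  <subLayers>
    <item><subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey><displayData><name>Sample built-in sublayer</name></displayData></item>
    <item><subLayerKey>{11111111-0000-0000-0000-000000000001}</subLayerKey><displayData><name>ExampleVPN Sublayer</name></displayData></item>
    <item><subLayerKey>{11111111-0000-0000-0000-000000000002}</subLayerKey><displayData><name>ExampleAV Sublayer</name></displayData></item>
    <item><subLayerKey>{11111111-0000-0000-0000-000000000003}</subLayerKey><displayData><name>ExampleAV Sublayer</name></displayData></item>
    <item><subLayerKey>{11111111-0000-0000-0000-000000000004}</subLayerKey><displayData><name>ExampleAV Sublayer</name></displayData></item>
  </subLayers>
</wfpstate>
'@

function Get-WfpSubLayer {
    param([Parameter(Mandatory)][xml]$State)
    foreach ($node in $State.SelectNodes('/wfpstate/subLayers/item')) {
        $key  = $node.SelectSingleNode('subLayerKey')
        $name = $node.SelectSingleNode('displayData/name')
        $keyText  = if ($null -ne $key)  { $key.InnerText.Trim() }  else { '' }
        $nameText = if ($null -ne $name) { $name.InnerText.Trim() } else { '(no name)' }
        [pscustomobject]@{
            Key    = $keyText
            Name   = $nameText
            # Heuristic based on the article: symbolic FWPM_ keys and Microsoft names are system-owned.
            System = ($keyText -like 'FWPM_*') -or ($nameText -match 'Microsoft')
        }
    }
}

$all        = @(Get-WfpSubLayer -State $state)
$thirdParty = @($all | Where-Object { -not $_.System })

"Total sublayers: $($all.Count) (third-party: $($thirdParty.Count))"

# The same display name repeated under different GUIDs is the leak sign described under Cause #2.
$thirdParty | Group-Object Name | Where-Object Count -gt 1 |
    Select-Object Name, Count | Format-Table -AutoSize

# Review list only: nothing is deleted here.
$thirdParty | Sort-Object Name, Key | Format-Table Name, Key -AutoSize
```

Saving the export before and after a cleanup gives a record of which keys were present, which helps when a removed sublayer turns out to belong to software still in use.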

Cause #3: Corrupted or misconfigured Windows Filtering Platform store

This one’s rare, but I’ve seen it happen after a botched Windows update or a system restore that didn’t fully restore the WFP state. In this case, the sublayer count itself might be under 256, but the internal store is corrupted — so WFP thinks it’s full and throws the error.

How to check: Run netsh wfp show sublayers and look at the last line. If it says “Total: 200” but you still get the error, suspect corruption.

  1. Open an elevated Command Prompt.
  2. Reset the WFP store with this command:
    netsh wfp reset
    This resets the entire WFP configuration. It will remove all sublayers — including the ones from your current firewall and VPN software. You’ll need to reinstall those after.
  3. Reboot the machine.
  4. Reinstall your VPN client, firewall, or security software one at a time. Test the error after each install.

Important: This is a hard reset. Don’t do this lightly. It’ll wipe all WFP state, which means any custom firewall rules, IPsec policies, or app container rules will vanish. Only use this as a last resort if the manual deletion didn’t work and you’re still hitting the cap.

Quick-reference summary table

| Cause | Symptoms | Fix | Time to fix |
|---|---|---|---|
| Orphaned sublayers from old VPN/security software | Sublayer count near 256; leftover GUIDs from old apps | netsh wfp delete sublayer <GUID> for each orphan | 10-20 minutes |
| Third-party security suite leaking sublayers | Many sublayers with same vendor name; count grows over time | Uninstall suite, delete its sublayers, reinstall latest version | 30 minutes |
| Corrupted WFP store | Error appears even with sublayer count under 256 | netsh wfp reset then rebuild | 1 hour (including reinstalls) |

Start with Cause #1. It’s the most common and least destructive. If you’re comfortable with PowerShell, you can even script the deletion of sublayers by name — but I’d recommend doing it manually the first time so you don’t accidentally delete something important. The extra few minutes are worth the peace of mind.
