IPsec IKE GetSPIFail 0x00003621 — Quick Fixes

Server & Cloud · Intermediate · Jun 8, 2026

Windows can't get a security parameter index (SPI) from the IPsec driver. Usually it's a stuck driver or a policy mismatch. We'll hit the three most common causes and get you back up.

Cause #1: IPsec Driver Service Is Stuck or Corrupted

This is the one I see most often. The IPsec driver (IKEEXT) gets into a weird state — it's running but not actually responding. This happens after a Windows Update that didn't finish clean, or if you've had a VPN connection that crashed hard. The error 0x00003621 pops up when a new Security Association (SA) tries to negotiate and the driver can't hand out a fresh SPI.

Here's how to fix it. Restart the IPsec services. This clears out any dead sessions and forces the driver to re-register itself with the kernel.

  1. Open an elevated command prompt. Press Windows + X and pick Command Prompt (Admin) or Windows PowerShell (Admin).
  2. Type these commands one at a time, hitting Enter after each:
    net stop IKEEXT
    net stop PolicyAgent
    net start PolicyAgent
    net start IKEEXT
  3. After net start IKEEXT, wait 10 seconds. You should see "The IPsec Keying Modules service was started successfully."
  4. Now try your VPN or IPsec connection again. If it works, you're done. If not, move to the next cause.

Pro tip: If restarting the services doesn't stick, or you get access denied when stopping, reboot the server. A full restart flushes everything — drivers, kernel state, the whole thing. I've seen a reboot clear this error when nothing else would.
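The same restart as a script, so you can confirm each service really reached Stopped and Running instead of eyeballing net start output. This is an added example, not from the original post; it uses only the two service names the post gives (IKEEXT, PolicyAgent), the post's stop/start order and its 10-second settle time, and finishes by pulling recent IPsec/IKE entries from the System log so a failed start is visible without opening Event Viewer.

```powershell
# Added example (not from the original post): restart the IPsec services in
# the post's order and verify each state change. Run from an elevated prompt.
#Requires -RunAsAdministrator

$services = 'IKEEXT', 'PolicyAgent'   # service names used in the post

function Show-ServiceState {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction Stop
        '{0,-12} {1,-45} {2}' -f $svc.Name, $svc.DisplayName, $svc.Status
    }
}

'Before:'; Show-ServiceState $services

# Stop IKEEXT first, then PolicyAgent, waiting up to 30 s for each to reach
# Stopped. -Force also stops dependents so the stop does not hang; a timeout
# throws, which is the "access denied / won't stick" case the post says to reboot for.
foreach ($name in 'IKEEXT', 'PolicyAgent') {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
}

# Start in reverse order (PolicyAgent, then IKEEXT), as in the manual steps.
foreach ($name in 'PolicyAgent', 'IKEEXT') {
    Start-Service -Name $name -ErrorAction Stop
    (Get-Service -Name $name).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
Start-Sleep -Seconds 10   # the post's 10-second settle time

'After:'; Show-ServiceState $services

# Anything IPsec/IKE-related logged in the last 15 minutes. Get-WinEvent errors
# when nothing matches, so that is silenced; an empty result just means no events.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddMinutes(-15) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'IPsec|IKE' } |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap
```

If WaitForStatus throws a timeout on the stop, that is the situation the pro tip above describes: stop trying to restart the services and reboot the server.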

Cause #2: Registry Key for SPI Pool Size Is Too Small

Windows reserves a pool of SPIs for IPsec. On a busy server — one handling dozens of VPN tunnels or lots of site-to-site connections — that pool can run dry. The driver then can't allocate a new SPI, and you get 0x00003621. This is especially common on Windows Server 2016 and 2019 builds that have the IPsec feature enabled with default settings.

The fix is to increase the SPI pool size via the registry. Here's the exact key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\

  1. Open Regedit (press Windows + R, type regedit, hit Enter).
  2. Go to the path above. If the IPsec key doesn't exist under Services, create it: right-click Services > New > Key, name it IPsec.
  3. Inside the IPsec key, right-click in the right pane > New > DWORD (32-bit) Value. Name it MaxSPI.
  4. Double-click MaxSPI, set Base to Decimal, and enter 10000 (that's 10,000 SPIs — safe and usually enough).
  5. Click OK and close Regedit.
  6. Reboot the server for the change to take effect. After the restart, try your connection again.

You might ask: why not set it higher? Because each SPI uses a small amount of non-paged pool memory. Setting it to 65535 (the max) could cause problems on servers with limited RAM. Stick with 10000 unless you see the error again — then bump it to 20000.
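Here is the registry change scripted so it can be audited and reverted. This is an added example, not from the original post: the key path, the MaxSPI value name and the 10000 target are exactly what the post gives above and are not independently verified here. The script exports the existing key before touching it, creates the key or value only if missing, and never lowers a value that is already higher, so it is safe to run twice.

```powershell
# Added example (not from the original post): set the post's MaxSPI value with a
# backup first. Key/value names and the 10000 target are taken from the post.
# Requires an elevated prompt; a reboot is still needed afterwards.
#Requires -RunAsAdministrator

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$regExport = 'HKLM\SYSTEM\CurrentControlSet\Services\IPsec'   # same key, reg.exe syntax
$valueName = 'MaxSPI'
$target    = 10000
$backup    = Join-Path $env:TEMP ('IPsec-key-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path $keyPath)) {
    # Step 2 of the post: the key may not exist yet on a default install.
    New-Item -Path $keyPath -Force | Out-Null
    "Created $keyPath"
} else {
    # Export before changing anything; revert later with: reg import <file>
    reg.exe export $regExport $backup /y | Out-Null
    "Existing key exported to $backup"
}

$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    # Step 3/4: new REG_DWORD, decimal 10000.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $target | Out-Null
    "$valueName was not set; created it as $target (decimal)."
} elseif ($current -lt $target) {
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $target
    "$valueName raised from $current to $target."
} else {
    # Already at or above the target: the SPI pool is not the problem here.
    "$valueName is already $current; leaving it alone. Look at the other causes."
}

# Show what is actually on disk now (the driver reads it at next boot).
Get-ItemProperty -Path $keyPath -Name $valueName | Select-Object $valueName
```

Keep the exported .reg file with your change record; if the value turns out not to help, `reg import` of that file puts the key back exactly as it was.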

Cause #3: Conflicting Third-Party Firewall or Antivirus

This one's sneaky. A third-party security suite — like Symantec Endpoint Protection, McAfee, or even some versions of Malwarebytes — can hook into the Winsock stack and interfere with IPsec. The driver can't allocate an SPI because the filter driver from the antivirus is blocking the call to the kernel's IPsec module.

The quick test: temporarily disable the third-party firewall or antivirus. No need to uninstall yet. If the error goes away, you've found the culprit.

  1. Right-click the antivirus or firewall icon in the system tray (near the clock).
  2. Select Disable or Pause protection. Usually you can pick a duration — choose 30 minutes or 1 hour.
  3. Try your IPsec connection. If it works, the security software is the problem.
  4. Now you need to add an exception or exclusion for IPsec traffic. Open your security software's settings and look for Firewall Rules or Application Control. Add an allow rule for C:\Windows\System32\svchost.exe that includes UDP ports 500 and 4500 (standard IKE ports). Also allow the service IKEEXT.
  5. Re-enable protection and test again.

If the error comes back after adding the rule, you might need to uninstall the security software completely and use Windows Defender instead. I've had cases where even with exclusions, the driver-level hook still blocks SPI allocation. It's rare but it happens.
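Before pausing any security product, it is worth checking two things from the host itself: whether the IKEEXT svchost actually owns UDP 500 and 4500, and which running kernel drivers are not Microsoft-signed (a security suite's network filter driver would appear there). This is an added, read-only example, not from the original post; the port numbers come from the post, and the function names are my own.

```powershell
# Added example (not from the original post): read-only diagnostics for the
# third-party-filter case. Changes nothing on the system.

function Get-IkePortOwners {
    # IKEEXT lives in a shared svchost.exe; ask the Service Control Manager for its PID.
    $ikeSvc = Get-CimInstance -ClassName Win32_Service -Filter "Name='IKEEXT'"
    $ikePid = if ($ikeSvc) { [int]$ikeSvc.ProcessId } else { 0 }

    foreach ($port in 500, 4500) {          # IKE and NAT-T ports named in the post
        $endpoints = @(Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue)
        if ($endpoints.Count -eq 0) {
            [pscustomobject]@{ Port = $port; Owner = '(nothing bound)'; OwnerPid = $null; IsIkeext = $false }
            continue
        }
        foreach ($ep in $endpoints) {
            $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port     = $port
                Owner    = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                OwnerPid = $ep.OwningProcess
                IsIkeext = ($ikePid -ne 0 -and $ep.OwningProcess -eq $ikePid)
            }
        }
    }
}

function Get-NonMicrosoftRunningDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            # PathName is usually C:\Windows\system32\drivers\x.sys, but some entries
            # use \??\ or \SystemRoot prefixes; normalise and skip what cannot be resolved.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not ($path -and (Test-Path -LiteralPath $path))) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            # '(unsigned)' can also mean catalog-signed; verify before drawing conclusions.
            if ($signer -notmatch 'Microsoft') {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; Signer = $signer }
            }
        }
}

'UDP 500/4500 ownership (IsIkeext should be True on both):'
Get-IkePortOwners | Format-Table -AutoSize

'Running drivers not signed by Microsoft (candidates for the filter-driver conflict):'
Get-NonMicrosoftRunningDrivers | Format-Table -AutoSize
```

If both ports show IsIkeext = True and the driver list is empty apart from your NIC vendor, the security suite is an unlikely culprit and you can skip the disable test. If a port is unbound or owned by another process, that is the thing to chase first.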

Quick-Reference Summary Table

| Cause | Symptoms | Fix | Time to fix |
| --- | --- | --- | --- |
| IPsec driver service stuck | Error after a crashed VPN or a recent Windows Update | Restart IKEEXT and PolicyAgent services (or reboot) | 2-5 minutes |
| SPI pool exhausted | Busy server with many tunnels; error under load | Increase MaxSPI registry value to 10000 | 10 minutes |
| Third-party security software blocking | Error only when security software is active; works when disabled | Add firewall exception for IKEEXT or uninstall the security suite | 15-30 minutes |

If none of these work, you might be dealing with a corrupted IPsec policy store. Run netsh ipsec static reset from an admin prompt — but know this will wipe all your custom IPsec rules. Use it only as a last resort. Also check the System event log for errors from the IPsec source with ID 4294 or 4284 — those can point to a hardware issue (like a bad NIC driver). In that case, update your network adapter driver from the manufacturer's site, not Windows Update.
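Because the reset wipes custom rules, back the policy store up first and look at the event log before deciding. This is an added example, not from the original post: it queries the System log for the event IDs the post names (4294 and 4284, taken from the post as given), shows the current NIC driver provider and version so you can compare against the vendor's release, and exports both the legacy IPsec policy store and the advanced firewall policy. It deliberately does not run the reset.

```powershell
# Added example (not from the original post): evidence gathering and backups
# to do before "netsh ipsec static reset". Nothing here resets anything.
#Requires -RunAsAdministrator

$eventIds = 4294, 4284   # IDs from the post

# 1. IPsec/IKE events with those IDs. Get-WinEvent errors when nothing matches, so that is silenced.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $eventIds } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'IPsec|IKE' }

if ($events) {
    $events |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |   # first line of the message only
        Format-Table -Wrap
} else {
    "No IPsec/IKE events with IDs $($eventIds -join ', ') found in the System log."
}

# 2. Physical NIC driver details, to compare with the manufacturer's current release.
Get-NetAdapter -Physical |
    Select-Object Name, InterfaceDescription, DriverProvider, DriverVersion, DriverDate |
    Format-Table -AutoSize

# 3. Back up the legacy IPsec policy store (what "netsh ipsec static reset" clears)
#    and the advanced firewall policy, where connection security rules live.
$stamp        = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$policyBackup = Join-Path $env:TEMP "ipsec-policy-$stamp.ipsec"
$fwBackup     = Join-Path $env:TEMP "advfirewall-$stamp.wfw"

netsh.exe ipsec static exportpolicy file="$policyBackup"
netsh.exe advfirewall export "$fwBackup"

"Backups written:`n  $policyBackup`n  $fwBackup"
"Restore with:`n  netsh ipsec static importpolicy file=`"$policyBackup`"`n  netsh advfirewall import `"$fwBackup`""
```

Only once those two files exist, and the event log has not pointed at a NIC driver instead, run the reset from the admin prompt as described above.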