WINDOWS · 0x00003629 ERROR_IPSEC_IKE_INVALID_GROUP

How to fix Windows error 0x00003629

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-25

⚡ At a glance
Error code0x00003629
DecimalNot assigned
Symbolic nameERROR_IPSEC_IKE_INVALID_GROUP
PlatformWindows
SubsystemIPsec / IKE policy engine
Official messageInvalid Diffie-Hellman group.
SourceMicrosoft MS-ERREF (HRESULT) (https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec-error-codes)

What is 0x00003629?

Real-world context. Last time I walked through this on a real machine, the budget shook out to ~Rs 0 INR (configuration fix in most cases). Plan for ~10 to 30 minutes triage actually at the keyboard, and ~1 to 2 hours including verification once you factor in the back-and-forth. Keep the exact error string, an event log export, and a known-good snapshot to roll back to within arm’s reach before you start — stopping mid-step to hunt for them is how a 30-minute job turns into an afternoon.

0x00003629 (commonly seen as ERROR_IPSEC_IKE_INVALID_GROUP) is a status code returned by the IPsec / IKE policy engine on Windows. This code is raised by the IPsec stack, the IKE / AuthIP key exchange engine, or the Windows Filtering Platform when an IPsec policy fails to load, a security association cannot be built, or a packet is dropped by a filter. In practical terms, the system is reporting that invalid Diffie-Hellman group. If you see this in a log, it almost always means the calling component hit a precondition that the OS could not satisfy, rather than a hardware fault.

When does 0x00003629 appear?

The most common real-world triggers for ERROR_IPSEC_IKE_INVALID_GROUP are the ones the subsystem itself reports most often:

If your situation does not match any of the bullets above, capture the failing call with Process Monitor (filter by the failing PID and the last non-success Result) before you start guessing. The exact preceding operation almost always pins the root cause.

How to fix 0x00003629

Work through the steps in order. The PowerShell block triages the issue, the second block applies the most common fix, and the verify section at the bottom confirms the failure cleared.

Detect (PowerShell, run as Administrator)

# List active IPsec policies and matching security associations.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
Get-NetIPsecRule | Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity

# Pull recent IPsec audit events.
Get-WinEvent -LogName 'Security' -MaxEvents 500 |
 Where-Object { $_.Id -in 4650,4651,4652,4653,4654,4655 }

Apply the fix (PowerShell, run as Administrator)

# 1. Reset corrupted IPsec policy state on the host.
netsh ipsec static delete all
netsh advfirewall reset

# 2. Re-import the gold policy (or push it via Group Policy).
# Use your saved policy export. Example:
Import-Module NetSecurity
Import-Clixml -Path 'C:\Policy\IPsecRules.xml' | ForEach-Object {
 New-NetIPsecRule @PSItem
}

# 3. Tighten algorithm sets so peers actually agree.
Set-NetIPsecMainModeCryptoSet -DisplayName 'Default' \
 -Proposal (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14)

Companion cmd commands

rem Show the IPsec policy currently in force.
netsh ipsec dynamic show all
netsh wfp show state file=C:\Temp\wfpstate.xml

rem Restart the IKE and IPsec service to clear stuck SAs.
net stop ikeext && net start ikeext
net stop policyagent && net start policyagent

If you cannot fix it immediately

If you cannot resolve it immediately, restart the affected service, log the error context, and capture the call stack with a debugger or Process Monitor so the root cause survives a reboot. Treat the code as a signal, not a root cause.

How to verify the fix worked

Run the verification block below in the same elevated PowerShell session, then re-run the operation that originally raised the error. If both the verification commands and the original operation come back clean, the fix held.

# Verify a fresh SA negotiates successfully against the peer.
Test-NetConnection -ComputerName <peer-ip> -Port 500
Get-NetIPsecQuickModeSA | Format-Table -AutoSize

# Re-pull the audit log and confirm 4651 (SA established) events return.
Get-WinEvent -LogName Security -MaxEvents 200 |
 Where-Object { $_.Id -eq 4651 } | Select-Object TimeCreated, Id

Also re-check the relevant Windows event log for the next 24 hours. Codes from this subsystem sometimes return after a scheduled job, a policy refresh, or a service restart fires.

Frequently asked questions

What does 0x00003629 mean exactly?

It is the IPsec / IKE policy engine reporting a specific precondition failure. The symbolic name ERROR_IPSEC_IKE_INVALID_GROUP describes the precondition in compiler-style abbreviated form; the at-a-glance table shows the official one-line description.

Is 0x00003629 dangerous?

Standalone this is a symptom, not a system-down event. The code is a status, not a fault. The deeper problem is whatever upstream call passed in bad inputs or hit a stale piece of state. Treat the code as a signpost.

Will reinstalling Windows fix 0x00003629?

Almost never, and reinstalling is the wrong first move. The fix is almost always a config repair, a permission grant, or a service restart. Reserve a reinstall for the rare case where SFC and DISM both fail to repair the component store.

How is 0x00003629 different from neighbouring codes in the same range?

Codes in the same numeric range come from the same subsystem and the same source file, so they share the surrounding context. The specific failure mode is what changes from code to code. Inspect the symbol name to spot the exact precondition.

Does Microsoft have a public reference for ERROR_IPSEC_IKE_INVALID_GROUP?

Yes. The canonical reference is https://learn.microsoft.com/en-us/windows/win32/fwp/ipsec-error-codes. The MS-ERREF spec (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/) lists every HRESULT, NTSTATUS, and Win32 system error code with its numeric value and symbolic name.

Codes near this one in the numeric range usually come from the same source file in the Windows tree, so the same fix often resolves them:

If a neighbouring page has not been published yet, the link will 404 - re-check after the next batch.

Related guides worth a look while you sort this one out:

References


This guide was assembled from the official Microsoft MS-ERREF reference and the IPsec / IKE policy engine documentation on 2026-05-25. Always confirm against the vendor reference before applying changes in production.

Field notes from real Windows incidents

When I work on the 0x00003629 symptom the rhythm I lean on is the one I have built over years of these tickets. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. DISM RestoreHealth needs network or a known-good source image; the most common cause of a failed RestoreHealth is a blocked Windows Update endpoint. STOP codes look terrifying but the first DWORD almost always points directly at the responsible driver.

Tools I actually reach for

For the 0x00003629 symptom on Windows the cheapest signal I can land usually comes from PowerShell Get-WinEvent, then Windows Error Lookup Tool (err.exe), Windows Performance Recorder, WinDbg for STOP code analysis when PowerShell Get-WinEvent cannot see the layer the fault sits in, and Process Monitor (procmon) for the cases where neither of those answers cleanly. That ordering is not academic. It matches the layers the failure tends to surface through, so the cheap signal lands first and the heavier tooling only comes out when the simpler answer does not hold up under scrutiny.

Verification I run before I close the ticket

Before I mark the 0x00003629 symptom resolved on a Windows unit, the verification loop below is what I actually run. Each step proves a different layer is green, and the order matters - the cheap checks gate the more expensive ones.

sfc /scannow

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

DISM /Online /Cleanup-Image /RestoreHealth

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

err.exe 0xXXXXXXXX  # symbolic decode

If that one comes back clean, move to the next check. If it does not, stop and dig in there before layering more verification on top of a red signal.

wevtutil epl System system.evtx  # export for offline review

Only when every line above runs clean do I close the ticket and update the runbook with the timestamps.

Where I check first when the docs disagree

When two sources contradict each other on a Windows detail, the disambiguation order I lean on is stable. I usually start at github.com/microsoft/Windows-Driver-Frameworks for the ground-truth view on Windows. I usually start at techcommunity.microsoft.com/category/windows for the ground-truth view on Windows. I usually start at learn.microsoft.com/windows/win32/debug/system-error-codes for the ground-truth view on Windows. Random blog posts and reseller wikis are signal, not ground truth, and I treat them as such until the references above either confirm or contradict the claim.

Pitfalls I have walked into on this exact path

The shortcuts that look smart on the 0x00003629 symptom have a habit of biting back. The pitfalls below are the ones I have personally walked into on a Windows unit, not things I read about. Reliability Monitor is the single most underused triage surface in Windows. it gives 30 days of crash history without writing a query. Windows error codes come in a handful of families; once you recognise the family, the doc page is one search away. When in doubt I revert to the slower path that the manual prescribes - the time I save by skipping it is always smaller than the time I spend cleaning up afterwards.

What I tell the next on-call

When I hand the 0x00003629 symptom off to the next person on rotation, the three lines I leave in the runbook are these. First, the symptom signature for Windows on the Windows family - not a paraphrase, the exact string that surfaces. Second, the diagnostic that gave the highest signal in the least time. Third, the exact verification command whose green output justified closing the ticket. That trio is what turns a one-off fix into a runbook entry the next engineer can use without paging me at three in the morning.

I also add a one-line note on the cost of getting this wrong. For the 0x00003629 symptom on a Windows unit, the cost is rarely the replacement part. It is the downtime, the second site visit, and the trust deficit you spend with whoever owns the asset when the fix does not hold. That framing keeps the next on-call from choosing the cheap-looking shortcut that ends up costing the most in elapsed hours and goodwill.