Knowledge

ERROR_IPSEC_IKE_ADD_UPDATE_KEY_FAILED - 13860 (0x3624)

Failed to add Security Association to IPsec Driver. The most common cause for this is if the IKE negotiation took too long to complete. If the problem persists, reduce the load on the faulting machine.

Updated: Feb 21, 2026

Technical Background

The ERROR_IPSEC_IKE_ADD_UPDATE_KEY_FAILED error (13860, 0x3624) indicates a failure in the IPsec driver to add or update a Security Association (SA) during Internet Key Exchange (IKE) negotiation. This error is specific to the IPsec subsystem and its interaction with IKE.

Error Details

The primary cause of this error is typically related to timing issues during the IKE negotiation process. The negotiation may have taken too long, leading to a failure in adding or updating the SA within the expected timeframe by the IPsec driver.

Common Causes

  • Exceeding Negotiation Time Limits: The IKE negotiation process did not complete within the allowable time frame set by the system or application.
  • Resource Constraints: Insufficient resources, such as processing power or memory, may have prevented the completion of the SA addition or update.

Real-World Context

This error can occur in various scenarios where IPsec is used for secure communication. For example, it might be encountered during the initial setup of a secure connection between two endpoints or when attempting to modify an existing SA due to changes in security policies.

Is This Error Critical?

The criticality of this error depends on the context and the impact on the system's ability to establish or maintain secure communications. If the error persists, it may lead to communication failures or security vulnerabilities.

How to Diagnose

To diagnose this issue, follow these steps:

  1. Review Operation Context: Ensure that the IKE negotiation is being initiated under appropriate conditions and not in a context where timing constraints are too tight.
  2. Validate Parameters: Check all parameters passed during the IKE negotiation process for validity and correctness.
  3. Confirm Object Types: Verify that the objects involved (e.g., Security Associations) are of the correct type and properly configured.
  4. Verify Input Data: Ensure that any input data required by the IPsec driver is valid and not corrupted.
  5. Check Limits or Constraints: Confirm that system limits, such as maximum number of concurrent SA updates, have not been exceeded.

How to Resolve

To resolve this issue, consider the following steps:

  1. Correct Parameter Usage: Ensure all parameters are correctly set according to the expected values and constraints.
  2. Adjust Operation Context: If timing issues are suspected, adjust the operation context to allow for longer negotiation times or reduce the load on the system during negotiations.
  3. Restore Data: In cases where data corruption is a factor, restore the correct configuration or data.
  4. Retry Operation with Valid Inputs: Attempt to reinitiate the IKE negotiation process with valid inputs and ensure that all prerequisites are met.

Developer Notes

When developing applications that use IPsec for secure communication, it is crucial to handle timing constraints appropriately and ensure that all parameters and configurations are correct. Developers should also be aware of system limits and resource constraints that may impact the successful establishment or modification of Security Associations.

Related Errors

  • ERROR_IPSEC_IKE_NEGOTIATION_FAILED (13859, 0x3623): Indicates a failure in initiating IKE negotiation.
  • ERROR_IPSEC_IKE_PROCESSING_ERROR (13874, 0x365e): Indicates an error during the processing of IKE messages.

FAQ

Q: What does the ERROR_IPSEC_IKE_ADD_UPDATE_KEY_FAILED error mean?

A: This error indicates a failure in adding or updating a Security Association due to timing issues during IKE negotiation.

Q: How can I prevent this error from occurring?

A: Ensure that all parameters are correctly set, verify object types and input data, and adjust operation context if necessary to avoid timing constraints.

Q: What is the impact of this error on system security?

A: If not addressed, this error may lead to communication failures or security vulnerabilities due to unestablished secure connections.

Summary

The ERROR_IPSEC_IKE_ADD_UPDATE_KEY_FAILED error (13860, 0x3624) is a specific issue related to the IPsec driver's inability to add or update Security Associations during IKE negotiation. It can be caused by timing issues and resource constraints. Proper diagnosis and resolution involve validating parameters, adjusting operation context, and ensuring correct data and configurations.