diff --git a/share/man/man4/ktls.4 b/share/man/man4/ktls.4
--- a/share/man/man4/ktls.4
+++ b/share/man/man4/ktls.4
@@ -204,6 +204,16 @@
 .Va kern.ipc.mb_use_ext_pgs
 sysctl controls whether the kernel may use unmapped mbufs.
 They are required for TLS transmit.
+.Pp
+When using TCP_TLS_MODE_IFNET on
+.Xr lagg 4
+interfaces, you must enable lagg's
+use_flowid option, either via setting the
+.Va net.link.lagg.default_use_flowid
+sysctl to 1 prior to creating the lagg, or by using the
+.Xr ifconfig 8
+.Va use_flowid
+flag.
 .Ss Supported Hardware
 The
 .Xr cxgbe 4
diff --git a/sys/net/if_lagg.c b/sys/net/if_lagg.c
--- a/sys/net/if_lagg.c
+++ b/sys/net/if_lagg.c
@@ -1848,11 +1848,13 @@
 {
 struct epoch_tracker et;
 const struct if_snd_tag_sw *sw;
+ struct lagg_softc *sc;
 struct lagg_snd_tag *lst;
 struct lagg_port *lp;
 struct ifnet *lp_ifp;
 struct m_snd_tag *mst;
 int error;
+ static bool warned;
 switch (params->hdr.type) {
 #ifdef RATELIMIT
@@ -1885,6 +1887,14 @@
 lp = lookup_snd_tag_port(ifp, params->hdr.flowid, params->hdr.flowtype, params->hdr.numa_domain);
 if (lp == NULL) {
+ sc = ifp->if_softc;
+ if (!warned && (sc->sc_opts & LAGG_OPT_USE_FLOWID) == 0 &&
+ (sc->sc_proto == LAGG_PROTO_LOADBALANCE ||
+ sc->sc_proto == LAGG_PROTO_LACP)) {
+ warned = true;
+ if_printf(ifp,
+ "Must enable use_flowid to use NIC kTLS or RATELIMIT. See lagg(4)\n");
+ }
 NET_EPOCH_EXIT(et);
 return (EOPNOTSUPP);
 }
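Review bot: `static bool warned;` in the declaration hunk (@@ -1848) is a single latch shared by every lagg interface, so the check added in the @@ -1885 hunk names only the first misconfigured lagg; any later lagg without use_flowid returns EOPNOTSUPP silently, and NIC kTLS requests on it presumably fall back to software TLS with nothing in the log to explain why. Keeping the message one-shot is worth preserving, since send-tag allocation looks reachable from socket options and an unthrottled `if_printf` would let callers fill the console, but the latch belongs in the softc: add a bool to struct lagg_softc (a new field, for example `sc_flowid_warned`) and use `if (!sc->sc_flowid_warned && ...` with `sc->sc_flowid_warned = true;`. The flag is also read and written without a lock, so concurrent callers can print the message more than once; that is harmless but deserves a one-line comment. The enclosing function starts and ends outside both hunks.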