diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -595,6 +595,8 @@
 	return (error);
 }
 
+uint64_t ktls_glob_gen = 1;
+
 static int
 ktls_create_session(struct socket *so, struct tls_enable *en,
     struct ktls_session **tlsp, int direction)
@@ -819,6 +821,8 @@
 			arc4rand(tls->params.iv + 8, sizeof(uint64_t), 0);
 	}
 
+	atomic_thread_fence_rel();
+	tls->gen = atomic_fetchadd_64(&ktls_glob_gen, 1);
 	*tlsp = tls;
 	return (0);
 }
@@ -861,6 +865,8 @@
 	memcpy(tls_new->params.cipher_key, tls->params.cipher_key,
 	    tls->params.cipher_key_len);
 
+	atomic_thread_fence_rel();
+	tls_new->gen = atomic_fetchadd_64(&ktls_glob_gen, 1);
 	return (tls_new);
 }
 
@@ -1940,6 +1946,8 @@
 
 	MPASS(tls->refcount == 0);
 
+	atomic_add_acq_64(&ktls_glob_gen, 1);
+
 	inp = tls->inp;
 	if (tls->tx) {
 		wlocked = INP_WLOCKED(inp);
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -206,9 +206,12 @@
 
 	/* Used to destroy any kTLS session */
 	struct task destroy_task;
+
+	uint64_t gen;
 } __aligned(CACHE_LINE_SIZE);
 
 extern unsigned int ktls_ifnet_max_rexmit_pct;
+extern uint64_t ktls_glob_gen;
 
 typedef enum {
 	KTLS_MBUF_CRYPTO_ST_MIXED = 0,
@@ -258,5 +261,11 @@
 		ktls_destroy(tls);
 }
 
+static inline bool
+ktls_session_genvis(const struct ktls_session *ks, uint64_t gen)
+{
+	return (ks != NULL && ks->gen <= gen);
+}
+
 #endif /* !_KERNEL */
 #endif /* !_SYS_KTLS_H_ */