rection)
@@ -819,6 +821,8 @@ ktls_create_session(struct socket *so, struct tls_enable *en,
 			arc4rand(tls->params.iv + 8, sizeof(uint64_t), 0);
 	}
 
+	atomic_thread_fence_rel();
+	tls->gen = atomic_fetchadd_64(&ktls_glob_gen, 1);
 	*tlsp = tls;
 	return (0);
 }
@@ -861,6 +865,8 @@ ktls_clone_session(struct ktls_session *tls, int direction)
 	memcpy(tls_new->params.cipher_key, tls->params.cipher_key,
 	    tls->params.cipher_key_len);
 
+	atomic_thread_fence_rel();
+	tls_new->gen = atomic_fetchadd_64(&ktls_glob_gen, 1);
 	return (tls_new);
 }
 
@@ -1940,6 +1946,8 @@ ktls_destroy(struct ktls_session *tls)
 
 	MPASS(tls->refcount == 0);
 
+	atomic_add_acq_64(&ktls_glob_gen, 1);
+
 	inp = tls->inp;
 	if (tls->tx) {
 		wlocked = INP_WLOCKED(inp);
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index 0e52d643fe3b..8dad53868686 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -206,9 +206,12 @@ struct ktls_session {
 
 	/* Used to destroy any kTLS session */
 	struct task destroy_task;
+
+	uint64_t gen;
 } __aligned(CACHE_LINE_SIZE);
 
 extern unsigned int ktls_ifnet_max_rexmit_pct;
+extern uint64_t ktls_glob_gen;
 
 typedef enum {
 	KTLS_MBUF_CRYPTO_ST_MIXED = 0,
@@ -258,5 +261,11 @@ ktls_free(struct ktls_session *tls)
 		ktls_destroy(tls);
 }
 
+static inline bool
+ktls_session_genvis(const struct ktls_session *ks, uint64_t gen)
+{
+	return (ks != NULL && ks->gen <= gen);
+}
+
 #endif /* !_KERNEL */
 #endif /* !_SYS_KTLS_H_ */