diff --git a/sys/kern/uipc_ktls.c b/sys/kern/uipc_ktls.c
index 66ce1b5a081d..35009ad77722 100644
--- a/sys/kern/uipc_ktls.c
+++ b/sys/kern/uipc_ktls.c
@@ -1406,6 +1406,9 @@ ktls_enable_tx(struct socket *so, struct tls_enable *en)
 	if (error)
 		return (error);
 
+	/* some ktls offload NICs require initial seqno to start offload */
+	tls->initial_offload_seqno = be64dec(en->rec_seq);
+
 	/* Prefer TOE -> ifnet TLS -> software TLS. */
 #ifdef TCP_OFFLOAD
 	error = ktls_try_toe(so, tls, KTLS_TX);
diff --git a/sys/sys/ktls.h b/sys/sys/ktls.h
index a940bcfaba25..6c7e7d3c5ee3 100644
--- a/sys/sys/ktls.h
+++ b/sys/sys/ktls.h
@@ -221,9 +221,12 @@ struct ktls_session {
 	bool tx;
 	bool sync_dispatch;
 	bool sequential_records;
-
-	/* Only used for TLS 1.0. */
-	uint64_t next_seqno;
+	union {
+		/* Only used for TLS 1.0. */
+		uint64_t next_seqno;
+		/* Needed by some ktls offload NICs */
+		uint64_t initial_offload_seqno;
+	};
 	STAILQ_HEAD(, mbuf) pending_records;
 
 	/* Used to destroy any kTLS session */