diff --git a/lib/secure-streams/secure-streams-serialize.c b/lib/secure-streams/secure-streams-serialize.c
index 94109fa01..a14b2b7e3 100644
--- a/lib/secure-streams/secure-streams-serialize.c
+++ b/lib/secure-streams/secure-streams-serialize.c
@@ -841,6 +841,15 @@ payload_ff:
 			if (par->ctr == sizeof(par->streamtype) - 1)
 				goto hangup;
 
+			/*
+			 * We can only expect to get this if we ourselves are
+			 * in the state that we're waiting for it.  If it comes
+			 * later it's a protocol error.
+			 */
+
+			if (*state != LPCSPROX_WAIT_INITIAL_TX)
+				goto hangup;
+
 			/*
 			 * We're the proxy, creating an SS on behalf of a
 			 * client