diff --git a/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java b/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java
index 1a1275a92a..481acd7245 100644
--- a/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java
+++ b/router/java/src/net/i2p/router/crypto/ratchet/ECIESAEADEngine.java
@@ -349,6 +349,7 @@ public final class ECIESAEADEngine {
         // part 2 - payload
         byte[] encpayloadkey = new byte[32];
         _hkdf.calculate(k_ba, ZEROLEN, INFO_6, encpayloadkey);
+        rcvr.initializeKey(encpayloadkey, 0);
         byte[] payload = new byte[data.length - (TAGLEN + KEYLEN + MACLEN + MACLEN)];
         try {
             rcvr.decryptWithAd(hash, data, TAGLEN + KEYLEN + MACLEN, payload, 0, payload.length + MACLEN);
@@ -659,8 +660,9 @@ public final class ECIESAEADEngine {
         // part 2 - payload
         byte[] encpayloadkey = new byte[32];
         _hkdf.calculate(k_ba, ZEROLEN, INFO_6, encpayloadkey);
+        sender.initializeKey(encpayloadkey, 0);
         try {
-            sender.encryptWithAd(tag, payload, 0, enc, TAGLEN + KEYLEN + MACLEN, payload.length);
+            sender.encryptWithAd(hash, payload, 0, enc, TAGLEN + KEYLEN + MACLEN, payload.length);
         } catch (GeneralSecurityException gse) {
             if (_log.shouldWarn())
                 _log.warn("Encrypt fail NSR part 2", gse);
diff --git a/router/java/src/net/i2p/router/crypto/ratchet/RatchetSKM.java b/router/java/src/net/i2p/router/crypto/ratchet/RatchetSKM.java
index 4c5ea7a3aa..ba14c6888c 100644
--- a/router/java/src/net/i2p/router/crypto/ratchet/RatchetSKM.java
+++ b/router/java/src/net/i2p/router/crypto/ratchet/RatchetSKM.java
@@ -427,12 +427,17 @@ public class RatchetSKM extends SessionKeyManager implements SessionTagListener
             return null;
         }
         HandshakeState state = tagSet.getHandshakeState();
+        synchronized(tagSet) {
+            key = tagSet.consume(tag);
+        }
+        if (key == null) {
+            if (_log.shouldDebug())
+                _log.debug("tag " + tag + " not found in tagset!!! " + tagSet);
+        }
         if (state != null) {
-            key = new SessionKeyAndNonce(state);
             if (_log.shouldDebug())
                 _log.debug("IB NSR Tag consumed: " + tag + " from: " + tagSet);
         } else {
-            key = tagSet.consume(tag);
             if (_log.shouldDebug())
                 _log.debug("IB ES Tag consumed: " + tag + " from: " + tagSet);
         }
diff --git a/router/java/src/net/i2p/router/crypto/ratchet/RatchetTagSet.java b/router/java/src/net/i2p/router/crypto/ratchet/RatchetTagSet.java
index 9c3d7e286e..aaebf95ab4 100644
--- a/router/java/src/net/i2p/router/crypto/ratchet/RatchetTagSet.java
+++ b/router/java/src/net/i2p/router/crypto/ratchet/RatchetTagSet.java
@@ -223,6 +223,13 @@ class RatchetTagSet implements TagSetHandle {
         int tagnum = _sessionTags.keyAt(idx);
         _sessionTags.removeAt(idx);
 
+        // NSR
+        if (_state != null) {
+            addTags(tagnum);
+            return new SessionKeyAndNonce(_state);
+        }
+
+        // ES
         // now get the key
         int kidx = _sessionKeys.indexOfKey(tagnum);
         if (kidx >= 0) {