diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 130fe5048c0..d772e2c01f0 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -1600,15 +1600,11 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, uint8_t *outhdr = NULL; const uint8_t *inhdr = NULL; uint8_t *tf = NULL; - size_t tf_len = 0; uint8_t *hdr = NULL; uint8_t *body = NULL; uint8_t *dyn = NULL; uint32_t flags = 0; - uint64_t session_id = 0; uint64_t message_id = 0; - uint64_t nonce_high = 0; - uint64_t nonce_low = 0; uint64_t async_id = 0; NTSTATUS status; bool ok; @@ -1620,14 +1616,13 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, outhdr = SMBD_SMB2_OUT_HDR_PTR(req); flags = IVAL(outhdr, SMB2_HDR_FLAGS); message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID); - session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID); async_id = message_id; /* keep it simple for now... */ SIVAL(outhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC); SBVAL(outhdr, SMB2_HDR_ASYNC_ID, async_id); - DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu " + DEBUG(10,("smbd_smb2_request_pending_timer: opcode[%s] mid %llu " "going async\n", smb2_opcode_name(SVAL(inhdr, SMB2_HDR_OPCODE)), (unsigned long long)async_id )); @@ -1646,13 +1641,15 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, } tf = state->buf + NBT_HDR_SIZE; - tf_len = SMB2_TF_HDR_SIZE; - hdr = tf + SMB2_TF_HDR_SIZE; body = hdr + SMB2_HDR_BODY; dyn = body + 8; if (req->do_encryption) { + uint64_t nonce_high = 0; + uint64_t nonce_low = 0; + uint64_t session_id = req->session->global->session_wire_id; + status = smb2_get_new_nonce(req->session, &nonce_high, &nonce_low); 
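Review bot: In the `@@ -1646,13 +1641,15 @@` hunk, the new initializer `uint64_t session_id = req->session->global->session_wire_id;` dereferences `req->session` and `req->session->global` as soon as `req->do_encryption` is true, an invariant the hunk does not show. If `do_encryption` can only be set once a session is bound (presumably so, since the existing `smb2_get_new_nonce(req->session, ...)` call already takes the session), record that with a comment such as `/* do_encryption implies a valid req->session */`; otherwise fail the request before the dereference. The transform-header session id now comes from the session object rather than from `SMB2_HDR_SESSION_ID` in the outgoing header, so a one-line comment on why the wire id is the authoritative source would help the next reader. The function body starts before and continues after this hunk.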
@@ -1661,13 +1658,12 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, nt_errstr(status)); return; } + SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC); + SBVAL(tf, SMB2_TF_NONCE+0, nonce_low); + SBVAL(tf, SMB2_TF_NONCE+8, nonce_high); + SBVAL(tf, SMB2_TF_SESSION_ID, session_id); } - SIVAL(tf, SMB2_TF_PROTOCOL_ID, SMB2_TF_MAGIC); - SBVAL(tf, SMB2_TF_NONCE+0, nonce_low); - SBVAL(tf, SMB2_TF_NONCE+8, nonce_high); - SBVAL(tf, SMB2_TF_SESSION_ID, session_id); - SIVAL(hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC); SSVAL(hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY); SSVAL(hdr, SMB2_HDR_EPOCH, 0); @@ -1696,7 +1692,8 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev, if (req->do_encryption) { state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = tf; - state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = tf_len; + state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = + SMB2_TF_HDR_SIZE; } else { state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_base = NULL; state->vector[1+SMBD_SMB2_TF_IOV_OFS].iov_len = 0;
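Review bot: In the `@@ -1661,13 +1658,12 @@` hunk, the `SMB2_TF_HDR_SIZE` bytes at `tf` are no longer written at all when `req->do_encryption` is false, although `hdr = tf + SMB2_TF_HDR_SIZE` in the earlier hunk still reserves them in `state->buf`. The following hunk sets that iovec slot to `NULL`/`0` in the unencrypted case, so on the visible lines the unwritten bytes are not sent, but whether `state->buf` is zero-initialized cannot be seen here. I would add a comment next to the moved stores, e.g. `/* TF header is only filled in and placed in the iovec when encrypting; otherwise the reserved bytes are never sent */`, so a later change to the vector setup does not expose that region. The enclosing function continues outside the hunk.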