diff --git a/src/internal.c b/src/internal.c
index c44a87001..9ee2ca0f6 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -4497,12 +4497,18 @@ retry:
                 return -1;
 
             case WOLFSSL_CBIO_ERR_TIMEOUT:
+                if (ssl->options.dtls) {
 #ifdef WOLFSSL_DTLS
-                if (DtlsPoolTimeout(ssl) == 0 && DtlsPoolSend(ssl) == 0)
-                    goto retry;
-                else
+                    if ((!ssl->options.handShakeDone ||
+                               ssl->options.dtlsHsRetain) &&
+                        DtlsPoolTimeout(ssl) == 0 &&
+                        DtlsPoolSend(ssl) == 0) {
+
+                        goto retry;
+                    }
 #endif
-                    return -1;
+                }
+                return -1;
 
             default:
                 return recvd;
@@ -4744,6 +4750,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
     }
     else {
 #ifdef WOLFSSL_DTLS
+#ifdef HAVE_FUZZER
+        if (ssl->fuzzerCb)
+            ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ,
+                           FUZZ_HEAD, ssl->fuzzerCtx);
+#endif
         /* type and version in same sport */
         XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
         *inOutIdx += ENUM_LEN + VERSION_SZ;
@@ -4753,12 +4764,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
         *inOutIdx += 4;  /* advance past rest of seq */
         ato16(input + *inOutIdx, size);
         *inOutIdx += LENGTH_SZ;
-#ifdef HAVE_FUZZER
-        if (ssl->fuzzerCb)
-            ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN -
-                           VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ,
-                           FUZZ_HEAD, ssl->fuzzerCtx);
-#endif
 #endif
     }
 
@@ -7335,7 +7340,7 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
         next = state->nextSeq;
         window = state->window;
     }
-    else if (state->curEpoch < state->nextEpoch) {
+    else if (state->curEpoch == state->nextEpoch - 1) {
         next = state->prevSeq;
         window = state->prevWindow;
     }
@@ -7351,6 +7356,9 @@ static INLINE int DtlsCheckWindow(DtlsState* state)
     else if ((cur < next) && (window & ((DtlsSeq)1 << (next - cur - 1)))) {
         return 0;
     }
+    else if (cur > next + DTLS_SEQ_BITS) {
+        return 0;
+    }
 
     return 1;
 }
@@ -8848,11 +8856,14 @@ int ProcessReply(WOLFSSL* ssl)
             if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
                 WOLFSSL_MSG("Silently dropping out of order DTLS message");
                 ssl->options.processReply = doProcessInit;
-                ssl->buffers.inputBuffer.idx += ssl->curSize;
+                ssl->buffers.inputBuffer.length = 0;
+                ssl->buffers.inputBuffer.idx = 0;
 
-                ret = DtlsPoolSend(ssl);
-                if (ret != 0)
-                    return ret;
+                if (ssl->options.dtlsHsRetain) {
+                    ret = DtlsPoolSend(ssl);
+                    if (ret != 0)
+                        return ret;
+                }
 
                 continue;
             }
@@ -8990,8 +9001,8 @@ int ProcessReply(WOLFSSL* ssl)
                         if (!ssl->options.dtls) {
                             return ret;
                         }
-#ifdef WOLFSSL_DTLS
                         else {
+#ifdef WOLFSSL_DTLS
                         /* Check for duplicate CCS message in DTLS mode.
                          * DTLS allows for duplicate messages, and it should be
                          * skipped. Also skip if out of order. */
@@ -9009,8 +9020,8 @@ int ProcessReply(WOLFSSL* ssl)
                             }
                             ssl->buffers.inputBuffer.idx++;
                             break;
-                        }
 #endif /* WOLFSSL_DTLS */
+                        }
                     }
 
 #ifdef HAVE_SESSION_TICKET