diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
index 5b4800716b..fefb5da65c 100644
--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@@ -392,10 +392,11 @@ func (d *driver) secMapWalk(f func(string, []*spi) ([]*spi, bool)) error {
 }
 
 func (d *driver) setKeys(keys []*key) error {
-	if d.keys != nil {
-		return types.ForbiddenErrorf("initial keys are already present")
-	}
+	// Accept the encryption keys and clear any stale encryption map
+	d.Lock()
 	d.keys = keys
+	d.secMap = &encrMap{nodes: map[string][]*spi{}}
+	d.Unlock()
 	log.Debugf("Initial encryption keys: %v", d.keys)
 	return nil
 }
@@ -433,10 +434,8 @@ func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
 	if (newKey != nil && newIdx == -1) ||
 		(primary != nil && priIdx == -1) ||
 		(pruneKey != nil && delIdx == -1) {
-		err := types.BadRequestErrorf("cannot find proper key indices while processing key update:"+
+		return types.BadRequestErrorf("cannot find proper key indices while processing key update:"+
 			"(newIdx,priIdx,delIdx):(%d, %d, %d)", newIdx, priIdx, delIdx)
-		log.Warn(err)
-		return err
 	}
 
 	d.secMapWalk(func(rIPs string, spis []*spi) ([]*spi, bool) {
diff --git a/libnetwork/drivers/overlay/overlay.go b/libnetwork/drivers/overlay/overlay.go
index 59877dd1ac..492f7f4254 100644
--- a/libnetwork/drivers/overlay/overlay.go
+++ b/libnetwork/drivers/overlay/overlay.go
@@ -336,7 +336,9 @@ func (d *driver) DiscoverNew(dType discoverapi.DiscoveryType, data interface{})
 			}
 			keys = append(keys, k)
 		}
-		d.setKeys(keys)
+		if err := d.setKeys(keys); err != nil {
+			logrus.Warn(err)
+		}
 	case discoverapi.EncryptionKeysUpdate:
 		var newKey, delKey, priKey *key
 		encrData, ok := data.(discoverapi.DriverEncryptionUpdate)
@@ -361,7 +363,9 @@ func (d *driver) DiscoverNew(dType discoverapi.DiscoveryType, data interface{})
 				tag:   uint32(encrData.PruneTag),
 			}
 		}
-		d.updateKeys(newKey, priKey, delKey)
+		if err := d.updateKeys(newKey, priKey, delKey); err != nil {
+			logrus.Warn(err)
+		}
 	default:
 	}
 	return nil