diff --git a/src/suricata.c b/src/suricata.c
index 96a1806c30..987f517c8e 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -249,6 +249,11 @@ Packet *TunnelPktSetup(ThreadVars *t, DecodeThreadVars *dtv, Packet *parent, uin
     /* set tunnel flags */
     SET_TUNNEL_PKT(p);
     TUNNEL_INCR_PKT_TPR(p);
+
+    /* disable payload (not packet) inspection on the parent, as the payload
+     * is the packet we will now run through the system separately. We do
+     * check it against the ip/port/other header checks though */
+    DecodeSetNoPayloadInspectionFlag(parent);
     return p;
 }