diff --git a/session.go b/session.go
index 47044b21..f95065d4 100644
--- a/session.go
+++ b/session.go
@@ -200,7 +200,7 @@ func (s *Session) run() {
 if err := s.sendPacket(); err != nil {
 s.Close(err)
 }
- if time.Now().Sub(s.lastNetworkActivityTime) >= s.connectionParametersManager.GetIdleConnectionStateLifetime() {
+ if time.Now().Sub(s.lastNetworkActivityTime) >= s.idleTimeout() {
 s.Close(qerr.Error(qerr.NetworkIdleTimeout, "No recent network activity."))
 }
 if !s.cryptoSetup.HandshakeComplete() && time.Now().Sub(s.sessionCreationTime) >= protocol.MaxTimeForCryptoHandshake {
@@ -211,7 +211,7 @@ func (s *Session) run() {
 }

 func (s *Session) maybeResetTimer() {
- nextDeadline := s.lastNetworkActivityTime.Add(s.connectionParametersManager.GetIdleConnectionStateLifetime())
+ nextDeadline := s.lastNetworkActivityTime.Add(s.idleTimeout())

 if !s.delayedAckOriginTime.IsZero() {
 nextDeadline = utils.MinTime(nextDeadline, s.delayedAckOriginTime.Add(protocol.AckSendDelay))
@@ -240,6 +240,13 @@ func (s *Session) maybeResetTimer() {
 s.currentDeadline = nextDeadline
 }

+func (s *Session) idleTimeout() time.Duration {
+ if s.cryptoSetup.HandshakeComplete() {
+ return s.connectionParametersManager.GetIdleConnectionStateLifetime()
+ }
+ return protocol.InitialIdleTimeout
+}
+
 func (s *Session) handlePacketImpl(p *receivedPacket) error {
 if p.rcvTime.IsZero() {
 // To simplify testing
diff --git a/session_test.go b/session_test.go
index 58a78b74..4aa78a0b 100644
--- a/session_test.go
+++ b/session_test.go
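Review bot: The new `idleTimeout` helper in the third hunk of session.go has no comment saying why the negotiated ICSL is ignored until `HandshakeComplete()` returns true. Presumably the intent is that a peer which has not finished the handshake cannot choose how long the server keeps session state, and that security-relevant reason belongs on the function. Suggested comment: `// idleTimeout returns protocol.InitialIdleTimeout until the crypto handshake completes, so a not-yet-authenticated peer cannot extend the session lifetime through ICSL; afterwards it returns the negotiated ICSL.` After the handshake the value still originates from the peer's parameters. Whether `GetIdleConnectionStateLifetime()` clamps it to a local maximum is not visible in this diff and is worth confirming.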
@@ -762,6 +762,30 @@ var _ = Describe("Session", func() {
 Expect(conn.written[0]).To(ContainSubstring("Crypto handshake did not complete in time."))
 close(done)
 })
+
+ It("does not use ICSL before handshake", func(done Done) {
+ session.lastNetworkActivityTime = time.Now().Add(-time.Minute)
+ session.connectionParametersManager.SetFromMap(map[handshake.Tag][]byte{
+ handshake.TagICSL: {0xff, 0xff, 0xff, 0xff},
+ })
+ session.packer.connectionParametersManager = session.connectionParametersManager
+ session.run() // Would normally not return
+ Expect(conn.written[0]).To(ContainSubstring("No recent network activity."))
+ close(done)
+ })
+
+ It("uses ICSL after handshake", func(done Done) {
+ // session.lastNetworkActivityTime = time.Now().Add(-time.Minute)
+ *(*bool)(unsafe.Pointer(reflect.ValueOf(session.cryptoSetup).Elem().FieldByName("receivedForwardSecurePacket").UnsafeAddr())) = true
+ *(*crypto.AEAD)(unsafe.Pointer(reflect.ValueOf(session.cryptoSetup).Elem().FieldByName("forwardSecureAEAD").UnsafeAddr())) = &crypto.NullAEAD{}
+ session.connectionParametersManager.SetFromMap(map[handshake.Tag][]byte{
+ handshake.TagICSL: {0, 0, 0, 0},
+ })
+ session.packer.connectionParametersManager = session.connectionParametersManager
+ session.run() // Would normally not return
+ Expect(conn.written[0]).To(ContainSubstring("No recent network activity."))
+ close(done)
+ })
 })

 It("errors when the SentPacketHandler has too many packets tracked", func() {
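Review bot: The "uses ICSL after handshake" case fakes a completed handshake by writing to the unexported fields `receivedForwardSecurePacket` and `forwardSecureAEAD` through `reflect` and `unsafe.Pointer`. The compiler cannot check those field names or types, so a rename or retype in the crypto setup surfaces only as a run-time panic or a bad memory write in the test. A test double whose `HandshakeComplete()` returns true would be sturdier, if `session.cryptoSetup` can be substituted (its declared type is not visible in this hunk). The commented-out `// session.lastNetworkActivityTime = ...` line should be restored or deleted. With it disabled, the test depends on whatever activity time the fixture left behind, so it is unclear that it distinguishes an ICSL of zero from `protocol.InitialIdleTimeout`. A comment on each case should state which timeout is expected to fire and why.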