diff --git a/datacenter/ucp/2.2/guides/admin/install/system-requirements.md b/datacenter/ucp/2.2/guides/admin/install/system-requirements.md
index 61845e089f..07cec9550c 100644
--- a/datacenter/ucp/2.2/guides/admin/install/system-requirements.md
+++ b/datacenter/ucp/2.2/guides/admin/install/system-requirements.md
@@ -51,6 +51,9 @@ When installing UCP on a host, make sure the following ports are open:
 | managers          |    in     | TCP 12386               | Port for the authentication worker                                                |
 | managers          |    in     | TCP 12387               | Port for the metrics service                                                      |
 
+For overlay networks with encryption to work, you need to ensure that
+IP protocol 50 (ESP) traffic is allowed.
+
 Also, make sure the networks you're using allow the UCP components enough time
 to communicate before they time out.