diff --git a/README.md b/README.md index b4f6f8eef7..e05fc86a9e 100644 --- a/README.md +++ b/README.md @@ -431,10 +431,11 @@ Type: Boolean as a String Default: `false` -If `ENABLE_POD_ENI` is set to `true`, in order for the kubelet on the node to talk to pods using the per pod security group feature, -`DISABLE_TCP_EARLY_DEMUX` should be set to `true`. This will increase the local TCP connection latency slightly, that is why it is not - on by default. Details on why this is needed can be found in this [#1212 comment](https://github.com/aws/amazon-vpc-cni-k8s/pull/1212#issuecomment-693540666). - +If `ENABLE_POD_ENI` is set to `true`, in order for the kubelet on the node to connect via TCP to pods that are using +per pod security groups, `DISABLE_TCP_EARLY_DEMUX` should be set to `true`. This will increase the local TCP connection +latency slightly, that is why it is not on by default. Details on why this is needed can be found in +this [#1212 comment](https://github.com/aws/amazon-vpc-cni-k8s/pull/1212#issuecomment-693540666). +To use this setting, a Linux kernel version of at least 4.6 is needed on the worker node. ### ENI tags related to Allocation diff --git a/scripts/init.sh b/scripts/init.sh index e7f6a2b7bb..df37afaadb 100755 --- a/scripts/init.sh +++ b/scripts/init.sh @@ -34,7 +34,7 @@ cat "/proc/sys/net/ipv4/conf/$PRIMARY_IF/rp_filter" if [ "${DISABLE_TCP_EARLY_DEMUX:-false}" == "true" ]; then sysctl -w "net.ipv4.tcp_early_demux=0" else - sysctl -w "net.ipv4.tcp_early_demux=1" + sysctl -e -w "net.ipv4.tcp_early_demux=1" fi echo "CNI init container done"
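Review bot: the README hunk adds the "at least 4.6" kernel requirement but does not say what happens below it; since the paired scripts/init.sh change makes only the default `tcp_early_demux=1` write tolerate a missing key, the new sentence should state that on an older kernel the default path proceeds while setting `DISABLE_TCP_EARLY_DEMUX=true` still fails, so operators know which case is skipped silently. The reworded first sentence is also hard to parse ("If ... in order for ... should be set"); consider splitting it, e.g. "When `ENABLE_POD_ENI` is `true`, set `DISABLE_TCP_EARLY_DEMUX` to `true` so the kubelet can connect via TCP to pods using per pod security groups."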
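Review bot: in the scripts/init.sh hunk the `-e` (ignore unknown keys) flag is added only to the `else` branch; the `net.ipv4.tcp_early_demux=0` write that runs when `DISABLE_TCP_EARLY_DEMUX=true` will still error on a kernel without the key. If that asymmetry is deliberate (fail loudly when the operator explicitly asked for the setting, tolerate absence on the default path), add a comment above the `if` saying so, e.g. `# -e: tolerate kernels (< 4.6) without net.ipv4.tcp_early_demux on the default path`; otherwise apply `-e` to both writes. Note that `-e` also suppresses errors from a mistyped key name, so the key string must stay identical in both branches.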