Before R80.20, VPN connections could be migrated between acceleration module and Firewall-1 instances due to synchronous communication between those modules.
Since R80.20, fwaccel off does not stop the SecureXL device, and the communication between SecureXL and Firewall-1 is now asynchronous. All connections that were accelerated will continue to be handled by PPAK.
Furthermore, when new decryption/encryption keys are generated, the decision whether to accelerate the tunnel or not depends on whether there are accelerated connections associated with the tunnel.
As a result, to disable VPN tunnel acceleration, all outstanding related connections should be terminated.
This behavior prevents disabling acceleration of tunnels as long as accelerated connections are associated with those tunnels.
VPN acceleration is mandatory and should be disabled only for debugging purpose.