Before R80.20, VPN connections could be migrated between acceleration module and Firewall-1 instances due to synchronous communication between those modules.
Since R80.20, fwaccel off does not stop the SecureXL device, and the communication between SecureXL and firewall-1 is now asynchronous. All connections that were accelerated will continue to be handled by PPAK.
Furthermore, when new decryption/encryption keys are generated, the decision whether to accelerate the tunnel or not depends on whether there are accelerated connections associated with the tunnel.
As a result, to disable VPN tunnel acceleration all outstanding related connections should be terminated.
This behavior prevents disabling acceleration of tunnels as long as accelerated connections are associated with those tunnels.