diff --git a/src/transport/SecureMessageCodec.cpp b/src/transport/SecureMessageCodec.cpp
index 9c08d535ff57a3..ecf965e063f4db 100644
--- a/src/transport/SecureMessageCodec.cpp
+++ b/src/transport/SecureMessageCodec.cpp
@@ -37,11 +37,11 @@ using System::PacketBufferHandle;
 namespace SecureMessageCodec {
 
 CHIP_ERROR Encrypt(const CryptoContext & context, CryptoContext::ConstNonceView nonce, PayloadHeader & payloadHeader,
-                   PacketHeader & packetHeader, System::PacketBufferHandle & msgBuf)
+                   PacketHeader & packetHeader, System::PacketBufferHandle & msgBuf, size_t inputMaxLength)
 {
     VerifyOrReturnError(!msgBuf.IsNull(), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(!msgBuf->HasChainedBuffer(), CHIP_ERROR_INVALID_MESSAGE_LENGTH);
-    VerifyOrReturnError(msgBuf->TotalLength() <= kMaxAppMessageLen, CHIP_ERROR_MESSAGE_TOO_LONG);
+    VerifyOrReturnError(msgBuf->TotalLength() <= inputMaxLength, CHIP_ERROR_MESSAGE_TOO_LONG);
 
     static_assert(std::is_same<decltype(msgBuf->TotalLength()), uint16_t>::value,
                   "Addition to generate payloadLength might overflow");
diff --git a/src/transport/SecureMessageCodec.h b/src/transport/SecureMessageCodec.h
index f074e792b59d21..315a29d711c85d 100644
--- a/src/transport/SecureMessageCodec.h
+++ b/src/transport/SecureMessageCodec.h
@@ -47,10 +47,11 @@ namespace SecureMessageCodec {
  * @param msgBuf        The message buffer that contains the unencrypted message. If
  *                      the operation is successful, this buffer will be mutated to contain
  *                      the encrypted message.
+ * @param inputMaxLength Max size for input
  * @return A CHIP_ERROR value consistent with the result of the encryption operation
  */
 CHIP_ERROR Encrypt(const CryptoContext & context, CryptoContext::ConstNonceView nonce, PayloadHeader & payloadHeader,
-                   PacketHeader & packetHeader, System::PacketBufferHandle & msgBuf);
+                   PacketHeader & packetHeader, System::PacketBufferHandle & msgBuf, size_t inputMaxLength = kMaxAppMessageLen);
 
 /**
  * @brief
diff --git a/src/transport/SessionManager.cpp b/src/transport/SessionManager.cpp
index 085fda948629c7..5431dc52f60d05 100644
--- a/src/transport/SessionManager.cpp
+++ b/src/transport/SessionManager.cpp
@@ -201,7 +201,8 @@ CHIP_ERROR SessionManager::PrepareMessage(const SessionHandle & sessionHandle, P
         packetHeader.SetSessionId(keyContext->GetKeyHash());
         CryptoContext::NonceStorage nonce;
         CryptoContext::BuildNonce(nonce, packetHeader.GetSecurityFlags(), packetHeader.GetMessageCounter(), sourceNodeId);
-        CHIP_ERROR err = SecureMessageCodec::Encrypt(CryptoContext(keyContext), nonce, payloadHeader, packetHeader, message);
+        CHIP_ERROR err =
+            SecureMessageCodec::Encrypt(CryptoContext(keyContext), nonce, payloadHeader, packetHeader, message, kMaxAppMessageLen);
         keyContext->Release();
         ReturnErrorOnFailure(err);
 
@@ -237,7 +238,17 @@ CHIP_ERROR SessionManager::PrepareMessage(const SessionHandle & sessionHandle, P
         NodeId sourceNodeId = session->GetLocalScopedNodeId().GetNodeId();
         CryptoContext::BuildNonce(nonce, packetHeader.GetSecurityFlags(), messageCounter, sourceNodeId);
 
-        ReturnErrorOnFailure(SecureMessageCodec::Encrypt(session->GetCryptoContext(), nonce, payloadHeader, packetHeader, message));
+        if (session->GetPeerAddress().GetTransportType() == Transport::Type::kTcp)
+        {
+            // support large payloads
+            ReturnErrorOnFailure(SecureMessageCodec::Encrypt(session->GetCryptoContext(), nonce, payloadHeader, packetHeader,
+                                                             message, kLargePayloadMaxMessageSizeBytes));
+        }
+        else
+        {
+            ReturnErrorOnFailure(SecureMessageCodec::Encrypt(session->GetCryptoContext(), nonce, payloadHeader, packetHeader,
+                                                             message, kMaxAppMessageLen));
+        }
 
 #if CHIP_PROGRESS_LOGGING
         destination = session->GetPeerNodeId();
diff --git a/src/transport/raw/MessageHeader.h b/src/transport/raw/MessageHeader.h
index 7c637fa782d957..58a62ccb7a6e27 100644
--- a/src/transport/raw/MessageHeader.h
+++ b/src/transport/raw/MessageHeader.h
@@ -71,6 +71,8 @@ static_assert(detail::kMaxApplicationPayloadAndMICSizeBytes > kMaxTagLen, "Need
 // tag we will not have source/destination node IDs, but above we are including
 // those in the header sizes.
 static constexpr size_t kMaxAppMessageLen = detail::kMaxApplicationPayloadAndMICSizeBytes - kMaxTagLen;
+// large payload limit
+static constexpr size_t kLargePayloadMaxMessageSizeBytes = 128000;
 
 static constexpr uint16_t kMsgUnicastSessionIdUnsecured = 0x0000;