diff --git a/CHANGES b/CHANGES
index 6a4f4ddcd6..96957be818 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5765. [bug] Fix a bug in DoH implementation making 'dig'
+ abort when ALPN negotiation fails. [GL #3022]
+
 5764. [bug] dns_sdlz_putrr failed to process some valid resource records. [GL #3021]
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index 77acac562d..ee25102f2a 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -116,6 +116,17 @@ grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+# Let's try to issue an HTTP/2 query over TLS port to check if dig
+# will detect ALPN token negotiation problem.
+n=$((n + 1))
+echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)"
+ret=0
+# shellcheck disable=SC2086
+"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n
+grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 n=$((n + 1))
 echo_i "checking DoH query (POST) ($n)"
 ret=0
diff --git a/lib/isc/netmgr/http.c b/lib/isc/netmgr/http.c
index 776f0e2b77..466ae5497a 100644
--- a/lib/isc/netmgr/http.c
+++ b/lib/isc/netmgr/http.c
@@ -1379,7 +1379,6 @@ transport_connect_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
 * client will fail if HTTP/2 cannot be
 * negotiated via ALPN.
 */
-isc__nmsocket_prep_destroy(transp_sock);
 result = ISC_R_HTTP2ALPNERROR;
 goto error;
 }
diff --git a/lib/isc/netmgr/tlsstream.c b/lib/isc/netmgr/tlsstream.c
index f5290890cd..08725a4802 100644
--- a/lib/isc/netmgr/tlsstream.c
+++ b/lib/isc/netmgr/tlsstream.c
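Review bot: Nothing in the http.c hunk records who now tears down `transp_sock` once the early `isc__nmsocket_prep_destroy()` call is gone, so the next reader has no guard against re-adding it; a one-line comment above `result = ISC_R_HTTP2ALPNERROR;` such as `/* transp_sock teardown belongs to the error: path; an extra prep_destroy here is presumably what made dig abort (GL #3022) */` would pin that down. The causal part is an inference: the hunk shows only that the call was removed and that control continues to `error:`, not what `error:` does with the socket. Failing closed when HTTP/2 cannot be negotiated over ALPN is the right outcome, so the behaviour itself is not in question. transport_connect_cb starts and ends outside the hunk.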
@@ -367,7 +367,9 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
 received_data->length, &len);
 if (rv <= 0 || len != received_data->length) {
 result = ISC_R_TLSERROR;
+#if defined(NETMGR_TRACE) && defined(NETMGR_TRACE_VERBOSE)
 saved_errno = errno;
+#endif
 goto error;
 }
@@ -506,6 +508,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
 }
 error:
+#if defined(NETMGR_TRACE) && defined(NETMGR_TRACE_VERBOSE)
 isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, ISC_LOG_NOTICE, "SSL error in BIO: %d %s (errno: %d). Arguments: "
@@ -513,6 +516,7 @@ error:
 "send_data: %p, finish: %s", tls_status, isc_result_totext(result), saved_errno, received_data, send_data, finish ? "true" : "false");
+#endif
 tls_failed_read_cb(sock, result);
 }
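Review bot: With the `isc_log_write()` at `error:` compiled out unless both NETMGR_TRACE and NETMGR_TRACE_VERBOSE are defined, a release build leaves no log record at all of a failed TLS read, which removes the one signal an operator has when investigating a stream of malformed records or a misbehaving peer; `tls_failed_read_cb(sock, result)` still receives `result`, but nothing in these hunks shows it being logged. I would keep an unconditional, low-severity line ahead of the `#if` — `isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, ISC_LOG_DEBUG(3), "TLS read failed: %s", isc_result_totext(result));` — and reserve the verbose dump with `saved_errno`, `tls_status` and the pointer arguments for the traced build. In a non-traced build `saved_errno` is now both written and read only inside the guarded blocks, so depending on how it is declared (outside these hunks) it may become an unused variable and trip `-Wunused`; the declaration should carry the same guard or a `(void)saved_errno;`. tls_do_bio starts outside the hunks.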