diff --git a/agent/http.go b/agent/http.go
index ff7764f0d1..24f0ed0bb8 100644
--- a/agent/http.go
+++ b/agent/http.go
@@ -21,6 +21,8 @@ import (
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/mitchellh/mapstructure"
 	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/cache"
@@ -374,6 +376,9 @@ func (s *HTTPHandlers) wrap(handler endpoint, methods []string) http.HandlerFunc
 			if acl.IsErrPermissionDenied(err) || acl.IsErrNotFound(err) {
 				return true
 			}
+			if e, ok := status.FromError(err); ok && e.Code() == codes.PermissionDenied {
+				return true
+			}
 			return false
 		}
 
diff --git a/agent/rpc/peering/service.go b/agent/rpc/peering/service.go
index 8a945dc64b..b6a8e6cfec 100644
--- a/agent/rpc/peering/service.go
+++ b/agent/rpc/peering/service.go
@@ -556,7 +556,7 @@ func (s *Server) exchangeSecret(ctx context.Context, peering *pbpeering.Peering,
 		// If we got a permission denied error that means out establishment secret is invalid, so we do not retry.
 		grpcErr, ok := grpcstatus.FromError(err)
 		if ok && grpcErr.Code() == codes.PermissionDenied {
-			return nil, fmt.Errorf("a new peering token must be generated: %w", grpcErr.Err())
+			return nil, grpcstatus.Errorf(codes.PermissionDenied, "a new peering token must be generated: %s", grpcErr.Message())
 		}
 		if err != nil {
 			dialErrors = multierror.Append(dialErrors, fmt.Errorf("failed to exchange peering secret through address %q: %w", addr, err))
diff --git a/agent/rpc/peering/service_test.go b/agent/rpc/peering/service_test.go
index 07a820fe45..9d5ea602fc 100644
--- a/agent/rpc/peering/service_test.go
+++ b/agent/rpc/peering/service_test.go
@@ -510,6 +510,9 @@ func TestPeeringService_Establish_ThroughMeshGateway(t *testing.T) {
 			PeerName:     "my-peer-acceptor",
 			PeeringToken: peeringToken,
 		})
+		grpcErr, ok := grpcstatus.FromError(err)
+		require.True(t, ok)
+		require.Equal(t, codes.PermissionDenied, grpcErr.Code())
 		testutil.RequireErrorContains(t, err, "a new peering token must be generated")
 	})