diff --git a/src/analyzer/protocol/quic/QUIC.spicy b/src/analyzer/protocol/quic/QUIC.spicy
index 3954a80977..0198ba9b3b 100644
--- a/src/analyzer/protocol/quic/QUIC.spicy
+++ b/src/analyzer/protocol/quic/QUIC.spicy
@@ -567,23 +567,24 @@ type Packet = unit(from_client: bool, context: ConnectionIDInfo&) {
       context.server_cid_len = self.long_header.dest_conn_id_len;
       context.client_cid_len = self.long_header.src_conn_id_len;
 
+      # This is the first INITIAL packet we attempt to decrypt and it is
+      # coming from the client. Use its destination connection ID for
+      # decryption purposes.
+      if ( |context.initial_destination_conn_id| == 0 ) {
+        context.initial_destination_conn_id = self.long_header.dest_conn_id;
+      }
+
       # This means that here, we can try to decrypt the initial packet!
       # All data is accessible via the `long_header` unit
       self.decrypted_data = decrypt_crypto_payload(
         self.long_header.version,
         self.packet_data,
-        self.long_header.dest_conn_id,
+        context.initial_destination_conn_id,
         self.long_header.encrypted_offset,
         self.long_header.payload_length,
         from_client
       );
 
-      # Assuming that the client set up the connection, this can be considered the first
-      # received Initial from the client. So disable change of ConnectionID's afterwards
-      if ( |context.initial_destination_conn_id| == 0 ) {
-        context.initial_destination_conn_id = self.long_header.dest_conn_id;
-      }
-
     } else {
       context.server_cid_len = self.long_header.src_conn_id_len;
       context.client_cid_len = self.long_header.dest_conn_id_len;
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/conn.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/conn.log.cut
new file mode 100644
index 0000000000..46d72b1541
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/conn.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	history	service
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	Dd	quic,ssl
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/quic.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/quic.log.cut
new file mode 100644
index 0000000000..6199e7117b
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/quic.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	server_name	history
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	www.google.de	ZZZIiIIIISiIIIiiiiiishIIHH
diff --git a/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/ssl.log.cut b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/ssl.log.cut
new file mode 100644
index 0000000000..e72550284a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.quic.decrypt-fail-google-de-51833/ssl.log.cut
@@ -0,0 +1,3 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+ts	uid	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	TLSv13	TLS_AES_128_GCM_SHA256	X25519MLKEM768	www.google.de	T	-	-	F	Cs
diff --git a/testing/btest/Traces/quic/quic-decrypt-fail-google-de-51833.pcap b/testing/btest/Traces/quic/quic-decrypt-fail-google-de-51833.pcap
new file mode 100644
index 0000000000..cc7d2fec1a
Binary files /dev/null and b/testing/btest/Traces/quic/quic-decrypt-fail-google-de-51833.pcap differ
diff --git a/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek b/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
new file mode 100644
index 0000000000..23c9cdaf0e
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/quic/decrypt-fail-google-de-51833.zeek
@@ -0,0 +1,12 @@
+# @TEST-DOC: PCAP for which decryption failed due to not using the initial destination connection ID consistently.
+
+# @TEST-REQUIRES: ${SCRIPTS}/have-spicy
+# @TEST-EXEC: zeek -Cr $TRACES/quic/quic-decrypt-fail-google-de-51833.pcap base/protocols/quic
+# @TEST-EXEC: test ! -f analyzer.log
+# @TEST-EXEC: test ! -f dpd.log
+# @TEST-EXEC: zeek-cut -m ts uid history service < conn.log > conn.log.cut
+# @TEST-EXEC: btest-diff conn.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid server_name history < quic.log > quic.log.cut
+# @TEST-EXEC: btest-diff quic.log.cut
+# @TEST-EXEC: zeek-cut -m ts uid version cipher curve server_name resumed last_alert next_protocol established ssl_history < ssl.log > ssl.log.cut
+# @TEST-EXEC: btest-diff ssl.log.cut