diff --git a/go.mod b/go.mod
index 2dd4911a207..a07ab071892 100644
--- a/go.mod
+++ b/go.mod
@@ -64,7 +64,7 @@ require (
 require (
 github.com/docker/docker v27.3.1+incompatible
 github.com/replicatedhq/troubleshoot v0.105.2
- google.golang.org/grpc v1.66.2
+ google.golang.org/grpc v1.67.1
 sigs.k8s.io/kubectl-validate v0.0.5-0.20240827210056-ce13d95db263
 )
diff --git a/go.sum b/go.sum
index 624b91ab533..6e355f58e24 100644
--- a/go.sum
+++ b/go.sum
@@ -1092,8 +1092,8 @@ google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQ
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.66.2 h1:3QdXkuq3Bkh7w+ywLdLvM56cmGvQHUMZpiCzt6Rqaoo=
-google.golang.org/grpc v1.66.2/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
+google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
diff --git a/internal/gatewayapi/runner/runner.go b/internal/gatewayapi/runner/runner.go
index f9068b68dcf..f8f7b2a6965 100644
--- a/internal/gatewayapi/runner/runner.go
+++ b/internal/gatewayapi/runner/runner.go
@@ -564,6 +564,7 @@ func (r *Runner) tlsConfig() (*tls.Config, error) {
 // Configure the server to require client certificates
 return &tls.Config{
 Certificates: []tls.Certificate{serverCert},
+ NextProtos: []string{"h2"},
 ClientAuth: tls.RequireAndVerifyClientCert,
 ClientCAs: caCertPool,
 MinVersion: tls.VersionTLS13,
diff --git a/internal/globalratelimit/runner/runner.go b/internal/globalratelimit/runner/runner.go
index ffccb1ab3a3..baaaaacd6b7 100644
--- a/internal/globalratelimit/runner/runner.go
+++ b/internal/globalratelimit/runner/runner.go
@@ -213,6 +213,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config {
 return &tls.Config{
 Certificates: []tls.Certificate{cert},
+ NextProtos: []string{"h2"},
 ClientAuth: tls.RequireAndVerifyClientCert,
 ClientCAs: certPool,
 MinVersion: tls.VersionTLS13,
diff --git a/internal/xds/server/runner/runner.go b/internal/xds/server/runner/runner.go
index d8acab8d951..19c4076d458 100644
--- a/internal/xds/server/runner/runner.go
+++ b/internal/xds/server/runner/runner.go
@@ -180,6 +180,7 @@ func (r *Runner) tlsConfig(cert, key, ca string) *tls.Config {
 return &tls.Config{
 Certificates: []tls.Certificate{cert},
+ NextProtos: []string{"h2"},
 ClientAuth: tls.RequireAndVerifyClientCert,
 ClientCAs: certPool,
 MinVersion: tls.VersionTLS13,
diff --git a/internal/xds/server/runner/runner_test.go b/internal/xds/server/runner/runner_test.go
index 823d426864c..1a3e9322c68 100644
--- a/internal/xds/server/runner/runner_test.go
+++ b/internal/xds/server/runner/runner_test.go
@@ -157,6 +157,7 @@ func tryConnect(address string, clientCert tls.Certificate, caCertPool *x509.Cer
 ServerName: "localhost",
 MinVersion: tls.VersionTLS13,
 Certificates: []tls.Certificate{clientCert},
+ NextProtos: []string{"h2"},
 RootCAs: caCertPool,
 }
 conn, err := tls.Dial("tcp", address, clientConfig)
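Review bot: The added `NextProtos: []string{"h2"},` in `tlsConfig` of internal/gatewayapi/runner/runner.go has no comment saying why it is there, and the same bare literal is repeated in the `tlsConfig` hunks of internal/globalratelimit/runner/runner.go and internal/xds/server/runner/runner.go. It presumably accompanies the grpc v1.67.1 bump in go.mod, but since nothing on the line records that, a later cleanup could remove it from one listener and not the others. I would put `// ALPN: offer only "h2"; a client whose ALPN list has no overlap fails the handshake` above the field in each config. With crypto/tls a client that sends no ALPN extension at all still completes the handshake, so this field on its own does not enforce h2, and whether every existing peer of these three mTLS listeners offers h2 is not visible from the hunks. All three function bodies start or end outside their hunks.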
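Review bot: `tryConnect` in internal/xds/server/runner/runner_test.go now always offers `h2`, so the test exercises only the matching-ALPN path of the server change. A second case whose client config sets a non-matching list, for example `NextProtos: []string{"http/1.1"}`, and expects the dial to fail would pin the rejection behaviour that the new server-side field introduces. That needs the protocol list passed into `tryConnect` as a parameter; the signature is truncated in the hunk header and the rest of the body is outside the hunk, so the exact shape is a guess.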