diff --git a/ironic/conductor/utils.py b/ironic/conductor/utils.py
index aeb067a7a1..643bc4d10a 100644
--- a/ironic/conductor/utils.py
+++ b/ironic/conductor/utils.py
@@ -479,9 +479,9 @@ def cleaning_error_handler(task, logmsg, errmsg=None, traceback=False,
         node.del_driver_internal_info('cleaning_reboot')
         node.del_driver_internal_info('cleaning_polling')
         node.del_driver_internal_info('skip_current_clean_step')
-        # We don't need to keep the old agent URL
+        # We don't need to keep the old agent URL, or token
         # as it should change upon the next cleaning attempt.
-        node.del_driver_internal_info('agent_url')
+        wipe_token_and_url(task)
     # For manual cleaning, the target provision state is MANAGEABLE, whereas
     # for automated cleaning, it is AVAILABLE.
     manual_clean = node.target_provision_state == states.MANAGEABLE
diff --git a/ironic/tests/unit/conductor/test_utils.py b/ironic/tests/unit/conductor/test_utils.py
index 7d8e70a1fa..3efc3052be 100644
--- a/ironic/tests/unit/conductor/test_utils.py
+++ b/ironic/tests/unit/conductor/test_utils.py
@@ -1150,6 +1150,9 @@ class ErrorHandlersTestCase(db_base.DbTestCase):
         self.node.set_driver_internal_info('skip_current_clean_step', True)
         self.node.set_driver_internal_info('clean_step_index', 0)
         self.node.set_driver_internal_info('agent_url', 'url')
+        self.node.set_driver_internal_info('agent_secret_token', 'foo')
+        self.node.set_driver_internal_info('agent_secret_token_pregenerated',
+                                           False)
 
         msg = 'error bar'
         last_error = "last error"
@@ -1162,6 +1165,9 @@ class ErrorHandlersTestCase(db_base.DbTestCase):
         self.assertNotIn('cleaning_polling', self.node.driver_internal_info)
         self.assertNotIn('skip_current_clean_step',
                          self.node.driver_internal_info)
+        self.assertNotIn('agent_secret_token', self.node.driver_internal_info)
+        self.assertNotIn('agent_secret_token_pregenerated',
+                         self.node.driver_internal_info)
         self.assertEqual(last_error, self.node.last_error)
         self.assertTrue(self.node.maintenance)
         self.assertEqual(last_error, self.node.maintenance_reason)
diff --git a/releasenotes/notes/wipe-agent-token-upon-cleaning-timeout-c9add514fad1b02c.yaml b/releasenotes/notes/wipe-agent-token-upon-cleaning-timeout-c9add514fad1b02c.yaml
new file mode 100644
index 0000000000..0aa828ccda
--- /dev/null
+++ b/releasenotes/notes/wipe-agent-token-upon-cleaning-timeout-c9add514fad1b02c.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue where an agent token was being orphaned if a baremetal node
+    timed out during cleaning operations, leading to issues where the node
+    would not be able to establish a new token with Ironic upon future
+    in some cases. We now always wipe the token in this case.