diff --git a/src/cli/cli_tcp.cpp b/src/cli/cli_tcp.cpp
index 6d3158d1cf40..777d89ca8272 100644
--- a/src/cli/cli_tcp.cpp
+++ b/src/cli/cli_tcp.cpp
@@ -143,16 +143,12 @@ template <> otError TcpExample::Process<Cmd("init")>(Arg aArgs[])
             mUseCircularSendBuffer = true;
             mUseTls                = true;
 
-            // mbedtls_debug_set_threshold(0);
-
-            otPlatCryptoRandomInit();
             mbedtls_x509_crt_init(&mSrvCert);
             mbedtls_pk_init(&mPKey);
 
             mbedtls_ssl_init(&mSslContext);
             mbedtls_ssl_config_init(&mSslConfig);
             mbedtls_ssl_conf_rng(&mSslConfig, Crypto::MbedTls::CryptoSecurePrng, nullptr);
-            // mbedtls_ssl_conf_dbg(&mSslConfig, MbedTlsDebugOutput, this);
             mbedtls_ssl_conf_authmode(&mSslConfig, MBEDTLS_SSL_VERIFY_NONE);
             mbedtls_ssl_conf_ciphersuites(&mSslConfig, sCipherSuites);
 
@@ -261,6 +257,20 @@ template <> otError TcpExample::Process<Cmd("init")>(Arg aArgs[])
     mInitialized = true;
 
 exit:
+#if OPENTHREAD_CONFIG_TLS_ENABLE
+    if ((error != OT_ERROR_NONE) && mUseTls)
+    {
+        mbedtls_ssl_config_free(&mSslConfig);
+        mbedtls_ssl_free(&mSslContext);
+
+        mbedtls_pk_free(&mPKey);
+        mbedtls_x509_crt_free(&mSrvCert);
+
+        otTcpCircularSendBufferForceDiscardAll(&mSendBuffer);
+        OT_UNUSED_VARIABLE(otTcpCircularSendBufferDeinitialize(&mSendBuffer));
+    }
+#endif // OPENTHREAD_CONFIG_TLS_ENABLE
+
     return error;
 }
 
@@ -286,7 +296,6 @@ template <> otError TcpExample::Process<Cmd("deinit")>(Arg aArgs[])
 #if OPENTHREAD_CONFIG_TLS_ENABLE
     if (mUseTls)
     {
-        otPlatCryptoRandomDeinit();
         mbedtls_ssl_config_free(&mSslConfig);
         mbedtls_ssl_free(&mSslContext);