79533211

Date: 2025-03-25 09:34:32
Score: 0.5

Please note that services without mTLS support or mismatched mTLS configurations can lead to connection resets.

It is important to confirm that port 8080 does not receive any external mTLS traffic, in addition to confirming the external mTLS connection via the ingress port 8443. Refer to this documentation for more information on this.

Make sure that mTLS is enabled in Istio by inspecting the PeerAuthentication and DestinationRule configurations. By changing from STRICT to PERMISSIVE, the sidecar will be configured to accept both mTLS and non-mTLS traffic, as mentioned in this documentation, which will be helpful to fix the issue.

Additionally, check if the Istio proxy itself is having issues; it may be due to resetting connections. Please check the status of your Istio proxies using the command below:

istioctl proxy-status

Refer to this documentation which tells how mutual TLS works in Istio and how it is enforced in strict mode.

Reasons:
  • Blacklisted phrase (1): this document
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: Imran Premnawaz
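
The two resources the answer says to inspect, shown as an added example that is not part of the original post: a workload-scoped PeerAuthentication that keeps STRICT as the default and relaxes only port 8080, paired with a DestinationRule whose client-side TLS mode matches. The namespace `demo`, the name `my-service-mtls`, the label `app: my-service` and the host are assumed placeholders.

```yaml
# Added example; namespace, names, label and host are assumed placeholders.
# Server side: what the sidecar in front of the workload will accept.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: my-service-mtls          # hypothetical name
  namespace: demo                # hypothetical namespace
spec:
  selector:                      # required when portLevelMtls is used
    matchLabels:
      app: my-service            # hypothetical workload label
  mtls:
    mode: STRICT                 # default for every port of this workload
  portLevelMtls:
    8080:                        # workload (container) port, not the Service port
      mode: PERMISSIVE           # accept both mTLS and plaintext on this port only
---
# Client side: what calling sidecars send to the service.
# A mode here that disagrees with the PeerAuthentication above (for example
# DISABLE against a STRICT port) is the kind of mismatch that ends in resets.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: my-service-mtls          # hypothetical name
  namespace: demo
spec:
  host: my-service.demo.svc.cluster.local   # hypothetical service host
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL         # originate mTLS with Istio-issued certificates
```

Scoping PERMISSIVE to a single port keeps the rest of the workload in STRICT mode while the reset is being diagnosed; the port entry can be removed once the cause is found.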