Connecting VM to cluster running east-west gateway using NodePort

I am trying to connect a VM to an Istio cluster. I am following this guide

The cluster has east-west and ingress gateways exposed using NodePorts.

NAME                    TYPE       CLUSTER-IP     EXTERNAL-IP                            PORT(S)   AGE
istio-eastwestgateway   NodePort   10.246.2.101   10.246.0.115,10.246.0.4,10.246.0.226   15021:31281/TCP,15443:31141/TCP,15012:32605/TCP,15017:31990/TCP   2d23h
istio-ingressgateway    NodePort   10.246.2.202   10.246.0.115,10.246.0.4,10.246.0.226   15020:32529/TCP,80:30947/TCP,443:30170/TCP,15029:31971/TCP,15030:31357/TCP,15031:31209/TCP,15032:30929/TCP,31400:31048/TCP,15443:30049/TCP   2d23h

Configuration applied to VM

cluster.env


CANONICAL_REVISION='latest'
CANONICAL_SERVICE='vm'
ISTIO_INBOUND_PORTS='*'
ISTIO_LOCAL_EXCLUDE_PORTS='22,15090,15021,15020'
ISTIO_METAJSON_LABELS='{"app":"vm","service.istio.io/canonical-name":"vm","service.istio.io/canonical-revision":"latest"}'
ISTIO_META_CLUSTER_ID==
ISTIO_META_DNS_AUTO_ALLOCATE='true'
ISTIO_META_DNS_CAPTURE='true'
ISTIO_META_MESH_ID='mesh1'
ISTIO_META_NETWORK='vm-network'
ISTIO_META_WORKLOAD_NAME='vm'
ISTIO_NAMESPACE='vm'
ISTIO_SERVICE='vm.vm'
ISTIO_SERVICE_CIDR='*'
POD_NAMESPACE='vm'
SERVICE_ACCOUNT='vm-service-account'
TRUST_DOMAIN='cluster.local'

mesh.yaml

defaultConfig:
  discoveryAddress: istiod.istio-system.svc:15012
  meshId: mesh1
  proxyMetadata:
    CANONICAL_REVISION: latest
    CANONICAL_SERVICE: vm
    ISTIO_META_CLUSTER_ID: =
    ISTIO_META_DNS_AUTO_ALLOCATE: "true"
    ISTIO_META_DNS_CAPTURE: "true"
    ISTIO_META_MESH_ID: mesh1
    ISTIO_META_NETWORK: vm-network
    ISTIO_META_WORKLOAD_NAME: vm
    ISTIO_METAJSON_LABELS: '{"app":"vm","service.istio.io/canonical-name":"vm","service.istio.io/canonical-revision":"latest"}'
    POD_NAMESPACE: vm
    SERVICE_ACCOUNT: vm-service-account
    TRUST_DOMAIN: cluster.local
  tracing:
    zipkin:
      address: zipkin.istio-system:9411

When I start Istio I see the following log:


Maybe I need to somehow configure it to use port 32605, not 15012?
Any help will be greatly appreciated.

Update:
I updated the debug log on the cluster side and was able to find this error:
2022-09-05T10:24:25.340144Z warn serverca Authentication failed for 10.246.0.33:57382: Authenticator ClientCertAuthenticator at index 0 got error: no verified chain is found. Authenticator KubeJWTAuthenticator at index 1 got error: could not get cluster ='s kube client.
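
Added example (not part of the original post, and not Istio code): the cluster name quoted in the istiod warning above is the same string as the ISTIO_META_CLUSTER_ID value in the posted cluster.env, and this check parses cluster.env, flags identity fields with unusable values, and reports when the cluster name in the log equals the configured one. The function names and the character pattern for a usable identifier are assumptions; the sample input is copied from the post.

```python
import re
import shlex

# Constructed sample input: lines copied from the cluster.env and istiod log in the post.
CLUSTER_ENV = """\
ISTIO_META_CLUSTER_ID==
ISTIO_META_MESH_ID='mesh1'
ISTIO_META_NETWORK='vm-network'
TRUST_DOMAIN='cluster.local'
"""
ISTIOD_LOG = (
    "2022-09-05T10:24:25.340144Z warn serverca Authentication failed for "
    "10.246.0.33:57382: Authenticator ClientCertAuthenticator at index 0 got "
    "error: no verified chain is found. Authenticator KubeJWTAuthenticator at "
    "index 1 got error: could not get cluster ='s kube client."
)
IDENTITY_KEYS = ("ISTIO_META_CLUSTER_ID", "ISTIO_META_MESH_ID",
                 "ISTIO_META_NETWORK", "TRUST_DOMAIN")
# Assumption: a usable identifier is alphanumeric, with '.', '_' or '-' inside.
VALID_ID = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")
CLUSTER_IN_LOG = re.compile(r"could not get cluster (.*?)'s kube client")


def parse_env(text):
    """Parse KEY=value lines, removing shell quoting from each value."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, raw = line.split("=", 1)
        parts = shlex.split(raw)
        env[key] = parts[0] if parts else ""
    return env


def check(env_text, log_text):
    """Return findings for unusable identity values and log/config matches."""
    env = parse_env(env_text)
    findings = [f"{key}: unusable value {env.get(key, '')!r}"
                for key in IDENTITY_KEYS
                if not VALID_ID.match(env.get(key, ""))]
    seen = CLUSTER_IN_LOG.search(log_text)
    if seen and seen.group(1) == env.get("ISTIO_META_CLUSTER_ID"):
        findings.append(f"istiod log names cluster {seen.group(1)!r}, the same "
                        "string as ISTIO_META_CLUSTER_ID in cluster.env")
    return findings


if __name__ == "__main__":
    for finding in check(CLUSTER_ENV, ISTIOD_LOG):
        print(finding)
```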