Intermittent connection reset error on external SSL connections

We are seeing intermittent (max 3 per hour) “Connection reset” errors from Java code with the following stack trace:
java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:210) ~[?:1.8.0_252]
at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_252]
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) ~[?:1.8.0_252]
at sun.security.ssl.InputRecord.read(InputRecord.java:503) ~[?:1.8.0_252]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:990) ~[?:1.8.0_252]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388) ~[?:1.8.0_252]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416) ~[?:1.8.0_252]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400) ~[?:1.8.0_252]

A curl command running in the same container is also getting the same error:
* Connected to host_masked (ip_masked) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer

This host is open to the public on the internet.
Istio version is 1.5.8.
There is no egress gateway.
Istio treats these URLs as PassthroughCluster as seen from logs.

We don’t get any error when we run the same script on the same k8s worker node, or on a standalone EC2 node.

As per AWS support, there is no issue with the NAT gateway or the ELB.

Has anybody seen similar behavior?

Thanks!