I had the same problem and I found a solution…
You need to create a PeerAuthentication, because with Istio version 1.5.1, if you enable mTLS on your gateway, Istio closes all decryption traffic.
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: PERMISSIVE
You can check your service through the “istioctl” CLI:
istioctl authn tls-check <pod>
If there is “ISTIO_MUTUAL”, you need to add a PeerAuthentication for connections between a service with a sidecar and a service without a sidecar.
Also, you can create a special rule for only a specific port…
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "example"
spec:
  selector:
    matchLabels:
      app: example
  mtls:
    mode: STRICT
  portLevelMtls:
    1337:
      mode: DISABLE
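
An added example, not part of the original post: a small audit that resolves which mTLS mode applies to each port of a workload once both kinds of policy above exist, so the ports that still accept plaintext are explicit. Assumptions: the input is shaped like `kubectl get peerauthentication -A -o json` items, the root namespace is `istio-system`, the `example` policy lives in a namespace called `default`, and the function names are hypothetical.

```python
"""Added example: effective mTLS mode per port from PeerAuthentication objects."""
ROOT_NS = "istio-system"  # assumption: Istio's default root namespace

# Constructed sample mirroring the two policies in the answer above.
# The "default" namespace of the second policy is an assumption.
POLICIES = [
    {"metadata": {"name": "default", "namespace": "istio-system"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"metadata": {"name": "example", "namespace": "default"},
     "spec": {"selector": {"matchLabels": {"app": "example"}},
              "mtls": {"mode": "STRICT"},
              "portLevelMtls": {"1337": {"mode": "DISABLE"}}}},
]

def _mode(block):
    """Return the mode of an mtls block, or None when it is absent or UNSET."""
    mode = (block or {}).get("mode", "UNSET")
    return None if mode == "UNSET" else mode

def effective_mode(policies, namespace, labels, port):
    """Workload policy beats namespace-wide, which beats mesh-wide (root namespace).

    Simplification: when several policies sit at one level, the first in the
    list wins; Istio itself prefers the oldest one.
    """
    workload = namespace_wide = mesh_wide = None
    for p in policies:
        ns, spec = p["metadata"]["namespace"], p.get("spec", {})
        want = spec.get("selector", {}).get("matchLabels", {})
        if ns == namespace and want:
            if all(labels.get(k) == v for k, v in want.items()):
                # A port-level entry overrides the workload-level mode.
                port_mode = _mode(spec.get("portLevelMtls", {}).get(str(port)))
                workload = workload or port_mode or _mode(spec.get("mtls"))
        elif ns == namespace and not want:
            namespace_wide = namespace_wide or _mode(spec.get("mtls"))
        elif ns == ROOT_NS and not want:
            mesh_wide = mesh_wide or _mode(spec.get("mtls"))
    # With no policy at all, Istio defaults to PERMISSIVE.
    return workload or namespace_wide or mesh_wide or "PERMISSIVE"

def plaintext_ports(policies, namespace, labels, ports):
    """Ports where the sidecar still accepts plaintext (anything but STRICT)."""
    return {p: m for p in ports
            if (m := effective_mode(policies, namespace, labels, p)) != "STRICT"}

if __name__ == "__main__":
    print(plaintext_ports(POLICIES, "default", {"app": "example"}, [8080, 1337]))
```

Workloads that no selector matches fall back to the mesh-wide `PERMISSIVE` policy, so they accept plaintext on every port until a stricter policy covers them.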