MTLS not working properly on 1.6

Here is our setup.

It’s an Azure AKS cluster.
Sidecar injection is enabled at the namespace level.
Peer authentication created for the namespace with PERMISSIVE mode.
A gateway, virtual service, and destination rule are created for allowing the primary to the service.

Is there anything else needed for MTLS to work properly? I can see a lot of requests with connection_security_policy as none or unknown even though all the pods have sidecars.

In some workloads, if I do a normal curl to the service URL, it works and connection_security_policy is shown as mtls, but when I do a curl with -H 'Host:myhostname' it still works but it's not MTLS then.

Need help with this.

I see very little documentation for 1.6.x and there is a lot of confusion on all of it. Can we have better steps or requirements on how to handle MTLS on 1.6.x?