Generally each end of the connection should be using its own certificate and key (because effectively your setup is now kind of "PSK", pre-shared key, as you have shared the certificate keys between your hosts...). But I don't see any mention in Zabbix documentation if your setup is specifically disallowed or not. You can try with a proxy-specific certificate to be sure about that.

I'd also just try with the simple TLS-PSK setup first. (I still don't understand though why the Zabbix server just reset the connection right away, according to your tcpdump.)

Btw, you linked the 3.4 version of manual, and you said that you have version 4.0.x components, just a note about that.

Markku

Thank you so much for your help.
we found out that we had to this proxy another firewall open for 10050 and 10051 but has blocked TLS \ SSL to 10051 as the network guy says
"it looked fishy to the firewall that ssl 443 trying to go through 10051"

PROBLEM SLOVED!
thank you!!

Nice to hear that! So the firewall guys lied to you in the first time when they said the rules were identical between the proxies and that the traffic went through identically :-)

That explains the Reset very well (= the reset was not sent by Zabbix server but the firewall).

Markku