You are having issues passing client certificates across the SSL Visibility appliance and need to understand what is required.
Log records may contain line(s) similar to the following:
localhost ssldata: # Rejecting flow with client certificate: <srcIP> --><dstIP>:443 [some string]. Adding a cut-through rule is necessary to avoid future rejected flows.
There is a limited scenario when SSL Visibility is able to decrypt SSL session(s) with a client-side certificate, which is described below.
The reason for this limitation is that the CertificateVerify SSL handshake message (containing the hash of all the previous handshake messages exchanged between the client and the server so far), which the client sends after its Certificate message, is digitally signed with the client's private key.
The implication is that the CertificateVerify message cannot be modified or regenerated by a device in the path (it does not hold the client's private key), which in turn implies that no part of the SSL handshake can be modified.
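The following Go program is an added illustration of that point and is not code from the original article or from the SSL Visibility product. It models a TLS 1.2-style client-authenticated handshake with constructed, text-only stand-ins for the handshake messages, hashes the transcript with SHA-256, and signs it with a throwaway RSA key as the client's CertificateVerify. It then shows the server-side check passing when client and server saw the same messages and failing when a device in the path rewrote ServerKeyExchange (real TLS adds DigestInfo encoding and record framing around the signed hash; those details are omitted here because they do not change the outcome).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for the handshake messages exchanged up to the
// client's CertificateVerify (illustrative text, not real TLS encoding).
var transcript = [][]byte{
	[]byte("ClientHello: random=c1, ciphers=[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]"),
	[]byte("ServerHello: random=s1, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
	[]byte("Certificate: CN=server.example"),
	[]byte("ServerKeyExchange: ecdhe_pub=SERVER_EPHEMERAL_KEY"),
	[]byte("CertificateRequest: rsa_sign, CA=Corp Issuing CA"),
	[]byte("ServerHelloDone"),
	[]byte("Certificate: CN=alice@corp.example"),
	[]byte("ClientKeyExchange: ecdhe_pub=CLIENT_EPHEMERAL_KEY"),
}

// TranscriptHash is SHA-256 over the concatenation of every handshake
// message seen so far; this is what CertificateVerify signs.
func TranscriptHash(msgs [][]byte) []byte {
	h := sha256.New()
	for _, m := range msgs {
		h.Write(m)
	}
	return h.Sum(nil)
}

// SignCertificateVerify is the client side: sign the transcript hash with
// the private key that belongs to the client certificate.
func SignCertificateVerify(priv *rsa.PrivateKey, msgs [][]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, TranscriptHash(msgs))
}

// VerifyCertificateVerify is the server side: recompute the hash from the
// messages the server itself sent and received, then check the signature
// against the public key in the client certificate.
func VerifyCertificateVerify(pub *rsa.PublicKey, msgs [][]byte, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, TranscriptHash(msgs), sig) == nil
}

// InterceptedTranscript is what the client would see if a decrypting device
// in the path substituted its own ephemeral key in ServerKeyExchange.
func InterceptedTranscript(msgs [][]byte) [][]byte {
	out := make([][]byte, len(msgs))
	copy(out, msgs)
	out[3] = []byte("ServerKeyExchange: ecdhe_pub=INTERMEDIARY_EPHEMERAL_KEY")
	return out
}

// RunHandshakeCheck generates a throwaway client key and returns whether the
// server's verification passes for (a) an untouched handshake and (b) one
// whose ServerKeyExchange was rewritten in transit.
func RunHandshakeCheck() (intact bool, intercepted bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	pub := &priv.PublicKey

	// (a) No device in the path: client and server hashed identical messages.
	sig, err := SignCertificateVerify(priv, transcript)
	if err != nil {
		return false, false, err
	}
	intact = VerifyCertificateVerify(pub, transcript, sig)

	// (b) The client signs the transcript it saw (with the substituted key);
	// the server verifies against the transcript it actually sent. The device
	// cannot produce a fresh signature because it lacks the client's key.
	sig, err = SignCertificateVerify(priv, InterceptedTranscript(transcript))
	if err != nil {
		return false, false, err
	}
	intercepted = VerifyCertificateVerify(pub, transcript, sig)
	return intact, intercepted, nil
}

func main() {
	intact, intercepted, err := RunHandshakeCheck()
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched handshake verifies:", intact)
	fmt.Println("rewritten handshake verifies:", intercepted)
}
```

This is why a transparent decryption device cannot simply re-sign on the client's behalf: it would need the private key that never leaves the client, so its only choices are to leave such flows encrypted (the cut-through rule the log message refers to) or to use a deployment in which the client's signature is still computed over an unmodified handshake.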
SSL Visibility provides two options to successfully handle client-side certificate SSL sessions: