Client certificate not presented by the ProxySG during SSL renegotiation.
Article ID: 248202

Products

ProxySG Software - SGOS

Issue/Introduction

SSL renegotiation occurs during an existing SSL session.

The server requests a client certificate, and the user is able to provide it.

During the initial SSL handshake, where the client certificate was requested, the proxy forwards the client certificate to the server.

The issue occurs during SSL renegotiation, where the proxy does not appear to forward the client certificate to the server.

Cause

The SSL Proxy controls the initial SSL handshake and plays an active role in pausing the handshake, injecting or removing attributes (extensions, etc.), and resuming it. Once the handshake completes, the SSL Proxy moves to the next phase, the application data phase, where it either hands the connection over to the HTTP proxy or tunnels the traffic. During this phase, the SSL Proxy is not involved in protocol-level messages such as Hello Request. As a result, if no certificate was requested in the initial handshake, an empty certificate is forwarded when a certificate is requested in the renegotiated handshake.
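The condition described above can be confirmed from a capture of the server-to-client byte stream: the initial handshake is plaintext, so a CertificateRequest (handshake type 13) is visible there, while a renegotiation that follows application data is only visible as handshake records (content type 22) appearing after application-data records (content type 23), because its contents are encrypted under the established session. The following added example (written for this article, not ProxySG or Broadcom code) walks the TLS record layer and reports both facts. It assumes a TLS 1.0 to 1.2 stream in one direction and uses constructed sample records; no real capture or session keys are involved.

```python
"""TLS record-layer walker: reports whether the initial handshake asked for a
client certificate and whether a renegotiation followed the application-data phase.

Added example, not ProxySG code. Assumes one direction (server -> client) of a
TLS 1.0-1.2 stream; handshake bodies are only parsed while still in plaintext.
"""
import struct

CT_CHANGE_CIPHER_SPEC = 20
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
HS_CERTIFICATE_REQUEST = 13
HS_SERVER_HELLO_DONE = 14


def iter_records(stream: bytes):
    """Yield (content_type, payload) for each TLS record: 1-byte type, 2-byte version, 2-byte length."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, body
        off += 5 + length


def iter_handshake_messages(payload: bytes):
    """Yield (handshake_type, body) for each plaintext handshake message: 1-byte type, 3-byte length."""
    off = 0
    while off + 4 <= len(payload):
        hs_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        yield hs_type, payload[off + 4:off + 4 + length]
        off += 4 + length


def analyze(stream: bytes) -> dict:
    """Walk the records in order and track the two facts relevant to this article."""
    encrypted = False            # set once ChangeCipherSpec is seen; later handshake bodies are opaque
    in_app_phase = False         # set once the first application-data record is seen
    initial_cert_requested = False
    renegotiations = 0
    for ctype, body in iter_records(stream):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == CT_APPLICATION_DATA:
            in_app_phase = True
        elif ctype == CT_HANDSHAKE:
            if in_app_phase:
                # A handshake record after application data is a renegotiation
                # (Hello Request and the handshake that follows), contents encrypted.
                renegotiations += 1
            elif not encrypted:
                for hs_type, _ in iter_handshake_messages(body):
                    if hs_type == HS_CERTIFICATE_REQUEST:
                        initial_cert_requested = True
    return {"initial_cert_requested": initial_cert_requested,
            "renegotiations": renegotiations}


def renegotiation_without_initial_cert(report: dict) -> bool:
    """True for the combination the article describes: a renegotiation happened and the
    initial handshake never requested a client certificate."""
    return report["renegotiations"] > 0 and not report["initial_cert_requested"]


# --- constructed sample records (not from a real capture) ---------------------
def record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body


def handshake_msg(hs_type: int, body: bytes = b"") -> bytes:
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


# Minimal CertificateRequest body: one cert type, one signature algorithm, no CA names.
CERT_REQUEST_BODY = b"\x01\x01" + b"\x00\x02\x04\x01" + b"\x00\x00"

# Initial handshake tail without a CertificateRequest, then an encrypted renegotiation.
SAMPLE_NO_CERT_REQ = (
    record(CT_HANDSHAKE, handshake_msg(HS_SERVER_HELLO_DONE))
    + record(CT_CHANGE_CIPHER_SPEC, b"\x01")
    + record(CT_HANDSHAKE, b"\x00" * 16)                 # encrypted Finished
    + record(CT_APPLICATION_DATA, b"HTTP/1.1 200 OK\r\n")
    + record(CT_HANDSHAKE, b"\x00" * 24)                 # encrypted renegotiation
)

# Same stream, but the initial handshake did request a client certificate.
SAMPLE_CERT_REQ = (
    record(CT_HANDSHAKE, handshake_msg(HS_CERTIFICATE_REQUEST, CERT_REQUEST_BODY)
           + handshake_msg(HS_SERVER_HELLO_DONE))
    + SAMPLE_NO_CERT_REQ[len(record(CT_HANDSHAKE, handshake_msg(HS_SERVER_HELLO_DONE))):]
)

if __name__ == "__main__":
    for name, sample in (("no initial CertificateRequest", SAMPLE_NO_CERT_REQ),
                         ("initial CertificateRequest", SAMPLE_CERT_REQ)):
        rep = analyze(sample)
        print(name, rep, "empty-cert condition:", renegotiation_without_initial_cert(rep))
```

Because the renegotiation handshake is encrypted, the walker can only count that a renegotiation took place, not see which messages it carried; whether a certificate was requested inside it has to come from the proxy or endpoint logs, which is exactly why the CCR list in the Resolution section is needed.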

Resolution

To handle this, a "CCR" (Client Cert Requested during Renegotiation) list is maintained, which allows the proxy to forward the client certificate to the server during the SSL renegotiation handshake.

Please refer to this article for more details on the CCR list mentioned above - https://knowledge.broadcom.com/external/article/166106.