Forum Discussion
Client Certificate is not passing through back end hosts
I have SSL terminated at the F5; we have a client certificate for client authentication arriving with the application request. The client certificate is not passed through to the back-end systems, hence they are rejecting the request. We have SSL client and server profiles enabled on the F5 and are listening on HTTPS on the back end with the same site certificate.
This is kind of a show stopper for us; can anyone please help us resolve the issue? Thank you.
3 Replies
- Kevin_Stewart
Employee
Never going to work. This is a fundamental limitation (and security feature) of SSL/TLS. Upon presenting its certificate, a client also presents information signed with its private key. Therefore any device that terminates (and optionally re-encrypts) between the two endpoints cannot send the client's certificate, because it would never have access to the client's private key. Your options are to either:
a) not handle SSL/TLS at the proxy, or
b) request the client cert at the proxy and find some other information to send to the server.
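One way to implement option (b) on the F5 itself, as an added example that is not part of this thread or of any F5-supplied code: an iRule that captures the certificate the client presents during the client-side handshake and forwards its subject and its base64-encoded DER to the pool member in HTTP headers. The header names `X-Client-Cert` and `X-Client-Subject` are assumptions. The back end must treat these headers as trustworthy only on requests that provably came from the F5 (for example over the server-side SSL profile on a network path that clients cannot reach directly), and the iRule strips any copy of those headers a client may have sent before re-adding its own.

```tcl
# Added example (not from the thread): forward client-certificate details to the pool member.
# Assumes a client SSL profile with "Client Certificate" set to request or require,
# and a pool member that only accepts these headers from the F5.
when CLIENTSSL_CLIENTCERT {
    # Fires when the client-side handshake presents a certificate.
    # SSL::cert 0 returns the leaf certificate in DER form; keep it on the connection
    # so every HTTP request on this connection can carry it.
    if { [SSL::cert count] > 0 } {
        set client_cert_der [SSL::cert 0]
        set client_cert_subject [X509::subject $client_cert_der]
    }
}

when HTTP_REQUEST {
    # Never let a client smuggle these headers past the proxy: remove every
    # inbound copy first, then insert values the F5 observed itself.
    while { [HTTP::header exists "X-Client-Cert"] } {
        HTTP::header remove "X-Client-Cert"
    }
    while { [HTTP::header exists "X-Client-Subject"] } {
        HTTP::header remove "X-Client-Subject"
    }

    if { [info exists client_cert_der] } {
        HTTP::header insert "X-Client-Cert" [b64encode $client_cert_der]
        HTTP::header insert "X-Client-Subject" $client_cert_subject
    }
}
```

The variables set in CLIENTSSL_CLIENTCERT live for the TCP connection, so requests on a new connection that resumes an existing TLS session will not see them unless the certificate is also cached (for example in the session table keyed by the SSL session ID). The back end still has to decide whether it trusts the subject the F5 reports; it is not a substitute for the signature the client produced during the original handshake, which is exactly what the proxy cannot replay.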
- Kevin_Stewart
Employee
is this not a use case for Proxy SSL feature?
It is indeed, but a) you didn't mention ProxySSL in your original question, and b) ProxySSL comes with some pretty significant caveats.
As with any SSL "man-in-the-middle"-type solution, ProxySSL requires knowledge of the server's private key and an RSA-based key exchange between the client and server. This last requirement is proving harder to achieve as the industry moves away from non-perfect-forward-secrecy cryptography.
- Kevin_Stewart
Employee
So just to clarify, your fastL4 isn't doing any SSL, so you're just passing SSL directly between the client and backend server, and of course client cert auth should work. Are you load balancing between multiple backend servers, and if so how are you maintaining persistence?
You simply CANNOT pass the client's certificate to the backend server if you terminate the SSL at the proxy, for the reasons I described before. ProxySSL can work in this regard, but you must force the client and backend server to only negotiate with non-PFS RSA, which is becoming harder to do as user-agents are starting to completely deprioritize (and ultimately remove) non-PFS ciphers.