Yes Cisco ASA have a capability to check packets and drop some packets.
Do you have your tunnel group configured for Certificate Authentication?
It seems you enabled the interface Outside to ask for Certificates but probably your Tunnel Group Authentication Policy is not configured to authenticate by Certificate or both Methods (AAA and Certificate)