The Security Gateway cannot fetch the CRL (certificate revocation list). By default, the gateway caches the CRL for 24 hours. After that, a new CRL has to be fetched from the Security Management server.
The CRL fetch flow is as follows:
- The gateway checks its CRL cache. If the CRL is found in the cache, it is used.
- If the CRL is not in the cache, the gateway tries to fetch it from all the Management servers listed in $FWDIR/conf/masters.
The $FWDIR/conf/masters file makes no distinction between primary and secondary servers. The gateway fetches the CRL from the first Security Management server that responds. By default, only the IP address of the primary Security Management server is written to that file.
The CRL fetch fails because the gateway tries to fetch the CRL from the primary Security Management server, which is down.
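The flow above, modelled as an added example (not Check Point's own code): a 24-hour cache check, then a walk over the servers listed in $FWDIR/conf/masters in file order, first responder wins. The masters file layout (a `MASTERS:` header followed by one address per line) and the 192.0.2.x addresses are assumptions constructed for the demonstration; the last two calls show the failure with a primary-only file and the recovery once a reachable secondary is also listed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

CRL_CACHE_TTL_SECONDS = 24 * 60 * 60  # gateway caches the CRL for 24 hours


@dataclass
class CachedCRL:
    data: bytes
    fetched_at: float  # epoch seconds when this CRL was fetched


def parse_masters(text: str) -> list[str]:
    """Return the server list from a $FWDIR/conf/masters file.

    Assumed layout: a 'MASTERS:' header line, then one address per line.
    Blank lines and '#' comments are skipped. Order is file order; there
    is no primary/secondary marker to honour."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue
        hosts.append(line)
    return hosts


def fetch_crl(cache: Optional[CachedCRL], masters: list[str],
              try_fetch: Callable[[str], Optional[bytes]],
              now: float) -> tuple[str, Optional[bytes]]:
    """Return (source, crl). try_fetch(host) gives CRL bytes, or None if the host is down."""
    if cache is not None and now - cache.fetched_at < CRL_CACHE_TTL_SECONDS:
        return ("cache", cache.data)          # cache still valid, no fetch needed
    for host in masters:                      # file order, first responder wins
        crl = try_fetch(host)
        if crl is not None:
            return (host, crl)
    return ("none", None)                     # every listed server failed to answer


def make_fetcher(reachable: set[str]) -> Callable[[str], Optional[bytes]]:
    """Simulated network: only hosts in `reachable` return a CRL (constructed data)."""
    return lambda host: b"crl-from-" + host.encode() if host in reachable else None


# Constructed sample files: default (primary only) and with the secondary added.
MASTERS_PRIMARY_ONLY = "MASTERS:\n192.0.2.10\n"
MASTERS_WITH_SECONDARY = "MASTERS:\n192.0.2.10\n192.0.2.11\n"

if __name__ == "__main__":
    primary_down = make_fetcher({"192.0.2.11"})   # secondary up, primary down
    print(fetch_crl(None, parse_masters(MASTERS_PRIMARY_ONLY), primary_down, now=0.0))
    print(fetch_crl(None, parse_masters(MASTERS_WITH_SECONDARY), primary_down, now=0.0))
```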