Problem: This issue occurs when working with endpoint certificates, using an external CA, and the "Retrieve CRL from" feature is turned on under the CA object properties.

The FireWall module communicates with the selected CA and tries to retrieve the CRL.
If "Hide Cluster Members' outgoing traffic behind the cluster IP Address" is selected under "3rd party configuration", the connection is NATed to the cluster VIP.
The CA then receives a request in which the IP address inside the request data differs from the source IP address of the connection, and it may drop the request.