velo
Contributor

Disable CRL checking IPSEC S2S VPN

I recently discovered that if you're using certificate-based IPsec VPNs with the Security Management Server (SMS) as the CA (not using purchased certificates), your VPNs can experience outages if the SMS goes down. The default certificate cache duration is 24 hours, but if the cache is close to expiring (e.g., at 23 hours) and the SMS goes offline, VPNs may start dropping connections after just one hour. This happened to me. Even if I extend the cache to 120 hours, the same issue applies.

I've come across an article about disabling CRL checking, at least during SMS upgrades. Can I just clarify: if I am using the SMS as the internal CA (without purchased certs), do I need to do steps 1, 2, 3 or just steps 1, 2?

I'm asking because of this:

"Note: For the imported 3rd-party Trusted CA (OPSEC PKI) that is used for certificate based Site-to-Site VPN, you only need to follow the "Part 1" and "Part 3" of the procedure below to disable the CRL for the 3rd-party CA object."

https://support.checkpoint.com/results/sk/sk21156


Thanks

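As an added illustration of the trade-off behind the question (this is constructed example code, not from the thread, from sk21156 or from Check Point), the following Python uses the `cryptography` library to build a throwaway CA standing in for the management server's internal CA, issue two gateway certificates (one later revoked), sign a CRL whose validity period models the gateway's CRL cache lifetime, and then evaluate both peers at points in time before and after the cache lapses with CRL checking on and off. The validation policy in `validate_peer`, the reference time `T0`, the hostnames and the 23-hour/24-hour figures are assumptions taken from the scenario described in the post, not Check Point's actual implementation.

```python
# Added example (not from the thread or from Check Point): a constructed simulation of
# how a gateway's cached CRL interacts with CA availability. Requires the `cryptography`
# package. Names, times and the validation policy are assumptions for illustration.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed reference time


def make_ca():
    """Throwaway self-signed CA standing in for the management server's internal CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-internal-ca")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(T0 - timedelta(days=1))
        .not_valid_after(T0 + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_cert(ca_key, ca_cert, common_name):
    """Issue a leaf certificate for a VPN gateway from the throwaway CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(T0 - timedelta(days=1))
        .not_valid_after(T0 + timedelta(days=365))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials, issued_at, validity_hours):
    """Sign a CRL valid for `validity_hours` from `issued_at` (models the cache lifetime)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(issued_at)
        .next_update(issued_at + timedelta(hours=validity_hours))
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(issued_at).build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def crl_next_update(crl):
    """Return nextUpdate as an aware UTC datetime across cryptography versions."""
    next_update = getattr(crl, "next_update_utc", None)
    return next_update if next_update is not None else crl.next_update.replace(tzinfo=timezone.utc)


def validate_peer(peer_cert, ca_cert, cached_crl, now, crl_checking=True):
    """Assumed gateway policy: verify the issuer signature, then consult the cached CRL."""
    ca_cert.public_key().verify(
        peer_cert.signature, peer_cert.tbs_certificate_bytes,
        ec.ECDSA(peer_cert.signature_hash_algorithm),
    )
    if not crl_checking:
        return "accepted-unchecked"  # revocation status is never consulted
    if cached_crl is None or not cached_crl.is_signature_valid(ca_cert.public_key()):
        return "rejected-no-crl"
    if now > crl_next_update(cached_crl):
        return "rejected-crl-expired"  # the cache lapsed while the CA was unreachable
    if cached_crl.get_revoked_certificate_by_serial_number(peer_cert.serial_number) is not None:
        return "rejected-revoked"
    return "accepted"


def outage_scenario(cache_hours=24, outage_after_hours=23, check_offsets_hours=(0, 2)):
    """Model the post's case: CRL cached at T0, management server unreachable from
    T0 + outage_after_hours so the cache cannot be refreshed. Returns the outcome for a
    valid and a revoked peer at each offset after the outage starts, with and without
    CRL checking, keyed by (crl_checking, offset_hours, peer)."""
    ca_key, ca_cert = make_ca()
    good = issue_cert(ca_key, ca_cert, "gw-branch.example")
    revoked = issue_cert(ca_key, ca_cert, "gw-decommissioned.example")
    cached_crl = build_crl(ca_key, ca_cert, [revoked.serial_number], T0, cache_hours)
    results = {}
    for crl_checking in (True, False):
        for offset in check_offsets_hours:
            now = T0 + timedelta(hours=outage_after_hours + offset)
            results[(crl_checking, offset, "good")] = validate_peer(good, ca_cert, cached_crl, now, crl_checking)
            results[(crl_checking, offset, "revoked")] = validate_peer(revoked, ca_cert, cached_crl, now, crl_checking)
    return results


if __name__ == "__main__":
    for key, outcome in sorted(outage_scenario().items(), key=str):
        print(key, "->", outcome)
```

Running it reproduces the behaviour described in the post: with checking enabled, the valid peer is accepted at the moment the CA goes offline (23 hours into a 24-hour cache) but rejected two hours later, and the revoked peer is rejected either way. With checking disabled, both peers are accepted at every point, which is why the tunnel survives the outage and also why the revoked gateway would still be able to negotiate; a longer cache (for example 120 hours) only moves the expiry point, it does not change that trade-off.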
PhoneBoy
Admin

Step 2 explicitly mentions the Internal Certificate Authority (ICA).
That means doing steps 1, 2, and 3.
