Forum Discussion
boneyard
MVP
Feb 28, 2013
CRL update script issue
I have been using a script to download a CRL from the Windows CA server, convert it and import it into the BIG-IP (version 11) via the tmsh modify command. This all works fine. The only issue with this...
Kevin_Stewart
Employee
Mar 11, 2013
Well, to your original point, updating a flat CRL in an LTM client SSL profile will indeed be seen as a configuration change - as intended. The problem is really twofold:
1. Your flat file local CRLs expire on some semi-regular basis, requiring an update that throws the peers out of sync
2. Automatically syncing peers, without some oversight, is generally not a good thing
The root of the problem is that the object you need to update is system-dependent, which would apply to ANY object that you updated on one of the peers. The answer to this problem is really to avoid a system-dependent mechanism for certificate revocation. The Access Policy Manager module alleviates most of the pain of local CRL management with more robust certificate revocation mechanisms (OCSP and CRLDP) and is not system-dependent (aside from its static configuration).
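A defensive version of the update flow the thread describes, added here as an example (it is not boneyard's script and not F5 code): it checks the downloaded CRL's signature against the issuing CA before installing anything, and skips the tmsh change entirely when the CRL is byte-identical to the one already installed, so peers are only thrown out of sync when there is a real update. The CRL URL, the CA certificate path and the exact tmsh install command are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumed placeholders: the
# CRL URL, the issuing CA certificate path, and the tmsh command that installs
# the file on this BIG-IP version; adjust all three to your environment.
set -eu

CRL_URL="${CRL_URL:-http://ca.example.invalid/CertEnroll/ExampleCA.crl}"  # placeholder
CA_CERT="${CA_CERT:-/var/tmp/crl/issuing-ca.pem}"                         # placeholder
WORK="${WORK:-/var/tmp/crl}"

# crl_changed NEW OLD: exit 0 when OLD is missing or differs from NEW, 1 when
# the two files are byte-identical. Skipping identical CRLs avoids a config
# change (and the peer sync it forces) on every scheduled run.
crl_changed() {
    [ -f "$2" ] || return 0
    if cmp -s "$1" "$2"; then return 1; fi
    return 0
}

# crl_verified PEM: exit 0 only if the CRL's signature checks against CA_CERT.
# "openssl crl -CAfile" reports the verdict on stderr; its exit status is not
# a reliable indicator across OpenSSL versions, so the text is checked instead.
crl_verified() {
    openssl crl -in "$1" -inform PEM -noout -CAfile "$CA_CERT" 2>&1 \
        | grep -q '^verify OK$'
}

main() {
    mkdir -p "$WORK"
    curl -fsS -o "$WORK/new.der" "$CRL_URL"
    # Windows CAs publish DER; convert to the PEM form the BIG-IP expects.
    openssl crl -inform DER -in "$WORK/new.der" -outform PEM -out "$WORK/new.pem"
    if ! crl_verified "$WORK/new.pem"; then
        echo "CRL signature did not verify against $CA_CERT; not installing" >&2
        exit 2
    fi
    if ! crl_changed "$WORK/new.pem" "$WORK/installed.pem"; then
        echo "CRL unchanged; nothing to do"
        exit 0
    fi
    # Assumed install command; confirm the exact tmsh syntax for your version.
    tmsh install sys crypto crl issuing-ca-crl from-local-file "$WORK/new.pem"
    cp "$WORK/new.pem" "$WORK/installed.pem"
    echo "CRL installed"
}

# Run the pipeline only when executed as update-crl.sh, not when sourced.
if [ "${0##*/}" = "update-crl.sh" ]; then main "$@"; fi
```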