Hi
My definitive test of whether or not a node can download the CRL is to perform the operation manually on the node itself. And since this operation is performed on the PSN (not the PAN or MnT), you can test it as follows:
ssh to the PSN
on the CLI type the command (example: CRL server is 192.168.21.200 and http server running port 80)
telnet 192.168.21.200 port 80
GET http://192.168.21.200/CertEnroll/MEGA-MEGASERVER-CA.crl
<press enter>
If the command succeeded then you will see a mix of printable and non-printable characters on the screen (binary data) - the session will hang. This is a good sign that the PSN can load the CRL.
I have also found a way to force a PSN to load the CRL by toggling the setting in the GUI (disable, then enable the CRL download option) - this causes the PSN to fetch it.