Ah, that is the difference between our setups. I also run the configuration top down (master sending out config to the clients on change and reload), but in my setup the satellites are actively connecting to the master, since most of them are behind firewalls. So they initiate the TLS connection; once established, the master sees them as online and sends out the config. The master itself never actively initiates a connection, since it would hit a firewall in virtually every case. Maybe that is the way to go for you too?
If that does not work, I am missing a key point somewhere in your config, as I too cannot see where that might come from.