In a dual-hub SD-WAN architecture, a spoke can dynamically switch the path for an existing session from one hub to another based on performance SLA changes. Each hub maintains a separate IPsec security association (SA) with the spoke. If IPsec anti-replay is enabled on the hubs, the second hub will drop packets for the failed-over session because their ESP sequence numbers will be outside its anti-replay window. This breaks the session. Disabling anti-replay on the hubs is therefore a mandatory step to prevent this check, ensuring that TCP sessions can survive the path change and fail over seamlessly between the two hubs.

A. Anti-replay is an IPsec ESP security feature to prevent replay attacks; it does not manage TCP packet reordering for end-host applications.

C. While disabling the check can yield a negligible performance gain, the primary and critical reason in this design is to enable session failover, not to improve performance.

D. The IPsec anti-replay setting is a Layer 3/4 function and is entirely separate from Layer 7 content inspection performed by security profiles.

1. Fortinet. (2022). SD-WAN for FortiOS 7.2 Study Guide. Page 100, "Dual hub (hub and spoke)" section. The guide states, "On both hubs, you must disable anti-replay in the phase 2 configuration for the ADVPN tunnel. This is required because traffic can switch between hubs, and the sequence number check will fail."

2. Fortinet. (2022). FortiOS 7.2.0 Administration Guide. In the "IPsec VPN" chapter, the description of phase 2 settings clarifies that anti-replay is an IPsec function to protect against the retransmission of packets. Its disablement is a known requirement for certain asymmetric routing scenarios, such as dual-hub SD-WAN.

3. Fortinet. (2022). FortiOS 7.2.0 CLI Reference. Volume 2, page 1738. The command set replay {enable | disable} under config vpn ipsec phase2-interface is documented as enabling or disabling IPsec SA replay detection, confirming it relates to the IPsec tunnel, not directly to TCP.