IPSec Tunnel Drops on Nautilus
*For the Fortigate
The Nautilus is offshore of American Samoa and is tunneling back to the HUB at URI using the same basic configurations as R/V Endeavor. We have been seeing periodic drops on the IPSec tunnel that don't align with what's happening on Endeavor, which could be related to the much longer path that Nautilus is taking.
We have been using Marlink beam 804 which downlinks in Napa Valley, CA. So although it's a very long path, the terrestrial network segment is no worse than California → RI which is not insurmountable, although this is a good stress test of using a non-optimal hub site.
Hardware on Nautilus
- Ship: Fortigate 81F active/passive HA, v7.4.4
- Hub: Fortigate 61F active/passive HA, v7.4.3
Potential Causes
- Anti-Replay false positives: Disabled replay detection in May due to false positives.
- Dead Peer Detection: We first expected DPD to be the problem, given the VSAT drops and the latency of the long path, but the logs show DPD failures only as rare occurrences that do not align with the observed IPSec outages. The tunnel is configured with a DPD interval of 2 s and a DPD timeout of 2 s.
- HMAC validation issues: These do align with the observed IPSec tunnel outages on the Marlink VSAT link and are currently the primary suspected cause.
Troubleshooting Steps
The next troubleshooting step involves disabling hardware IPSec acceleration and relying solely on software IPSec decoding. This approach will help determine whether the issue is related to hardware acceleration, as software decoding may offer different performance under the same conditions. Given that the VSAT system includes error correction, it's unlikely that packet corruption is occurring during transit, so focusing on hardware-related factors can provide more insight into the root cause of the IPSec dropouts.
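As an added example (not configuration copied from the Nautilus or hub units), this is how the three knobs discussed above look in the FortiOS CLI on v7.4: replay detection off, the 2 s DPD interval, and the next step of forcing software ESP processing. The tunnel name "nautilus-hub" is a placeholder, and the DPD mode and retry count are assumptions, since the page only states the interval and timeout.

```fortios
# Added example, not the page's own configuration. Apply the same
# change on both the ship (81F) and hub (61F) ends of the tunnel.

# 1. Replay detection disabled on the tunnel's phase 2 (done in May).
config vpn ipsec phase2-interface
    edit "nautilus-hub"
        set replay disable
    next
end

# 2. DPD probing every 2 s (the page's "dpd interval"). The DPD mode
#    and retry count below are assumptions; the page does not give them.
config vpn ipsec phase1-interface
    edit "nautilus-hub"
        set dpd on-idle
        set dpd-retryinterval 2
        # 3. Next step: keep ESP for this tunnel off the NPU so that
        #    HMAC validation runs in software only.
        set npu-offload disable
    next
end

# Alternative to step 3: disable IPsec ASIC offload for every tunnel
# on the unit instead of per phase 1.
config system global
    set ipsec-asic-offload disable
end

# Verify after re-keying: the SA listing should no longer show NPU
# flags for this tunnel.
diagnose vpn tunnel list name "nautilus-hub"
```

If the HMAC errors stop once both ends are in software, the hardware offload path is implicated; if they continue at the same rate, the cause is upstream of the FortiGate crypto engine.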