Error validating proxy netscreen
What if you built this as a route-based VPN, would the SPI error still be present?

show vpn ike-sa (phase1 related goodies)
show vpn ipsec-sa (phase2 related goodies)

Once again very SRX like.
This might not be related, but if building a VPN to a non-Fortigate gateway it is best to use plain IP addresses/subnets.

# diagnose sniffer packet " udp and dst port 500" can display any communication issue between the initiator and responder. If you can keep it running until the next outage, that might report about some error that helps to troubleshoot the issue.

If it randomly gets dropped, that might be the result of unreliable connectivity/interface issues not necessarily on the Fortigate (especially if it thinks that the VPN is up).

You might be getting these messages because either the idle timeouts on both sides differ, or the PA device does not recognize the keep-alive packets correctly, and so times out.

It would be great if you can identify what is missing from my setting.

Sorry, I couldn't read any of those screenshots (too small). Could you share the vpn-cfg as-is on the FGT & any diagnostics?