FortiGate
Atul_S
Staff & Editor
Article Id 211663
Description This article describes how to resolve a situation where traffic across an IPsec tunnel, or traffic subject to policy routing, does not pass because DSCP bits are set in the packets.
Scope FortiGate.
Solution

There is a common scenario where the IPsec tunnel is stable and routing/policy is also correctly configured, but traffic is still unable to reach the destination.


The encrypted packet counters are incrementing and, according to the sniffer, the packet is leaving the egress interface correctly, but the other side never receives it. The same symptom is reported from the other end as well.


For TCP connections in particular, Wireshark shows many TCP SYN retransmissions, because the handshake is never completed.


Custom DSCP/TOS marking set by the source machine in the data packet can cause the packet to be dropped in transit.

To overcome this, apply the commands below to both the ingress and egress firewall policies on each end of the tunnel.


config firewall policy
    edit <id>
        set vlan-cos-fwd 0
        set diffserv-forward enable
        set diffservcode-forward 000000
        set diffservcode-rev 000000
    next
end


In the case of policy routing, the same problem can occur if the ISP assigns a different queue to each TOS value; depending on the ISP's configuration, the traffic is then allowed, denied, or placed in a low-priority queue.

In this case, it is worth checking with the ISP what the TOS configuration is on their end.


When using an IPsec tunnel, the FortiGate automatically copies the DSCP value of the inner packet to the outer encrypted ESP packet. Either set the DSCP value on the firewall policy as shown above, or modify Phase 2 to force the DSCP bits to 0 with these commands:

config vpn ipsec phase1-interface
    edit <tunnel>
        ...
        set npu-offload disable
        ...
    next
end


config vpn ipsec phase2-interface
    edit <tunnel>
        ...
        set diffserv enable
        set diffservcode 000000
        ...
    next
end
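To verify the symptom described above from a sniffer capture, the following added example (not FortiOS code or part of the original article) decodes the TOS byte of the inner IPv4 header and shows what the outer ESP packet would carry by default versus with diffservcode 000000. It assumes a constructed offset/hex/ASCII dump that starts at the IPv4 header and that the override rewrites only the six DSCP bits.

```python
import re
from typing import Optional

# Common DSCP code points seen in captures (RFC 2474 / RFC 2597 / RFC 3246).
DSCP_NAMES = {0: "CS0 (best effort)", 8: "CS1", 10: "AF11", 18: "AF21", 26: "AF31",
              34: "AF41", 46: "EF", 48: "CS6", 56: "CS7"}
HEX_WORD = re.compile(r"^[0-9a-fA-F]{2,4}$")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset<TAB>hex words<TAB>ascii' lines; the ASCII column is dropped."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        for word in fields[1].split():
            if not HEX_WORD.match(word):
                break
            out += bytes.fromhex(word)
    return bytes(out)

def decode_tos(tos: int) -> dict:
    """Split the IPv4 TOS byte into its 6-bit DSCP and 2-bit ECN fields."""
    dscp, ecn = tos >> 2, tos & 0x03
    return {"dscp": dscp, "dscp_bits": f"{dscp:06b}", "ecn": ecn,
            "name": DSCP_NAMES.get(dscp, f"DSCP {dscp}")}

def inner_tos(ip_hdr: bytes) -> int:
    """TOS is the second byte of the IPv4 header; refuse anything that is not IPv4."""
    if len(ip_hdr) < 20 or ip_hdr[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ip_hdr[1]

def outer_esp_tos(ip_hdr: bytes, diffservcode: Optional[str] = None) -> int:
    """TOS on the outer ESP packet: copied from the inner packet by default, or forced to the
    6-bit 'set diffservcode' value. Assumption: only the DSCP bits are rewritten, ECN is kept."""
    tos = inner_tos(ip_hdr)
    if diffservcode is None:
        return tos
    return (int(diffservcode, 2) << 2) | (tos & 0x03)

# Constructed dump of one inner IPv4/TCP header whose sender marked it EF (TOS 0xb8).
SAMPLE_DUMP = (
    "0x0000\t 45b8 003c 1c46 4000 4006 b1e6 c0a8 0164\tE..<.F@.@......d\n"
    "0x0010\t c0a8 0201\t....\n"
)

if __name__ == "__main__":
    hdr = hexdump_to_bytes(SAMPLE_DUMP)
    print("inner packet      :", decode_tos(inner_tos(hdr)))
    print("outer ESP, default:", decode_tos(outer_esp_tos(hdr))["name"])
    print("outer ESP, 000000 :", decode_tos(outer_esp_tos(hdr, "000000"))["name"])
```

A non-zero DSCP in the inner header that is copied to the ESP packet is exactly what an ISP queue or policy may drop or deprioritise, which is why forcing 000000 resolves the symptom.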


See more details in this article: Configure DSCP for IPsec tunnels | FortiGate / FortiOS 7.6.1 | Fortinet Document Library.