PANOS = PalaAlto Network OS the software that runs the PA.
A invalid SPIs are most likely in the phase2 so the IKE debug is not going to help;
these are see when a new SPI switchover or one side expires a SA by byte-sent or seconds before the other from my experience
Here' s what I would do;
monitor the ipsec sa ( FGT )
diag vpn tunnel list name <
the tunnel name > | grep spi
On the PA500 monitor the counters for the tunnels and drops
show vpn flow tunnel-id <ID>| match spi
( to get the current SPIs it should match the fgt in/out from the above commands )
show counter global filter severity drop
show counter global filter severity drop aspect tunnel category flow ( look for the bad or wrong SPI counter )
Also you should monitor the keylife for the SAs ( in & out ) should be almost identical. I think on the PA you can set the timeout to seconds only and not the number of bytes, but I will have to check my PA200 for that.