VPN down issue between Fortigate & Juniper
Hi Team,
There are around 300 tunnels configured between FortiGate and Juniper, and they were working fine in version 7.4.4, but when we upgraded to 7.4.6, some of the tunnels went down.
We have checked everything at the FortiGate but found nothing useful.
And surprisingly, the same tunnels came up after reconfiguring the tunnels on the Juniper side.
Kindly suggest here if you have faced this kind of issue anywhere.
Labels: FortiGate
How could I check the compatibility? Kindly let me know.
The configuration is the same on both peers.
I am getting 'no proposal found' in the debug, but in the pcap I can see the phase 1 parameters.
This issue could stem from several potential causes related to the upgrade from FortiOS 7.4.4 to 7.4.6, particularly with how the FortiGate device and Juniper device interact after the upgrade. Here's a list of troubleshooting steps and suggestions to help you resolve the issue:
1. Review Release Notes and Known Issues
- FortiGate Version: Always check the release notes for FortiOS 7.4.6 to see if there are any known issues or changes to IPsec behavior that could affect the VPN tunnels, especially regarding compatibility with certain devices like Juniper.
- Juniper Compatibility: Check if there are any specific changes or requirements on the Juniper side in relation to FortiOS 7.4.6.
2. Check the VPN Logs
- FortiGate Logs: Look for any error messages or alerts related to IPsec tunnels (VPN logs) after the upgrade. Focus on errors related to negotiation issues, phase 1 and phase 2 mismatches, or anything indicating communication failures with Juniper devices.
- Juniper Logs: Similarly, check the logs on the Juniper side to see if there are any related messages indicating why the tunnels went down.
3. Revisit Tunnel Configuration
- Reconfiguration Impact: The fact that the tunnels came back up after reconfiguring the Juniper side suggests that there may be a configuration mismatch or some dynamic issue in the tunnel establishment. There might be a change in negotiation parameters that FortiOS 7.4.6 is handling differently.
- Check Phase 1/Phase 2 Settings: Ensure that the settings for Phase 1 (IKE) and Phase 2 (IPsec) are correctly configured on both sides, particularly:
- Encryption and hashing algorithms
- Diffie-Hellman groups
- Lifetime settings
- Key Exchange Methods: Verify if there are any key exchange protocol changes or issues. For instance, if the FortiGate was upgraded, some underlying protocols or defaults might have changed, and reconfiguring the Juniper side might have fixed mismatches in key exchange settings.
4. Check the Tunnel Monitoring Configuration
- Dead Peer Detection (DPD): Ensure that DPD settings are correct. Sometimes, tunnel monitoring parameters can behave differently after upgrades, especially if there is a discrepancy between how FortiGate and Juniper handle DPD or keep-alive messages.
- Timeout Settings: If the timeout or rekeying intervals have been changed post-upgrade, it may cause the tunnel to go down unexpectedly. Ensure both devices have the same timeout/rekey settings.
5. Check for Session or Resource Exhaustion
- Resource Limits: With 300 tunnels, it's possible that the device is hitting some resource limits after the upgrade. Look for any signs of CPU, memory, or session resource exhaustion on the FortiGate device that could affect the stability of the tunnels.
- VPN Sessions: Check the number of active VPN sessions and see if there’s a limit being reached after the upgrade. Sometimes, with new firmware, new sessions may need to be handled differently.
6. Rekeying/Resynchronization
- Manual Rekeying: If the tunnel remains down after the upgrade, try manually triggering a rekey or session reset to see if it brings the tunnel back up. Some VPN issues can be resolved by forcing the FortiGate to reset its VPN connections.
- Session Resynchronization: Consider performing a full re-synchronization of the VPN configuration on both the FortiGate and Juniper sides to ensure that both ends are correctly aligned.
7. Check for Firmware-Specific Bugs
- After an upgrade, firmware bugs can sometimes introduce instability in specific configurations. If the issue persists, it might be worth raising a case with Fortinet support to see if there’s a known bug related to tunnel stability in FortiOS 7.4.6 and get their input or patch suggestions.
8. Test with a Controlled Set of Tunnels
- To isolate the issue, try disabling a few of the problematic tunnels and test with a smaller group of tunnels (maybe 10-20 tunnels) to see if the problem persists. This could help you identify if there's a particular pattern or configuration causing the issue.
Conclusion:
This issue could be related to changes in how FortiOS 7.4.6 handles VPN tunnel negotiation, rekeying, or resources, possibly causing some tunnels to fail during establishment or renegotiation. Reconfiguring the Juniper side likely resolved a specific parameter mismatch between the two devices. Carefully reviewing the configuration, logs, and settings on both devices will help pinpoint the underlying issue. If all else fails, contacting Fortinet and/or Juniper support with specific log details could expedite a resolution.
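One way to do the Phase 1 comparison from step 3 above, and to make sense of the "no proposal found" debug message quoted earlier in the thread: IKE only succeeds if at least one full (encryption, authentication, DH group) triple is offered by both peers, so the check has to be tuple-wise, not per attribute. This is an added example, not code from the thread or from either vendor; the CLI syntax it imitates and the algorithm-name mapping in CANON are assumptions.

```python
# Assumed mapping of each vendor's algorithm spelling onto a neutral token.
CANON = {
    "aes128": "aes-128", "aes-128-cbc": "aes-128",
    "aes256": "aes-256", "aes-256-cbc": "aes-256",
    "sha1": "sha1", "sha-1": "sha1",
    "sha256": "sha256", "sha-256": "sha256",
    "sha512": "sha512", "sha-512": "sha512",
}

def fortigate_proposals(proposal, dhgrp):
    """FortiOS style: proposal 'aes256-sha256 aes128-sha1', dhgrp '14 5'.
    Every proposal is offered with every DH group, hence the cross product."""
    out = set()
    for item in proposal.split():
        enc, auth = item.split("-", 1)
        for grp in dhgrp.split():
            out.add((CANON[enc], CANON[auth], int(grp)))
    return out

def juniper_proposals(proposals):
    """Junos style: one (encryption, authentication, dh-group) triple per proposal."""
    return {(CANON[p["encryption"]], CANON[p["authentication"]],
             int(p["dh_group"][len("group"):])) for p in proposals}

def common_proposals(fgt, jnpr):
    """Triples both peers accept; empty means IKE will report no proposal chosen."""
    return fgt & jnpr

def mismatch_report(fgt, jnpr):
    """When nothing overlaps, name the attribute(s) on which the peers never agree."""
    if common_proposals(fgt, jnpr):
        return []
    report = []
    for idx, name in enumerate(("encryption", "authentication", "dh-group")):
        fgt_vals = {t[idx] for t in fgt}
        jnpr_vals = {t[idx] for t in jnpr}
        if not fgt_vals & jnpr_vals:
            report.append(f"{name}: FortiGate {sorted(fgt_vals)} vs Juniper {sorted(jnpr_vals)}")
    return report

# Constructed sample: both sides agree on AES-256/SHA-256 but differ on the DH group.
FGT = fortigate_proposals("aes256-sha256", "14")
JNPR_BEFORE = juniper_proposals([{"encryption": "aes-256-cbc",
                                  "authentication": "sha-256", "dh_group": "group5"}])
JNPR_AFTER = juniper_proposals([{"encryption": "aes-256-cbc",
                                 "authentication": "sha-256", "dh_group": "group14"}])

if __name__ == "__main__":
    print(mismatch_report(FGT, JNPR_BEFORE))  # ['dh-group: FortiGate [14] vs Juniper [5]']
    print(common_proposals(FGT, JNPR_AFTER))  # {('aes-256', 'sha256', 14)}
```

A report that comes back empty while the tunnel still fails points away from the proposal set and towards the other items in the list (IKE version, lifetimes, DPD, resources).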
We have a similar problem here: we couldn't get an IPsec tunnel working with a remote Juniper on an FGT with v7.4.7. The tunnel is coming up, phase 1 and 2 are shown online, we can send traffic through the tunnel (TX is also shown on the interface), but we get no data back (no RX traffic on the IPsec interface). On the Juniper side the traffic sent from the FortiGate appears and answers are also sent into the tunnel (RX and TX traffic are shown), but it is not arriving at the FGT site ...
On an FGT with 7.2.10 with the same configuration everything works fine.
