Intrigued!! Can you configure "set netdevice enable" on the server end
FGT IPSEC tunnel Con1? This will cause the FortiGate to create a virtual
interface for all incoming IPSEC connections. Keep ECMP mode as
source-dst-ip-based and test.
If your config is as I have mentioned then this behavior is due to
default ECMP (source-ip based) and is expected.
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/25967/equal-cost-multi-path
https://community.fortinet.com/tpykb84852/att...