
Re: SRX 1400 inactive-tunnels

They are aggressive mode VPNs with dynamic public IP at the other end. IKE configuration looks like this:

username@fwname_node0> show configuration security ike gateway 153001-TunnelNameCensored
ike-policy 153001-TunnelNameCensored;
dynamic hostname something.something.local;
external-interface reth0.0;

{primary:node0}


username@fwname_node0> show configuration security ike policy 153001-TunnelNameCensored
mode aggressive;
proposals pre-g2-aes128-sha;
pre-shared-key ascii-text "$something"; ## SECRET-DATA

The message itself is pretty self-explanatory, but the reason for it is not. The tunnel is up and the configuration is very simple. Maybe the lack of DPD and monitoring? Although we do have a lot of tunnels with both disabled that are not showing up on the same list.

To clarify, it's not about one tunnel but some 20 out of 120 tunnels on the same firewall. The other end of this example tunnel feels just fine and shows zero inactive tunnels and one active. It also doesn't seem to be every aggressive mode tunnel, just some.

