You also say this is a route-based VPN? That generally implies universal tunnels ("tunnel per gateway") but DPD is still optional. Is the peer's 10.x IP something you wrote for sanitization? Just want to be sure so it's not being mixed up with the numbered VTI IPs. Even with route-based VPN, the IKE peer IP should still be the IP of the interoperable device.
The debug shows "ikev2" here. Search the debug and see if your gateway was acting as Initiator or Responder. You can search for "Here's the IKE SA we dug up"; the stanza after that gives a concise output (assuming all went well enough up to this point) and shows "initiator=..." ("me" or "peer").
To try to normalize some things, and keeping with route-based VPN, I'd suggest switching [back] to:
* Tunnel management: tunnel-per-gateway
* Edit the gateways list in the VPN community and override VPN domain for both gateways to only be empty group objects
* Disable permanent tunnels
Bonus (if PAN can agree):
* Encryption: IKEv2 Only, VPN Suite B GCM 256 (Phase 1: AES-256/SHA-384, DH Group 20 [ecp384]; Phase 2: AES-GCM-256 (implies SHA-256), DH Group 20 [ecp384]). Otherwise, get it as close as you can.
You're welcome to share any other debug snippets if you'd like.
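The "get it as close as you can" step above comes down to whether the two peers' proposal lists intersect at all, and whether what they intersect on is the Suite B GCM 256 profile. The following is an added Python example, not code from the original post or from either vendor: it normalises the different vendor spellings (the alias table, peer names and sample proposals are my assumptions for illustration), picks the first proposal both sides accept, and reports whether it matches the profile suggested above, including the no-common-proposal failure case.

```python
"""Added example (not part of the original post): compare the two peers'
IKEv2 proposals and check the result against the Suite B GCM 256 profile
suggested above. Peer names, the alias table and the sample proposals are
assumptions for illustration, not output from either vendor."""
from dataclasses import dataclass
from typing import Optional

# Vendor spellings mapped to one canonical token (assumed aliases).
ALIASES = {
    "aes-256-cbc": "AES-256", "aes256": "AES-256", "aes-256": "AES-256",
    "aes-256-gcm": "AES-GCM-256", "aes256gcm": "AES-GCM-256",
    "aes-gcm-256": "AES-GCM-256",
    "sha384": "SHA-384", "sha-384": "SHA-384",
    "sha256": "SHA-256", "sha-256": "SHA-256",
    "group20": "DH20", "ecp384": "DH20", "ecp 384": "DH20", "dh20": "DH20",
    "group14": "DH14", "dh14": "DH14",
    "none": "NONE", "": "NONE",
}

def canon(value: str) -> str:
    """Normalise one algorithm/group name; unknown names pass through upper-cased."""
    return ALIASES.get(value.strip().lower(), value.strip().upper())

@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str   # "NONE" for AEAD ciphers such as AES-GCM
    dh_group: str

    @classmethod
    def of(cls, enc: str, integ: str, dh: str) -> "Proposal":
        p = cls(canon(enc), canon(integ), canon(dh))
        # AES-GCM is AEAD: the integrity field carries no meaning in the
        # proposal, so it must not cause a spurious mismatch between peers.
        if p.encryption.startswith("AES-GCM"):
            p = cls(p.encryption, "NONE", p.dh_group)
        return p

# The profile recommended in the post (Phase 1 = IKE SA, Phase 2 = Child SA).
SUITE_B_GCM_256 = {
    "phase1": Proposal.of("AES-256", "SHA-384", "DH20"),
    "phase2": Proposal.of("AES-GCM-256", "", "DH20"),
}

def negotiate(initiator: list, responder: list) -> Optional[Proposal]:
    """First proposal in the initiator's order that the responder also accepts.
    (Assumption: real responders may prefer their own order; RFC 7296 only
    requires that the chosen suite appear in the initiator's list.)"""
    acceptable = set(responder)
    for p in initiator:
        if p in acceptable:
            return p
    return None

def check(phase: str, initiator: list, responder: list) -> dict:
    """Report the negotiated suite for one phase and whether it is Suite B GCM 256."""
    chosen = negotiate(initiator, responder)
    if chosen is None:
        return {"phase": phase, "chosen": None, "suite_b": False,
                "note": "no common proposal (expect NO_PROPOSAL_CHOSEN in the debug)"}
    return {"phase": phase, "chosen": chosen,
            "suite_b": chosen == SUITE_B_GCM_256[phase], "note": ""}

# Constructed sample: Check Point side per the post, PAN side as it might be configured.
CP_PHASE1 = [Proposal.of("AES-256", "SHA-384", "Group20")]
CP_PHASE2 = [Proposal.of("AES-GCM-256", "", "Group20")]
PAN_PHASE1_OK = [Proposal.of("aes-256-cbc", "sha384", "group20")]
PAN_PHASE2_BAD = [Proposal.of("aes-256-gcm", "none", "group14")]   # wrong PFS group
PAN_PHASE2_OK = [Proposal.of("aes-256-gcm", "none", "group20")]

def run_sample() -> list:
    return [
        check("phase1", CP_PHASE1, PAN_PHASE1_OK),
        check("phase2", CP_PHASE2, PAN_PHASE2_BAD),
        check("phase2", CP_PHASE2, PAN_PHASE2_OK),
    ]

if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

The second sample row is the case worth keeping in mind when you are reading the debug: an AES-GCM/Group 20 Phase 2 on one side against Group 14 on the other negotiates nothing at all, rather than falling back to a weaker suite, so the symptom is a failed Child SA, not a degraded one.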