Sounds like you have the right config already. As phoneboy said, maybe do some packet captures to see what gives. Some examples below (lets just assume client IP is 1.2.3.4 and gw ip is 4.3.2.1)

On gateway (expert mode)

fw ctl zdebug + drop | grep 1.2.3.4

fw monitor -e "accept host(1.2.3.4) and host(4.3.2.1);"

fw monitor -e "accept port(18234);"    (18234 is tunnel test port)

fw monitor -F "1.2.3.4,0,4,3,2,1,0,0" -F "4.3.2.1,0,1.2.3.4,0,0"

Idea in last command is this "srcIP,srcPort,dstIP,dstport,protocol" and then 2nd one is just other way around

Let us know what you get.

Hope those help.

Im fairly experienced in Foirtinet (though nothing like few of my colleagues lol), but you can also do packet capture there as well. I know in any 7.x.x version, its available via GUI, or just via cli:

diag sniffer packet any host x.x.x.x 4 50

This is in latest 7.4.0 version

Andy