My personal suggestion would be to try a less complex authentication method to start with (pre-shared key instead of the certificate) and see if this increases reliability. If it does, it could be something to do with the certificates you are using.
You can also consider increasing the logging level for the ISAKMP service as this may help you to understand better why the Firewall believes there is no matching security association at that time - the suggestion being that the Shrewsoft client is sending different information to what the Firewall is expecting and, as a result, it cannot match the request to any configured SA. By increasing the logging on ISAKMP it could tell you a bit more about what is going on. Once you've established a possible cause you can then return the logging level back to normal.
While I don't believe it is officially supported by McAfee, I think you will find there are a couple of KB articles concerning the configuration and use of the Shrewsoft client and I'm pretty sure I've seen it being discussed in this forum previously. Type "Shrewsoft" into the search field in the top right-hand corner of the forum and it should return all the previous discussions on this subject.