I have had issues in the past with VPN products not going through an Aruba necessarily, but going through a NAT. I don't mean to point out the obvious, but 'traditional IPsec' does not use TCP or UDP, hence it can have issues with NAT. I know some devices do sometimes use the SPI index to overcome this lack of ephemeral source ports on IPsec packets.
I guess you have checked the log on the controllers for packet drops, right?
Most decent clients nowadays use NAT-T (UDP 4500).
Check the data path session table too?
Anyone know if there is a NAT timeout value?
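To make the port problem concrete, here is an added example (not part of the original post) that classifies IPsec-related IPv4 packets and reports what a NAT device has available to key a flow on: ports for UDP traffic, only the SPI for native ESP. The UDP 4500 demultiplexing follows RFC 3948; the addresses, SPI value and helper names are constructed for illustration.

```python
import socket
import struct

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample; checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data):
    """Build a UDP datagram (constructed sample; checksum left as 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Return (kind, ports, spi): what a NAT device can key this flow on."""
    ihl = (pkt[0] & 0x0F) * 4             # IPv4 header length in bytes
    proto, body = pkt[9], pkt[ihl:]
    if proto == 50:                       # native ESP: no port fields at all
        return ("esp", None, struct.unpack("!I", body[:4])[0])
    if proto == 17:                       # UDP
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if 4500 in (sport, dport):
            if data == b"\xff":           # one-byte NAT keepalive
                return ("nat-keepalive", (sport, dport), None)
            if data[:4] == b"\x00" * 4:   # non-ESP marker: IKE on port 4500
                return ("ike-natt", (sport, dport), None)
            return ("esp-in-udp", (sport, dport),
                    struct.unpack("!I", data[:4])[0])
        if 500 in (sport, dport):
            return ("ike", (sport, dport), None)
    return ("other", None, None)

# Constructed samples: ESP header is SPI + sequence number, then opaque bytes.
ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
SAMPLES = {
    "native": ipv4(50, "10.0.0.5", "203.0.113.10", ESP),
    "natt": ipv4(17, "10.0.0.5", "203.0.113.10", udp(4500, 4500, ESP)),
    "ike": ipv4(17, "10.0.0.5", "203.0.113.10",
                udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "keepalive": ipv4(17, "10.0.0.5", "203.0.113.10", udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```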