Verify on the controllers that the IPsec endpoint IPs on the controllers resolve via ARP to the correct MAC addresses. If they do not, look for proxy-ARP problems: for example, check that the firewall and routers on the distribution network agree with the netmasks assigned to the VLAN and are not seeing packets that they believe need proxy-ARP fixup, because hairpins through a firewall are likely to be administratively prohibited.
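Both checks above (ARP resolution of the IPsec endpoint IPs against the expected MACs, and netmask agreement between the controller and the firewall/routers on the VLAN) can be scripted; the following is an added example, not part of the original note, and assumes Linux `ip neigh show` style output plus constructed sample addresses, MACs and subnet views.

```python
"""Diagnostic checks for the two failure modes described above:
1. ARP entries for IPsec endpoint IPs that resolve to an unexpected MAC.
2. Netmask disagreement between the controller's VLAN and a neighbouring
   firewall/router: a device whose subnet does not contain the endpoint
   considers it off-link and may proxy-ARP or hairpin traffic for it.
"""
import ipaddress
import re

# Constructed sample of `ip neigh show` output (not from a real controller).
SAMPLE_NEIGH = """\
10.20.30.5 dev vlan30 lladdr 00:11:22:33:44:55 REACHABLE
10.20.30.6 dev vlan30 lladdr 00:11:22:33:44:66 STALE
10.20.30.7 dev vlan30 lladdr aa:bb:cc:dd:ee:ff REACHABLE
10.20.30.9 dev vlan30  FAILED
"""

# Assumes the basic "<ip> dev <if> [lladdr <mac>] <state>" line shape.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))?\s+(\S+)$")


def parse_neigh(text):
    """Return {ip: (mac or None, state)} from `ip neigh` style lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac.lower() if mac else None, state)
    return table


def check_arp(neigh_text, expected):
    """Compare resolved MACs for the IPsec endpoint IPs with expected MACs.
    Returns (ip, expected_mac, observed_mac) for each mismatch; an
    unresolved or missing entry is reported with observed_mac=None."""
    table = parse_neigh(neigh_text)
    problems = []
    for ip, want in expected.items():
        got, _state = table.get(ip, (None, "MISSING"))
        if got != want.lower():
            problems.append((ip, want.lower(), got))
    return problems


def netmask_disagreement(host_ip, views):
    """views: {device_name: "ip/prefix"} as each device configures the VLAN.
    Returns the devices whose configured subnet does not contain host_ip."""
    host = ipaddress.ip_address(host_ip)
    return sorted(name for name, cidr in views.items()
                  if host not in ipaddress.ip_interface(cidr).network)
```

Feed `check_arp` the real `ip neigh show` output and the MACs documented for each controller endpoint; any device returned by `netmask_disagreement` is the first place to look for a proxy-ARP or hairpin problem.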