We need more information on your setup. You say you are trying to convert to a RAP "over VPN". Do you mean that the location where the RAP is has an existing VPN connection to the corporate location, or do you simply mean "RAP over VPN"?
Some things to check:
- Does your firewall see any incoming requests from the IAP's external IP?
- If so, confirm you have UDP 4500 open and not TCP 4500.
- On the IAP, have you looked at "show log convert" to see if you have any details in there?
- If the answer to my first question is that the RAP is at a site with an existing VPN connection back to the controller site, try to see if you can convert using the internal IP of the controller. Some firewalls do not like the traversal from internal to external IPs and then back in.