Are you running IAP 4.0+ and AOS 6.4?
If so, please see this note.
From the Controller 6.4+ release and IAP 4.0+ release, IAPs can form a VPN tunnel to a controller only if they are managed by Aruba Central or AirWave, not if they are locally managed.
If one wants IAP pre-4.0 VPN deployments or locally managed IAPs to form a VPN tunnel to an AOS-6.4+ controller, a configuration is explicitly needed to bypass this check. To allow a single branch or all branches, use the following commands:
iap trusted-branch-db add mac-address
iap trusted-branch-db allow-all