Any updates on what caused/how to fix?
I think I've got the same problem.
Updated our controller from 6.3.1.7 to 6.3.1.9 earlier in the week then all the RAPs started failing to connect.
I've reset my RAP and tried to connect again and get the same logs that you got.
Tried rolling back to 6.3.1.7 and the saved config from Monday.
Hasn't resolved, so rebooted back to 6.3.1.9
OK, solved my problem.
Someone had done a repair from Airwave, and it looks like it removed the static default route from the controller.
If yours is the same... I did show datapath session | include 4500
I could see all the external RAP IPs, but was getting status of FY (Fast age, no syn)
Did a show crypto ipsec sa
And only showed the master and local connections.
Checked the show ip route and found the master had the static route from the local rather than its own one.
Then made sure I had smaller routes for 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 for the internal gateway
And then changed the static to match the correct gateway for the IP the RAPs connect to.
Big thanks to James @ Aruba in Wellington NZ for pointing me in the right direction
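
The routing fix described in the post above can be modelled as a longest-prefix-match check. This is an added example, not part of the original post and not Aruba code; every address and gateway in it is constructed, and the names next_hop and misrouted_peers are hypothetical.

```python
import ipaddress

# Constructed values (documentation ranges); none of these come from the post.
INTERNAL_GW = "10.1.1.1"       # assumed internal gateway
EXTERNAL_GW = "198.51.100.1"   # assumed gateway on the subnet the RAPs connect to
LOCAL_CTRL_GW = "10.2.2.1"     # assumed gateway that belongs to the local controller
RAP_PEERS = ["203.0.113.10", "203.0.113.77"]  # constructed external RAP IPs

RFC1918 = [("10.0.0.0/8", INTERNAL_GW),
           ("172.16.0.0/12", INTERNAL_GW),
           ("192.168.0.0/16", INTERNAL_GW)]

# Three states of the master's routing table, as the post describes them.
NO_DEFAULT = list(RFC1918)                               # default route removed
WRONG_DEFAULT = RFC1918 + [("0.0.0.0/0", LOCAL_CTRL_GW)]  # static copied from the local
FIXED = RFC1918 + [("0.0.0.0/0", EXTERNAL_GW)]            # static matches RAP-facing gateway


def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific matching route, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def misrouted_peers(routes, peers, expected_gw):
    """Peers whose return traffic would not leave via expected_gw."""
    return [p for p in peers if next_hop(routes, p) != expected_gw]


if __name__ == "__main__":
    for name, table in [("no default", NO_DEFAULT),
                        ("wrong default", WRONG_DEFAULT),
                        ("fixed", FIXED)]:
        bad = misrouted_peers(table, RAP_PEERS, EXTERNAL_GW)
        print(f"{name:14} misrouted RAP peers: {bad or 'none'}")
```
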