In the controller's CLI, can you show the output of
show datapath session table | include 4500
Is anything coming in from that remote location? If not, the RAP isn't getting to the controller.
Things to check:
1. Is UDP 4500 allowed in through a firewall (if any)?
2. Is the RAP whitelisted and in the right AP group?
3. Is the L2TP pool created in VPN settings?
4. Is this L2TP pool assigned to the default-vpn-role in Access Control?