Two key points for site-site VPN with one static and one dynamically addresses controller configuration:-
1. To support site-site VPN with dynamically addressed devices, we must enable IKE Aggressive-Mode with Authentication based on a Pre-Shared-Key.
2. The Aruba controller with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be configured as the responder of IKE Aggressive-mode.
So in this case, since 3400 controller has the static public ip, this should be configured as responder and the other end A620 should be configured as initiator.
Hope this helps.
Thanks