Hi,
1. Because their home cluster is configured to be in the second cluster (EU), you must ensure that you open all the relevant firewall policies that the source address will be the network that they reside on when they are in India / EU. I would also just check in the Firewall itself, when a user is trying to login, which ports are getting blocked and also open them.
2. Makes sense, defiantly RTP ports that are blocked in your Firewall. You must open RTP ports in bi-directional traffic, from the VPN voice users to the CUCMs / GWs (better to both of them, just in case, but totally depends on your configurations). And of course, from those CUCMs & GWs back to the VPN voice users. Also, check that you have routes that route the traffic from the VPN users to the CUCMs and GWs.