You may want to tell the client to try this, assuming they are using Cisco VPN Clients for Windows:
Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls
When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the
NAT/Firewall device may be closed due to the VPN Clients keepalive
implementation, called DPD (Dead Peer Detection). When a Client is idle, it does
not send a keepalive until it sends data and gets no response.
To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the
following parameter and setting to the [Main] section of any *.pcf (profile
configuration file) for the affected connection profile.
ForceKeepAlives=1
This parameter enables IKE and ESP keepalives for the connection at
approximately 20 second intervals.
For more information, see Connection Profile Configuration Parameters in the
VPN Client Administrator Guide.