Check your default GRE timeout in the NetVanta. I believe it is 60 seconds.
ip policy-timeout gre 60
You can see the default setting through a "sh run verbose" in the CLI. You likely need to increase that. Does the VPN client have a keep alive timer? The goal would be to set it just slightly longer than any keep alive timer on the VPN connection (for example, if the connection sends a keep alive packet every 5 minutes, consider setting the timeout value for GRE to 6 minutes, or change the VPN keep alive to under 60 seconds).
You should be able to see the outbound connection in the policy table of the NetVanta using the CLI. You can't keep the table loaded in "real time" exactly, but you get the real time output of open connections when you run the command.
# sh ip policy-sessions
Look for the destination IP and the internal source address in the table and check the ports that are in use.
Yep! That was it!
Thank you so much for your insight and help. My VPN users are much happier.