RDP over IPSec fails

I have a weird problem and I can't seem to figure out what's going on.

I have two customers. For one of them, I have configured an IPSec tunnel between an ISA Server and a Cisco 877. For the other one, I have configured an IPSec tunnel between two Cisco 877 routers.

At customer one, I can start an RDP session from the Cisco site to the ISA site, but fails from the ISA site to the Cisco site.

At customer two, RDP fails in both directions.

I have done a capture of the traffic between the sites. What I noticed is that when I try to establish the RDP connection, the client computer sends a SYN, ACK, the server receives this packet and responds with an ACK, but the ACK never reaches the other side of the tunnel.

I have searched the internet for clues, but most articles and forum posts I have found suggest MTU/packet size/fragmentation problems. The reason I don't think my problem has anything to do with those, is that the size of the beforementioned ACK packet is only about 64 bytes.

I have tried to figure out what the Cisco router does with the packet, but I don't really know which debug commands to use. (I tried debug ip packet <# of acl> and debug crypto ipsec, but they don't provide useful information.) Can anyone recommend debug commands that may provide clues as to what might go wrong?

If anyone has any ideas or suggestions, I'd be very happy to hear them.