What access method are you using? If you are using L3 VPN then its oblivious to the application so my guess is when the insert/update operation is performed the network traffic is not going through the tunnel and the application fails.
As a starting point you can create a test role with split tunnelling disabled and open ACL *:* If it works with this config then it point to a config issue.
The other option is to start packet capture on the client (on all active network interfaces) just when someone attempts an insert/update. And look at the captures to see what traffic went out of which interface.
I would suggest a test slightly different from Ruc [b]only[/b] because I am aware of an issue on some clients in which split tunneling causes the problem: can you test with split tunneling disabled (if it is not already)?