As Connor suggested - use packet capture to understand what's going on, first. My experience is that, in many CG-NAT cases, you can work around it by reconfiguring your VPN Hubs to use Manual NAT traversal.
Under Security & SD-WAN > Configure > Site-to-site VPN, change NAT traversal from Automatic to "Manual: port forwarding".
Specify a particular public IP and associated UDP port number for the VPN service to reside on. The upstream firewall, behind which the Hub NATs, will need to be configured to match (to forward this traffic to the MX by its real IP, port unchanged). I’d recommend choosing a port between 1025 and 32768, but avoiding 4500.