Thanks for the responses!
1) I have no idea where "checkpoint" came from in the topic. I don't use Checkpoint and never have. I typed "Site to Site VPN with vMX on AWS". I've tried changing it and it keeps popping back to "Site to Site tunnel with Checkpoint"...
2) Yes, all four sites are behind other devices that are NATing. At least two are at Regus facilities (hiss!).
3) Three sites are Z1 (FW 12.26 or 13.33) and one is a Z3 (FW 14.16 up to date).
4) WRT jdizzle's question, "Have you tried configuring a manual VPN IP/port for your vMX?" are you talking about the remote spoke devices or a change on the vMX in AWS? I'm not quite following your question but would like to.
5) Really oddly, all four sites are now connected through the Meraki Site-to-site VPNs despite me making no changes. The connections took almost 48 hours to come up and they all seemed to have come up at the exact same time (which kind of makes me think it was something on the AWS side and not at the individual remote locations???). EDIT: looked into the logs and one site came up at 10:50:40, and the other three all came up at 10:50:43 (on 4/29), so they literally connected at the same exact second.
Thanks again and in advance.