I'm not sure I follow the topology now. Are you saying there are two paths between spoke a and the data center hub site?
If so, asymmetrical routing could cause failures.
Since this does work in one direction this tends to validate the routing and point to a policy in the non-working direction blocking traffic.
On the SSG policy log view there is column for counts on the policy in both directions "bytes sent" and "bytes recieved". this is where I was suggesting to look. Trying to see a policy where only one direction is counting for the non-working direction. Meaning the traffic comes in one direction only.