Are you sure that all of the Exchange traffic is getting internal IP address resolutions from DNS and using the tunnel?
I have seen this type of behavior occur with split DNS, where some of the traffic is using the public and some the private connections.
Also confirm the logging on both firewalls at the client site to determine which policy the traffic is using and what the log says the traffic is classified as.
If you could get a packet capture on the client when the connection is disconnected, we could also see the communication and the reason for the disconnect.
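
One way to run the DNS check suggested in the reply above, as an added example that is not part of the original post: it sorts each name's resolved addresses by whether they fall inside the tunnel's subnets, so a name that answers with both internal and public addresses shows up as `mixed`. The hostnames, addresses and the `10.20.0.0/16` tunnel subnet are constructed assumptions; replace them with the site's own values.

```python
import ipaddress
import socket

# Assumption: subnets routed through the site-to-site tunnel (constructed value).
TUNNEL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample answers, as if collected from one client over several lookups.
SAMPLE_ANSWERS = {
    "mail.example.com": ["10.20.1.15"],
    "autodiscover.example.com": ["10.20.1.15", "203.0.113.10"],
    "owa.example.com": ["203.0.113.10"],
    "legacy.example.com": [],
}

def in_tunnel(addr, tunnel_nets=TUNNEL_NETS):
    """True if the address belongs to a subnet reachable through the tunnel."""
    ip = ipaddress.ip_address(addr)
    # An IPv6 address tested against an IPv4 network is simply not a member.
    return any(ip in net for net in tunnel_nets)

def verdict(addrs, tunnel_nets=TUNNEL_NETS):
    """Classify one name: 'tunnel', 'mixed', 'outside' or 'unresolved'."""
    if not addrs:
        return "unresolved"
    inside = [in_tunnel(a, tunnel_nets) for a in addrs]
    if all(inside):
        return "tunnel"
    # 'mixed' is the split-DNS symptom: same name, both paths.
    return "mixed" if any(inside) else "outside"

def audit(answers, tunnel_nets=TUNNEL_NETS):
    """answers: {hostname: [addresses]} -> {hostname: verdict}."""
    return {name: verdict(addrs, tunnel_nets) for name, addrs in answers.items()}

def resolve(hostname):
    """Live lookup using the resolver this client is configured with."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    for name, result in audit(SAMPLE_ANSWERS).items():
        print(f"{name:28} {result}")
```

To check a live client, build the input with `{name: resolve(name) for name in names}` on the affected machine and compare the result with the same run on a machine that stays connected.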