A switch port trace of either ZD or AP port will provide all the necessary information.
If trying to bring up new APs, confirm you have routing between the AP and ZD,
and you may need a DHCP option 43 or DNS 'zonedirector' hostname defined
with your ZD's IP address. If there is network connectivity but AP isn't seen trying
to connect, you can also SSH to your AP and give the CLI command 'set director
ip a.b.c.d' where a.b.c.d is your ZD's IP address, followed by 'reboot'. After the
reboot, the AP will send LWAPP discover to your ZD's a.b.c.d IP address.
If all else fails, open a ticket with Tech Support for further troubleshooting/assistance.
Aren't the LWAPP packets within the tunnel? I know in the Cisco WLC-5508 you have to troubleshoot CAPWAP and LWAPP by enabling the LWAPP log messages within the controller. Is there a way to access the LWAPP messages within the ZD's log messages to troubleshoot the connection between the ZD and AP in more detail?