No fix is required; the system is functioning as designed.
By design, authentication for users located in a nested group is not supported for Mobile Access and VPN.
As a workaround, configure a dedicated LDAP group
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.