Ok, it is clear now!!
Well, I did some tests while waiting for your reply. Unfortunately my ASA is down at the moment, so I did them with a Cisco ISR… it isn't the same, but for the purpose it could also do. Host Win7, LAN behind ZS, authenticated on the Captive Portal… then I launched the Cisco VPN client (VPN_CLIENT) to another site, where the Cisco ISR VPN server is listening (on this second site there is another ZS placed in a DMZ of the Cisco router/fw/ips, which also acts as RADIUS server for VPN auth). The VPN is IPsec/UDP (500/4500). This is the first log of the Cisco VPN server regarding the connection:

22:26:52 002312: Oct 4 22:26:52.288 Rome: ISAKMP: local port 500, remote port 56021

some logs later

22:26:53 002418: Oct 4 22:26:52.884 Rome: ISAKMP: Trying to insert a peer, and inserted successfully 86914934.

All the rest goes well, and the connection is established correctly, so, in my case, I would say that ZS doesn't change the UDP 500. You can take a look: on ZS, Firewall, Conntrack, fill the filter field with “10000”, then try to connect via the VPN client and click on the refresh button… This is my output; I put 500 in the “filter” field:

udp      17 159 src= dst= sport=50692 dport=500 src= dst= sport=500 dport=50692 [ASSURED] mark=0 use=1
udp 17 170 src= dst= sport=50693 dport=4500 src= dst= sport=4500 dport=50693 [ASSURED] mark=0 use=1

Try, and let me know…
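
An added example, not part of the original post: a Python check for conntrack entries like the ones shown above. It compares the original and reply tuple of each flow; when the firewall translated nothing, the reply tuple mirrors the original one. The third sample entry and its addresses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample input: the two entries from the post (addresses were
# blank there) plus one constructed entry whose source was rewritten by NAT.
SAMPLE = """\
udp 17 159 src= dst= sport=50692 dport=500 src= dst= sport=500 dport=50692 [ASSURED] mark=0 use=1
udp 17 170 src= dst= sport=50693 dport=4500 src= dst= sport=4500 dport=50693 [ASSURED] mark=0 use=1
udp 17 120 src=192.0.2.10 dst=198.51.100.1 sport=500 dport=500 src=198.51.100.1 dst=203.0.113.5 sport=500 dport=1024 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S*)")

def parse_entry(line):
    """Return (original, reply) tuples as dicts, or None if not a flow line."""
    fields = FIELD.findall(line)
    if len(fields) < 8:
        return None
    return dict(fields[:4]), dict(fields[4:8])

def translation(line):
    """List the parts of the flow that were rewritten (empty list = none)."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    orig, reply = parsed
    changed = []
    # Without NAT the reply tuple is the mirror image of the original tuple.
    for name, o_key, r_key in (("source address", "src", "dst"),
                               ("destination address", "dst", "src"),
                               ("source port", "sport", "dport"),
                               ("destination port", "dport", "sport")):
        # Skip values that were blanked out before the entry was posted.
        if orig[o_key] and reply[r_key] and orig[o_key] != reply[r_key]:
            changed.append(name)
    return changed

def report(text, port):
    """Map each flow whose original tuple uses `port` to its rewritten fields."""
    out = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed and str(port) in (parsed[0]["sport"], parsed[0]["dport"]):
            out[line] = translation(line)
    return out

if __name__ == "__main__":
    for flow, changed in report(SAMPLE, 500).items():
        print(changed or "no translation", "<-", flow)
```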