cwb2205
New Member
September 16, 2019
Question

Clients unable to browse internet at remote site.


Ran into a strange issue today where clients connecting to the wifi at a remote building were unable to browse the internet, but the wifi says there is internet. The clients can resolve names through nslookup and they can ping websites, but cannot browse (connection times out).

The setup is a bit strange, but here it is.

The remote site has a Cisco switch with a trunk port to the FortiGate, and that port is assigned to a software switch.

There is a site-to-site VPN configured with VXLAN encapsulation, and that VPN is in the software switch too.

In the main campus there is basically the same: a VPN and a port in a software switch, with the port trunked to the core network.

There seems to be good connectivity as the APs in the remote site can connect to the wifi controller in the campus and the building access system also talks back to the servers.

 

I just can't work out why, if the client can resolve DNS and ping and traceroute to a website, it cannot browse. I have checked all logs and there is nothing blocking the traffic. I have also tried statically assigning a DNS server on the client.

Any ideas would be appreciated.

    1 reply

    cwb2205 (Author)
    New Member
    September 17, 2019

    I've boiled it down to an MTU setting but am having some issues finding the solution. I have set the internet sub interface to mtu-1492 and I have set the software switch tcp-mss to 1390 to allow for overheads.

    Still no joy.
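
Since the thread points at MTU, one way to measure what the path actually carries is to probe it with Don't Fragment set and search for the largest packet that gets through. This is an added example, not code posted by anyone in the thread; it assumes a Linux client with iputils `ping`, IPv4, and ICMP echo permitted end to end, and the function names are hypothetical.

```python
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP header
IP_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header, no options


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "2", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(host, probe=ping_df, low=548, high=1472):
    """Binary-search the largest ICMP payload that crosses the path unfragmented.

    Returns the path MTU in bytes, or None if even the smallest probe fails
    (host down or ICMP filtered, so nothing can be concluded).
    """
    if not probe(host, low):
        return None
    if probe(host, high):
        return high + IP_ICMP_OVERHEAD
    # Invariant from here on: `low` passes, `high` fails.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(host, mid):
            low = mid
        else:
            high = mid
    return low + IP_ICMP_OVERHEAD


def max_tcp_mss(path_mtu):
    """Largest IPv4 TCP MSS that fits in path_mtu without fragmentation."""
    return path_mtu - IP_TCP_OVERHEAD


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    mtu = find_path_mtu(host)
    if mtu is None:
        print("no reply even to small probes; cannot measure")
    else:
        print(f"path MTU {mtu}, TCP MSS must be <= {max_tcp_mss(mtu)}")
```

Run it from a client at the remote site against a host reached through the tunnel; a configured TCP MSS clamp above the printed limit means full-size segments will not fit.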