Issues have been observed with hub communication when there is an SSL tunnel between hubs, but the hubs are on the same LAN or WAN and can communicate freely across the normal hub port (48002).
The hub routing can get confused about the routing and try to inappropriately communicate locally on port 48002 when it is expected that it will communicate over a tunnel.
Any environment with tunnel configuration, when the port 48002 is reachable on the network.
The recommendation of CA is to only use a hub-to-hub tunnel when it is necessary to traverse networks (e.g. across the internet or firewalls).
If local, port-48002-based communication is available on the network, do not use a tunnel unless absolutely necessary (e.g. for encryption purposes).
If it is necessary to use a tunnel in such an environment, you will have better success if you block the local communication path (port 48002) in both ways to ensure that the hub doesn't try to bypass the tunnel.