The LEM appliance listens for SSH on port 32022 instead of 22, so that might be your first thing to validate (easy mistake).
If you haven't done a "restrictssh" on the appliance (off by default - that lets you whitelist only certain IPs), my next guess would be that their forward/reverse DNS might not match. Sometimes we see the SSH server reject connections where the hostname they say they are coming from doesn't match the hostname reverse looked up by their IP (e.g. if you're connecting from machine1.domain.local 192.168.1.22, nslookup 192.168.1.22 returns machine2.domain.local, it may reject the connection).