Hi all
I've been battling with this problem for weeks and wondering if anyone has any ideas.
I have the following setup:
2x Windows Server 2016 RRAS servers behind NLB (2x network adapters on each: 1x "internal", 1x "external")
1x Windows Server 2016 NPS in same "internal" subnet as RRAS servers
1x Backup Windows Server 2016 NPS in Azure (although I have tried removing this from the configuration completely for testing purposes which did not help)
Configuration is basically as per the following article:
Using an internally signed user certificate and PEAP authentication
I'm only using the user tunnel for the moment, not the device tunnel.
The users are intermittently getting Error 812 - "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
If they hammer the connect button or wait a few mins and try again, it will eventually connect. Once the connection is made it works reliably.
I'm getting the following errors on the RRAS server when the failure occurs:
Event 20271:
The user <USER UPN> connected from <USER PUBLIC IP> but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Event 20255:
The following error occurred in the Point to Point Protocol module on port: VPN2-497, UserName: <Unauthenticated User>. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.
Any help greatly appreciated, I've been banging my head against this for weeks.