We have a pair of load balanced ISA 2006 servers delivering a PPTP VPN service, the first server isa1 accepts VPN connections on it's real IP, and if the VIP happens to balance to it, that's fine too. Isa2 however, always fails at verifying username/password - and then fails with a cannot negotiate security. Disabling NLB fixes the problem - but then we loose the fault tolerance.
Any ideas whats likely to cause this? I thought perhaps it was an affinity problem and the connection was moving over to isa1 mid creation, but the problem also occurs using ISA2's real IP