Local user works but ldap user fails login

Hi,

NSA2700

I have a successful LDAPS connection to an on-premise Server 2016 AD. All groups and users show up. Thank you Jean-Pier

I have TOTP setup for users and SSLVPN groups.

SSLVPN settings are for both LADP + Local. All users are members of SSLVPN

DNS is set to the on-premise DNS server everywhere on the Sonicwall.

Time does not seem off.

I can sign-into Virtual Office with either domain user or local users and get to the QR code.

Authenticator (MS, but also tried Google) app picks up the QR.

Turning on User access to WAN HTTPS breaks access to the on-premise public facing RDP server so that is not an option and also does not affect the local user so should not be the issue.

The QR code works for the local user but not the domain user. Local user connects to firewalled subnet successfully after the Authenticator code is submitted. Domain user shows failed login.

Thanks for any help.