The NPS logs are not showing any errors, Reason-Code always returns 0 for both remote sites and HQ. That being said, the failing connections are never getting an Access-Reject packet.
For the remote sites, we are seeing the Access-Request and Access-Challenge packets followed by an Access-Accept. For HQ, we are only seeing Access-Requests and Access-Challenges over and over, but never an Access-Reject. When we look in the event logs, we can see successful connections from remote sites, but never the failed attempts from HQ. We only see those in the NPS logs.
At one point, we made a change to the MTU just to see if clients are seeing the change. We can see the MTU change reflected in the logs from remote sites, but not from HQ.
Here's a success from a remote site

Here's a failure from HQ (over and over until a timeout, I assume)
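The pattern described in this post (Access-Request/Access-Challenge repeating with no Access-Accept or Access-Reject, while Reason-Code stays 0) is easy to miss when scanning NPS logs by eye because every individual record looks healthy. The script below is an added example, not code from the poster: it parses NPS-style XML log records, groups them into conversations by RADIUS client and user, and flags conversations that keep cycling through challenges without ever reaching a final packet. The element names follow the layout of the NPS DTS-compliant XML log format, but the sample records, IP addresses, user names and timestamps are constructed for the example; the packet codes (1 Request, 2 Accept, 3 Reject, 11 Challenge) are the standard RADIUS values.

```python
"""Flag RADIUS conversations in an NPS log that never reach Accept or Reject.

Added example (not the poster's code). Record layout is modeled on the NPS
DTS-compliant XML format; all sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Standard RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
FINAL_CODES = {ACCESS_ACCEPT: "accepted", ACCESS_REJECT: "rejected"}

# Constructed sample clients (RFC 5737 documentation addresses, made-up users)
REMOTE_CLIENT = ("192.0.2.10", "remote-user")
HQ_CLIENT = ("198.51.100.5", "hq-user")


def make_event(ts, packet_type, client_ip, user, reason_code=0):
    """Build one NPS-style <Event> record (constructed, for the sample log)."""
    return (f'<Event><Timestamp data_type="4">{ts}</Timestamp>'
            f'<Packet-Type data_type="0">{packet_type}</Packet-Type>'
            f'<Reason-Code data_type="0">{reason_code}</Reason-Code>'
            f'<Client-IP-Address data_type="3">{client_ip}</Client-IP-Address>'
            f'<User-Name data_type="1">{user}</User-Name></Event>')


# Remote site: three request/challenge rounds, then Accept (healthy EAP exchange).
# HQ: four request/challenge rounds and then nothing, i.e. the post's symptom.
SAMPLE_LOG = "<Events>" + "".join(
    make_event(f"01/01/2024 10:00:{i:02d}.000", ptype, ip, user)
    for i, (ptype, ip, user) in enumerate([
        (ACCESS_REQUEST, *REMOTE_CLIENT), (ACCESS_CHALLENGE, *REMOTE_CLIENT),
        (ACCESS_REQUEST, *REMOTE_CLIENT), (ACCESS_CHALLENGE, *REMOTE_CLIENT),
        (ACCESS_REQUEST, *REMOTE_CLIENT), (ACCESS_ACCEPT, *REMOTE_CLIENT),
        (ACCESS_REQUEST, *HQ_CLIENT), (ACCESS_CHALLENGE, *HQ_CLIENT),
        (ACCESS_REQUEST, *HQ_CLIENT), (ACCESS_CHALLENGE, *HQ_CLIENT),
        (ACCESS_REQUEST, *HQ_CLIENT), (ACCESS_CHALLENGE, *HQ_CLIENT),
        (ACCESS_REQUEST, *HQ_CLIENT), (ACCESS_CHALLENGE, *HQ_CLIENT),
    ])
) + "</Events>"


def parse_events(xml_text):
    """Return a list of dicts, one per <Event>, with the fields we correlate on."""
    root = ET.fromstring(xml_text)
    return [{
        "timestamp": ev.findtext("Timestamp", ""),
        "packet_type": int(ev.findtext("Packet-Type", "0")),
        "reason_code": int(ev.findtext("Reason-Code", "0")),
        "client_ip": ev.findtext("Client-IP-Address", ""),
        "user": ev.findtext("User-Name", ""),
    } for ev in root.iter("Event")]


def summarize_conversations(events, min_requests=3):
    """Group events by (RADIUS client, user) and classify each conversation.

    A conversation with challenges, at least `min_requests` requests and no
    Accept/Reject is reported as "stuck_in_challenge".
    """
    convs = defaultdict(lambda: {"requests": 0, "challenges": 0,
                                 "nonzero_reason_codes": 0, "outcome": None})
    for ev in events:
        conv = convs[(ev["client_ip"], ev["user"])]
        ptype = ev["packet_type"]
        if ptype == ACCESS_REQUEST:
            conv["requests"] += 1
        elif ptype == ACCESS_CHALLENGE:
            conv["challenges"] += 1
        elif ptype in FINAL_CODES:
            conv["outcome"] = FINAL_CODES[ptype]
        if ev["reason_code"] != 0:
            conv["nonzero_reason_codes"] += 1
    for conv in convs.values():
        if conv["outcome"] is None:
            stuck = conv["challenges"] > 0 and conv["requests"] >= min_requests
            conv["outcome"] = "stuck_in_challenge" if stuck else "in_progress"
    return dict(convs)


def stuck_conversations(xml_text, min_requests=3):
    """Sorted list of (client_ip, user) pairs that never got a final packet."""
    summary = summarize_conversations(parse_events(xml_text), min_requests)
    return sorted(key for key, conv in summary.items()
                  if conv["outcome"] == "stuck_in_challenge")


if __name__ == "__main__":
    for key, conv in summarize_conversations(parse_events(SAMPLE_LOG)).items():
        print(key, conv)
    print("stuck:", stuck_conversations(SAMPLE_LOG))
```

Grouping by client address and user name is a simplification that works for a small sample; on a busy NPS the Class or Acct-Session-Id attribute is the better correlation key when the NAS sends it. The useful observation for this kind of troubleshooting is that the HQ conversation is reported as stuck even though every record carries Reason-Code 0, which matches what the post describes: NPS never reached a decision, so it had no failure to log.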