VPN

Why does Windows RRAS stop accepting IKEv2 connections after a reboot?

Brief description of the problem:
Windows RRAS refuses to accept IKEv2 connections after restarting the service and/or computer.
Details:
I'm trying to set up a VPN server based on Windows Server 2012 R2. The VPN server is included in the domain. The domain has a certificate authority. This CA issued a certificate with an application policy of "Server Authentication" and "IP Security IKE Proxy" for the VPN server. The root certificate is installed in the computer store on the server and client.
Once configured, the VPN server is up and running and accepting IKEv2 connections.
However, if the service is restarted (and it will be restarted anyway if the server needs to be restarted), then the clients start receiving error code 13801.
In the event log on the client, you can find the following message "CoID={728166D6-3FD2-412E-8C7A-13660AC739A1}: User %domain%\%username% established a remote connection vpn.%domain%.org which failed. Error code returned 13801
The following message can be found in the server event log "CoId={728166D6-3FD2-412E-8C7A-13660AC739A1}: The following error occurred in the Point to Point Protocol module on port: VPN2-481, UserName: <Unauthenticated User> . Negotiation timed out".
The technet site says that such an error can occur in 4 cases:

• The certificate will expire - it's not
  
• There is no root certificate on the client - this is not the case
  
• The subject name of the certificate does not match the computer name - it is not
  
• The certificate does not have the required application policies - as far as I can tell, this is not the case either
  

Question:
How to solve this problem?
Addition:
After restarting the server, L2TP, SSTP, PPTP work. Only IKEv2 falls off.