Two DSS servers. One is offline, the "primary". One is not, the "secondary".
In Juniper VPN Radius configuration one can specify a primary Radius server and a secondary, backup Radius server.
When the secondary DSS is set as Primary Radius in Juniper authentications work with Defender token. When the Primary Radius is the primary DSS (which is offline) and the backup Radius is the secondary DSS - the authentication fails.
When we look at the secondary DSS log, we see the authentication attempt, but it is being "abondoned".