Failed VIP authentication attempt increments the user LDAP incorrect password count by 2
Article ID: 204996

Updated On:

Products

VIP Service

Issue/Introduction

User AD accounts are locked after two failed login attempts when VIP 2FA is in the authentication path. A single failed login can increment the LDAP incorrect password count (badPwdCount in AD) by 2, so it looks as if the user entered a bad password twice.

Cause

Refer to the KB article "Delegation and authentication workflow in VIP Enterprise Gateway version 9.8 and later".

Resolution

Per the KB article referenced above, this happens when a user enters an incorrect AD password followed by an incorrect security code in the single password field. The VIP Enterprise Gateway splits the input, validates the security code against the VIP cloud service and the remaining password against LDAP; the LDAP bind with the wrong password is the first invalid password attempt. Because the security code validation also fails, the gateway falls back to passing the full user input (password plus security code) to LDAP as the user's password. That bind fails as well and is the second invalid attempt, so one login attempt increments the count by 2.

This scenario is uncommon, since it requires the user to enter both an invalid password and an invalid security code in the same login attempt (and, with a typical lockout threshold, to do so twice in a row). Unlocking the user's AD account is usually enough to resolve the issue. If it happens often, administrators can consider:

  • Implementing push notifications to mobile devices, which removes the need for the end user to type a security code at all.
  • Adding a separate 'security code' field to the login form, so the gateway does not have to split a combined password field and only one LDAP bind is made per login attempt.
  • Increasing the AD account lockout threshold for invalid passwords, bearing in mind that this also weakens the brute-force protection the threshold provides.
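The following simulation, added for this page and not Symantec VIP Enterprise Gateway code, walks through the combined password+code flow described in the Resolution above and contrasts it with the separate 'security code' field option from the list. The user name, passwords, security codes, the assumption that the security code occupies the last six characters of the field, and the stub LDAP directory and VIP cloud validator are all constructed for the example.

```python
"""Simulation of the combined password+security-code delegation flow.
Added illustration, not Symantec VIP code: the split point (last CODE_LENGTH
characters treated as the security code), the stub LDAP directory and the
stub VIP cloud validator are assumptions made for this example."""

CODE_LENGTH = 6  # assumed: the security code is the last 6 characters of the field


class FakeLdap:
    """Stand-in for Active Directory: each bind with a wrong password bumps a
    badPwdCount-style counter, and the account locks once it hits the threshold."""

    def __init__(self, users, lockout_threshold):
        self.users = dict(users)                  # uid -> correct password (constructed)
        self.bad_pwd_count = {u: 0 for u in users}
        self.locked = set()
        self.lockout_threshold = lockout_threshold

    def bind(self, uid, password):
        if uid in self.locked:
            return False                          # locked accounts reject every bind
        if self.users.get(uid) == password:
            self.bad_pwd_count[uid] = 0           # AD resets the count on success
            return True
        self.bad_pwd_count[uid] += 1
        if self.bad_pwd_count[uid] >= self.lockout_threshold:
            self.locked.add(uid)
        return False


class FakeVipCloud:
    """Stand-in for the VIP cloud service: one currently valid code per user."""

    def __init__(self, valid_codes):
        self.valid_codes = dict(valid_codes)      # uid -> valid code (constructed)

    def validate(self, uid, code):
        return self.valid_codes.get(uid) == code


def login_single_field(ldap, cloud, uid, field):
    """Single password field holding password+code, as the article describes.
    Returns (authenticated, number_of_ldap_binds_made)."""
    if len(field) <= CODE_LENGTH:
        return ldap.bind(uid, field), 1           # nothing to split off (assumption)
    password, code = field[:-CODE_LENGTH], field[-CODE_LENGTH:]
    code_ok = cloud.validate(uid, code)
    pwd_ok = ldap.bind(uid, password)             # LDAP attempt 1: remaining password
    if code_ok:
        return pwd_ok, 1
    # Code rejected: the gateway falls back to treating the whole input as the
    # LDAP password.  With a wrong password this is LDAP attempt 2.
    return ldap.bind(uid, field), 2


def login_split_fields(ldap, cloud, uid, password, code):
    """Separate security-code field: the gateway never has to guess the split,
    so there is exactly one LDAP bind per user-facing login attempt."""
    code_ok = cloud.validate(uid, code)
    pwd_ok = ldap.bind(uid, password)
    return code_ok and pwd_ok, 1


def fresh_fixture(lockout_threshold=3):
    """Constructed test data: one user, one valid code, lockout after 3 bad binds."""
    ldap = FakeLdap({"alice": "S3cretPw"}, lockout_threshold)
    cloud = FakeVipCloud({"alice": "123456"})
    return ldap, cloud


def bad_count_after_one_login(login, *args):
    """badPwdCount for alice after a single user-facing login attempt."""
    ldap, cloud = fresh_fixture()
    login(ldap, cloud, "alice", *args)
    return ldap.bad_pwd_count["alice"]


def attempts_until_locked(login, *args, lockout_threshold=3, max_attempts=100):
    """Number of user-facing failed logins before AD locks the account."""
    ldap, cloud = fresh_fixture(lockout_threshold)
    attempts = 0
    while "alice" not in ldap.locked and attempts < max_attempts:
        login(ldap, cloud, "alice", *args)
        attempts += 1
    return attempts


if __name__ == "__main__":
    print("one field, wrong pw + wrong code :", bad_count_after_one_login(login_single_field, "WrongPw000000"))
    print("one field, wrong pw + valid code :", bad_count_after_one_login(login_single_field, "WrongPw123456"))
    print("split fields, wrong pw + wrong code:", bad_count_after_one_login(login_split_fields, "WrongPw", "000000"))
    print("logins until lockout, one field  :", attempts_until_locked(login_single_field, "WrongPw000000"))
    print("logins until lockout, split      :", attempts_until_locked(login_split_fields, "WrongPw", "000000"))
```

With a lockout threshold of 3, the combined field locks the simulated account after two user-facing failures while the split form takes three, which is the symptom the article describes. Only the scenario with a wrong password and a wrong code pays the double increment: with a valid code the gateway never falls back to the full-input bind.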