RDP not working over Azure S2S VPN with Palo Alto

I ran into an interesting issue with a customer this week. We were deploying a route based VPN from Azure Resource Manager to the customer's Palo Alto PA-5020 running PANOS 7.1.8. We were able to stand up the VPN tunnel easily enough but we could not RDP to VMs running in Azure using the VPN while RDP using the public IP worked. We could open port 3389 via a telnet command, but RDP would time out. When running a network trace we saw a fair amount of re-transmits so as a troubleshooting step we lowered the MTU to account for VPN over-head. This didn't help for our use case. The fix turned out to be selecting "Enable NAT Traversal" (the VPN device was not behind a NAT) on the IKE gateway.

MTU Setting:
MTU Setting

NAT Setting:
NAT Setting

We don't (yet) have a good reason as to why this setting solved the RDP issue. I'll comment on this when I know, and if you have some ideas, please feel free to comment.