Slow AFP login

This started as a Lion Server issue but the problem is still present after upgrading to Mountain Lion yesterday. Logins to sharepoints via AFP take about ~30 seconds for authentication. That's 30 secodns after submitting username/password credentials before being presented with a list of sharepoints to choose from. It's the same delay whether selecting the sever from the sidebar or using a URL/IP address in connect to server. Strangly though, this delay only exists for the connections to the server on the LAN. Connections via "VPNing" into the network and then using connect to server with the same IP address do not get any delay at all. Same when enabling a port forward for AFP connections. Only connections from clients on the same subnet as the server are affected. The issue only affects OD accounts. Local accounts on the server always login at normal speeds.

There are multiple external services that authenticate users from this OD server including a Kerio Connect mail server and a wordpress installation to name a few. All do so without any errors or slow downs.

There are no errors in any od/password server/kerberos log I can find to explain the slow down. Using a Bonjour browser confirms on the correct IPv4/6 addresses are being advertised for the AFP service.

Configuration:

ML 10.8.3

OD Master with one remote replica (also experiencing same symptom of fast via VPN and slow on LAN)

Static IP, correct forward and reverse DNS setup (changeip -checkhostname reports success)

DNS is external, not on same server

Only file sharing, caching, time machine and OD are running on the server

Troubleshooting so far:

This server started life as a Lion server and everything was great. Then there was an ISP change. Once the new internet connection was live the server had lots of problems authenticating users for a couple of hours. Then the problems went away by themselves while we were still troubleshooting. Nothing had changed, just suddenly everything was authenticating successfully. But AFP authentication was slow with this 30 second delay.

The server has been archived, demoted to standalone, promoted back to a master and restored. The issue is unchanged. The archive has been restored to another server setup with the same configuration (hostname, network settings, etc) in a test environment and the issue is not present so it's not something contained within the archive.

A strange thing happened after the restore however. A few hours after the restore, the server app would only see local users and groups. Workgroup manager could see the directory users but would not accept the directory admin credentials even though the same password worked on the replica. Using command line tools to reset that password to it's correct value didn't work either. So the server was upgraded to Mountain Lion. After the upgrade the new server app could see all the directory accounts and the admin account password was being accepted by the 10.8 version of workgroup manager.

I'm at a complete loss to understand why the authentication process would have this delay for clients on the LAN vs clients connecting via a VPN connection or port forwarding from the internet. Anyone ever seen anything like this or have any tips on which logs to look at to get further information?