So it sounds like the user gets their IP->User mapping successfully for group access when they log in, then they lose the mapping early. There are several causes for this:
1) Watch out for automated service accounts firing up on the user's workstation, logging into the domain, and overwriting the user's mapping. You should be able to see this in the logs for subsequent connections from that user's IP, and the user name will show up as "backups" or whatever the service account name is. Make sure all service accounts like this are excluded from forming mappings on the gateway/cluster object under AD Query...Advanced...Excluded Users/Machines.
2) Check the gateway/cluster's User/IP Association timer and make sure it is greater than the Kerberos reticketing interval for AD. Usually the AD interval is 8 hours (with the firewall set for 10 or 12 hours), but I've seen cases when the AD administrator increases the reticketing timer to reduce load on the controller, and users lose their mappings early.
Note that if the user locks their screen and unlocks it with their domain credentials, their mapping should be reestablished, and it is probably one of the issues above. If that doesn't get their mapping back, there are deeper issues at work here.
Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
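The two checks above, as an added example that is not part of the original post: it replays a constructed, simplified list of AD Query-style login events (not real Check Point log output) and reports every IP where a service-account login replaced a real user's mapping, and it compares the gateway's association timer with the AD Kerberos reticketing interval. The account names and event format are assumptions.

```python
from datetime import datetime

# Constructed, simplified AD Query-style login events (not real Check Point
# log output): time, source IP, account that authenticated to the domain.
SAMPLE_EVENTS = [
    ("2024-03-04 08:02:11", "10.1.5.23", "alice"),
    ("2024-03-04 08:02:40", "10.1.5.24", "bob"),
    ("2024-03-04 08:15:03", "10.1.5.23", "backups"),      # service account logging in on alice's host
    ("2024-03-04 09:30:00", "10.1.5.24", "svc-monitor"),  # same thing on bob's host
    ("2024-03-04 09:31:00", "10.1.5.24", "bob"),          # bob unlocks his screen, mapping restored
]

# Assumed service account names; these are the accounts that belong under
# AD Query > Advanced > Excluded Users/Machines so they never form mappings.
SERVICE_ACCOUNTS = {"backups", "svc-monitor"}


def find_overwrites(events, service_accounts):
    """Replay logins in time order, keeping the current IP->user mapping the
    gateway would hold, and report every service-account login that replaces
    a real user's mapping on that IP."""
    current = {}   # ip -> account currently mapped to it
    findings = []
    for ts, ip, user in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        prev = current.get(ip)
        if user in service_accounts and prev is not None and prev not in service_accounts:
            findings.append({"time": ts, "ip": ip, "lost_user": prev, "overwritten_by": user})
        current[ip] = user
    return findings


def association_timer_ok(association_timeout_hours, kerberos_reticket_hours):
    """The gateway's User/IP Association timer must be longer than the AD
    Kerberos reticketing interval, otherwise mappings expire before the
    workstation re-authenticates and the user is silently unmapped."""
    return association_timeout_hours > kerberos_reticket_hours


if __name__ == "__main__":
    for f in find_overwrites(SAMPLE_EVENTS, SERVICE_ACCOUNTS):
        print(f"{f['time']} {f['ip']}: {f['lost_user']} overwritten by {f['overwritten_by']}")
    print("timer ok (10h vs 8h):", association_timer_ok(10, 8))
    print("timer ok (8h vs 10h):", association_timer_ok(8, 10))
```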