Have you made sure they are accessing via a rule that doesn't try to use user identity? We have found that any device trying to get access through an XG that isn't identified by STAS, SATC or a client often has random issues, especially, but not limited to, with user identity rules. Even non-user-identity rules can be affected if you have configured STAS. You can reduce it by reducing the default 120s timeout for the user identity process; we've set it to 30 seconds, and that does fix most issues.
If my answer solves your problem, please click Accept as Solution so others can benefit from it.