I experienced this exact same issue. It is due to STAS and how the firewall drops traffic while trying to figure out who the user is. I has to stop using STAS until Sophos comes up with a better implementation. I have 2 XG230's running in a cluster with multiple RED sites. The RED sites experienced the problem more than the users directly behind the XG. Both Domain Controllers are behind the XG and all RED sites use those. The XG takes way too long to identify the user and thus cause connectivity issues and show the yellow exclamation point as you saw.