What Authenticator are you using to generate Passports (i.e. MLC, AD, etc.)?
What exact patch level are you running?
Are you using MLC 2.1?
What do you mean by 'I check under manage passports and see that they do not have a passport' and then 'Once I find a user who is inactive I revoke that passport'? Does this username already have a passport or not? Also, is this user logging in from the same IP the previous passport (if there is one) was created for?
You should also check on the MLC to see if it is going over its CPU limit and thus not sending new logon events to the firewall. I think the default is that if the CPU on the domain controller goes over 75% then MLC will stop watching the DC logon events for 20 minutes. If this were the case, what you'd see is your users logging in to their PCs, but when they go through the firewall they do not have a passport. This is because MLC has stopped watching the DC logon events and thus has not communicated to the firewall that UsernameA just logged in from IP 220.127.116.11.
There aren't any settings for 'max passports' so we are not hitting some type of limit there.
There are a number of disparate reasons this could be seemingly not working correctly (the MLC CPU went too high, the FW lost connection to the MLC so is caching old entries, etc.) or maybe this has nothing to do with authentication and Passport and there is some other reason the users get blocked. Investigating the audit while this is happening would be helpful (the new 'aconn' command-line tool at 8.3.2P03 can be helpful to determine why traffic is skipping the rule you believe it should be hitting).