I have some rules for third parties which we allow for remote VPN access which we have timed objects, when the third parties connect outside these hours in tracker it goes to the cleanup rule and gets denied . This can be confusing especially if you have multiple timed objects which are changed over time, if in doubt check the timed objects and that your gateway time match your tracker logs.