When a user connects to the SA/MAG for the first time, a User Record is created in the cache to store the user's information, part of which is a unique User ID. Depending on configuration and cache size, the existing User Record will be used and updated whenever the user starts a new session, unless the User Record has been removed.
As it is possible to allow a single user to have multiple sessions, the Session ID is the User ID with the unique session number appended to it. If the user multi-sessions option is disabled, then the session number will always be six zeroes, so the Session ID will be the User ID with '000000' added at the end.
For more information on User Records, see What are 'user records' and what causes them to be persistent in the SA SSL VPN?
The SA dynamically creates the MAC address by using part of the user's Session ID. When a user who has connected in the past starts a new session, and the previous User Record is still saved in the cache, the same MAC address will be created for that user in the DHCP packets sent to the DHCP server. If the User Record is not in the cache, then another unique User ID will be created for the new User Record, and so the MAC address in the DHCP packets could be different from the last time the user connected.
This is why the MAC is not guaranteed to be unique per user over a period of time and should not be used to uniquely identify the clients on the DHCP server. It is also why the article KB23018 - Requirement to enable DHCP requests to be sent to a QIP server advises DHCP admins to utilize the DHCP Option 61 Client Identifier field; if the DHCP server uses the MAC address, then clients could intermittently find they are not receiving an IP address for NC/Pulse, as per KB28908 - DHCP server is offering an IP address for a VPN Tunneling connection (Network Connect or Pulse Secure client) that is already assigned to another user.
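A DHCP admin can check whether this behaviour is affecting a scope by grouping lease records by the Option 61 Client Identifier and comparing the MAC addresses seen for each. The following is an added example, not code from this article or from the vendor. The record layout, the sample values and the function name `audit_leases` are assumptions made for illustration, including the assumption that the Option 61 value stays the same for a user across sessions.

```python
from collections import defaultdict

# Constructed sample lease records, not SA/MAG or QIP output:
# (timestamp, MAC in the DHCP packet, Option 61 client identifier, offered IP)
SAMPLE_LEASES = [
    ("2024-01-10T08:00", "02:00:5e:00:00:01", "alice", "10.0.0.11"),
    ("2024-01-10T08:05", "02:00:5e:00:00:02", "bob", "10.0.0.12"),
    # alice's User Record was no longer in the cache: new User ID, new MAC
    ("2024-01-17T08:00", "02:00:5e:00:00:03", "alice", "10.0.0.13"),
    # bob's User Record was still cached: same MAC as before
    ("2024-01-17T08:10", "02:00:5e:00:00:02", "bob", "10.0.0.12"),
]


def audit_leases(leases):
    """Return (client IDs seen with several MACs, MACs seen with several client IDs).

    Either result being non-empty means the MAC address is not a reliable
    key for identifying these clients on the DHCP server.
    """
    macs_by_client = defaultdict(set)
    clients_by_mac = defaultdict(set)
    for _timestamp, mac, client_id, _ip in leases:
        mac = mac.lower()  # normalise case so AA:BB and aa:bb compare equal
        macs_by_client[client_id].add(mac)
        clients_by_mac[mac].add(client_id)
    unstable_clients = {
        cid: sorted(macs) for cid, macs in macs_by_client.items() if len(macs) > 1
    }
    shared_macs = {
        mac: sorted(cids) for mac, cids in clients_by_mac.items() if len(cids) > 1
    }
    return unstable_clients, shared_macs


if __name__ == "__main__":
    unstable, shared = audit_leases(SAMPLE_LEASES)
    for cid, macs in unstable.items():
        print(f"client-id {cid!r} used {len(macs)} MACs: {', '.join(macs)}")
    for mac, cids in shared.items():
        print(f"MAC {mac} used by client-ids: {', '.join(cids)}")
```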