IncidentWriter log: "SEVERE: Error sending incident"

Article ID: 159928

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce, Data Loss Prevention Network Protect, Data Loss Prevention Endpoint Discover

Issue/Introduction

Incidents are queuing up on the Detection server and are not being transferred to the Enforce server.

The IncidentWriter log shows one or more of the following errors:

<date and time> com.vontu.communication.dataflow.ShippingTask processErrorResponse
WARNING: Shipping Task(5231): The shipment was aborted because the receiving task timeout out!

and one of:

<date and time> com.vontu.logging.LocalLogWriter write
SEVERE: Error sending incident. Unexpected error occurred while sending an incident.
The shipment was aborted because the receiving task timeout out!
Look in the incident writer log for more information.

Resolution

Relevant versions:  ALL

This is caused by a timeout in the transport of an incident from the Detection server to the Enforce server.

  • Stop the Monitor service and check the incidents folder (\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\incidents) for the oldest incident.
    • Take note of the size of the oldest incident and the size of newer incidents.
  • Try copying the file directly to the Enforce server and back to the Detection server.
    • Note the time it takes for the copy to finish in both directions.
  • If the copy to the Enforce server takes a lot longer than the copy back, there may be an issue with the Ethernet switch port connected to the Detection server.
    • If possible, have the port set to match the maximum capabilities of the server's NIC.
    • If the Detection server's NIC is set to auto-negotiate, change it to fixed speed and duplex settings.
  • After the change, try copying the incident file again. If the file copies are close to the same speed, start the Monitor service and the incidents should clear out.

If changing the port and/or server NIC settings clears the problem, the cause was a rare problem with auto-negotiation on the Ethernet switch port.
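
The copy-timing check from the steps above, as an added PowerShell example (not Broadcom's code). The Enforce test share name and the 2x threshold for "a lot longer" are assumptions, and the Monitor service is assumed to be stopped already.

```powershell
# Added example, not vendor code. Run on the Detection server after the Monitor
# service has been stopped (first step of the procedure).
param(
    # Incidents folder from the article; the ProgramData drive comes from the environment.
    [string]$IncidentDir = "$env:ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\incidents",
    # Hypothetical placeholder: an access-restricted test share on the Enforce server.
    [string]$EnforceShare = '\\ENFORCE-PLACEHOLDER\copytest',
    # Assumed threshold for "a lot longer"; the article gives no number.
    [double]$SlowRatio = 2.0
)
$ErrorActionPreference = 'Stop'

# Oldest incident first, then compare its size with the newer ones.
$files = @(Get-ChildItem -LiteralPath $IncidentDir -File | Sort-Object LastWriteTime)
if ($files.Count -eq 0) { throw "No queued incident files in $IncidentDir" }
$oldest = $files[0]
"Oldest: {0}  {1:N0} bytes  {2}" -f $oldest.Name, $oldest.Length, $oldest.LastWriteTime
$newer = @($files | Select-Object -Skip 1)
if ($newer.Count -gt 0) {
    $m = $newer | Measure-Object -Property Length -Average -Maximum
    "Newer: {0} files, avg {1:N0} bytes, max {2:N0} bytes" -f $m.Count, $m.Average, $m.Maximum
}

# Copy back into a scratch folder, not the incidents folder, so the queue is untouched.
$remote  = Join-Path $EnforceShare $oldest.Name
$scratch = Join-Path $env:TEMP ("dlp-copytest-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
try {
    $toEnforce   = (Measure-Command { Copy-Item -LiteralPath $oldest.FullName -Destination $remote }).TotalSeconds
    $fromEnforce = (Measure-Command { Copy-Item -LiteralPath $remote -Destination $scratch }).TotalSeconds
    $back = Join-Path $scratch $oldest.Name
    $same = (Get-FileHash -LiteralPath $oldest.FullName).Hash -eq (Get-FileHash -LiteralPath $back).Hash
    $ratio = if ($fromEnforce -gt 0) { $toEnforce / $fromEnforce } else { [double]::NaN }
    "To Enforce: {0:N2}s  Back: {1:N2}s  Ratio: {2:N1}  Hash match: {3}" -f $toEnforce, $fromEnforce, $ratio, $same
    if ($ratio -ge $SlowRatio) {
        "Copy to Enforce is much slower than the copy back: check switch port and NIC speed/duplex."
    }
}
finally {
    # Incident files can hold the content that triggered the policy; leave no test copies behind.
    Remove-Item -LiteralPath $remote, $scratch -Recurse -Force -ErrorAction SilentlyContinue
}

# Link speed and duplex the NIC actually negotiated, for comparison with the switch port.
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Format-Table Name, LinkSpeed, FullDuplex
```

Run it again after changing the port or NIC settings; a ratio close to 1 matches the "close to the same speed" condition in the last step.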