The policy trace shows a timeout as the result of a deny action. This action is triggered by a country condition which applies to the OCS response.
Example error message: supplier.failures: "126.96.36.199|United States|timeout"
If you use the supplier.country=() condition with a deny action, the policy trace mechanism incorrectly reports the denial as a timeout.
For best security, Symantec recommends that you use the supplier.country=() condition for policy decisions that rely on post-connection data. To deny a connection based on geolocation, use the supplier.allowed_countries() property, which applies before the appliance attempts to connect to the OCS.
Symantec is aware of this issue and will update this document when a solution becomes available. It is not necessary to log a support case on this issue. Please subscribe to this article to be notified of any updates.
Use DOC10455 Content Policy Language Reference for reference and troubleshooting. Refer to section "supplier.country=" and section "supplier.allowed_countries()".