With Symantec Endpoint Protection (SEP), in a configuration meeting all of the below requirements large delays may be observed for ICMP traffic, or ping requests may appear to be blocked when they should be allowed according to the firewall rules.
Ping requests may time out, or (if the -w 20000 parameter is used to increase the ping command timeout) succeed after roughly 13000 milliseconds.
Removing the DNS server IP address from the IPS Exclusions resolves the problem.