Users going to blocked sites were experiencing long delays, just over 80 seconds, before the exception page rendered in the browser.
The customer was using the ident.username field in their deny exception page. This field is used in conjunction with Policy Substitution Realms (see the Blue Coat Systems SGOS Administration Guide for more information on Policy Substitution Realms) and the IDENT protocol to provide the username associated with a session, as returned from an ident query. As a result, the ProxySG was trying to contact the user's workstation on port 113 in an attempt to retrieve the username; however, this traffic was being silently dropped by the firewall.
The ProxySG will make multiple attempts to connect on port 113, eventually timing out and only then proceeding to display the denied exception page.
Removing ident.username from the exception page resolved the issue. If this is not an option, then getting the firewall to reset the connection, or allowing traffic on port 113 to the workstations, will also help.
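To check how a workstation's port 113 is being handled from a host on the proxy's side of the firewall, the following added example (not part of the original article and not Blue Coat tooling) classifies one connection attempt as open, refused, or filtered, times it, and parses any ident reply. The function names, the default port values and the 192.0.2.10 placeholder address are assumptions.

```python
import socket
import time


def parse_ident_reply(line):
    """Parse an RFC 1413 reply line into a small dict."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) == 4 and parts[1].upper() == "USERID":
        return {"status": "userid", "opsys": parts[2], "user": parts[3]}
    if len(parts) >= 3 and parts[1].upper() == "ERROR":
        return {"status": "error", "code": parts[2]}
    return {"status": "malformed", "raw": line.strip()}


def probe_ident(host, port=113, timeout=3.0, workstation_port=50000, proxy_port=8080):
    """Connect to the ident port once; report how the path answered and how long it took."""
    result = {"outcome": None, "reply": None}
    start = time.monotonic()
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        result["outcome"] = "refused"    # RST / reject: the caller fails fast
    except socket.timeout:
        result["outcome"] = "filtered"   # silent drop: the caller waits out its timer
    except OSError as exc:
        result["outcome"] = "error: %s" % exc
    else:
        result["outcome"] = "open"
        with conn:
            try:
                # Query format: "<port on queried host>, <port on querying host>"
                conn.sendall(("%d, %d\r\n" % (workstation_port, proxy_port)).encode("ascii"))
                result["reply"] = parse_ident_reply(conn.recv(1024).decode("ascii", "replace"))
            except OSError:
                pass                     # connected, but no ident answer arrived
    result["seconds"] = round(time.monotonic() - start, 2)
    return result


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder workstation.
    print(probe_ident("192.0.2.10"))
```

A "filtered" result that takes the full timeout matches the silent-drop behaviour described above, while "refused" returns almost immediately, which is the effect of having the firewall reset the connection.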