If you have TrustedSource enabled and for some reason you cannot reach the TS servers you will use the Default reputation (which is set on the TrustedSource page in the GUI). If your default reputation is higher than the threshold for what your rule will pass, you will Deny traffic. You will not see a 'TrustedSource' deny message (because they don't exist). Geolocation Deny messages do not exist either; they are all 'ACL Deny' message ($> acat -e "event AUDIT_R_ACLDENY").
If you cannot reach the TS servers you will see an audit message that says something like 'Unable to query TS servers; going to default reputation for 300 seconds.' I believe you can see these audits with this audit filter:
$> acat -e "area TrustedSource and type software_failure" | less
There is no way to figure out why you couldn't reach the TS servers, though, if that actually happened.
I have exactly the same problem, I have a call logged with McAfee Support. It happened recently after rebooting the active firewall and the standby took over but all the Trusted Source enabled rules stopped working, all other traffic was fine.
I've had it before in the past but never resolved the issue. The firewall can contact the TrustedSource Internet server fine, resolve name, ping etc, problem even happens when the firewall is idle. Failing over (rebooting the firewalls) doesn't help either, have to switch off TrustedSource on the rules before the rules start working again. When I had it before internet access became slow and some (not all) remote sites couldn't access the hosted servers, disable Trusted Source as a workaround, hoping the cause is identified soon.
*** UPDATE ***
I applied e-patch E97 which apparently fixes various trusted source issues, but still got the same problem.