That's interesting. I would have assumed DNS, but it sounds like you already checked that on the DNS option. 20 seconds sounds like a TCP timeout, but I'm at a loss to explain why it would use v6 at all if the client is speaking v4 and you are forcing v4 for DNS. It really sounds like MWG is trying to do v6 to the server for some reason.
Have you done a tcpdump? I'm most curious about the DNS lookup from MWG and then if there is an attempted connection over v6.
I have run dnslookup and there is no IPv6 address for the destination server. Our client does not have IPv6-protocol installed.
I have done several tcpdumps, and there is only IPv6 communication to our Reverse Proxy ports. No IPv6 DNS lookups.
It looks like a bug.
I tested ping against MWG with the Don't Fragment bit enabled and this is the result:
ping -f -l 1256 mwgipaddress: MWG responded OK
ping -f -l 1257 mwgipaddress: MWG no answer. This is not OK!!!
ping -f -l 1472 mwgipaddress: MWG no answer. This is not OK!!!
ping -f -l 1473 mwgipaddress: Packet too big. This is OK.
With help from McAfee support, I changed MTU on IPv6 from 1280 to 1500 and the IPv4 Proxy MSS from 0 to 1412 (We are using WCCP, so we had to lower it).
Now MWG answers OK (ping -f -l 1472 mwgipaddress)
No delays anymore. Problem solved!
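The ping sweep from the last post, read as a path-MTU check (an added example, not part of the thread; the function names and outcome labels are assumptions). Windows `ping -l` sets the ICMP payload size, so the IPv4 packet on the wire is 28 bytes larger, and sizes that get neither a reply nor a "too big" error are being dropped silently somewhere on the path.

```python
IPV4_HEADER = 20  # bytes, IPv4 header without options
ICMP_HEADER = 8   # bytes, ICMP echo header

def packet_size(payload):
    """On-wire IPv4 packet size for `ping -f -l <payload>`."""
    return payload + IPV4_HEADER + ICMP_HEADER

def analyze_sweep(probes):
    """probes: list of (payload_bytes, outcome) with outcome in
    {'reply', 'timeout', 'too_big'} (labels are this example's own).
    Returns the largest packet that got through and the range of sizes
    that vanished without any ICMP error (a PMTU black hole)."""
    by_outcome = {"reply": [], "timeout": [], "too_big": []}
    for payload, outcome in probes:
        by_outcome[outcome].append(packet_size(payload))

    largest_ok = max(by_outcome["reply"], default=None)
    smallest_err = min(by_outcome["too_big"], default=None)

    # Timeouts above the last working size and below the first explicit
    # error are the suspicious ones: the packet left the sender with DF set,
    # yet no reply and no "fragmentation needed" message came back.
    silent = sorted(
        size for size in by_outcome["timeout"]
        if (largest_ok is None or size > largest_ok)
        and (smallest_err is None or size < smallest_err)
    )
    return {
        "largest_ok_packet": largest_ok,
        "first_error_packet": smallest_err,
        "silent_drop_range": (silent[0], silent[-1]) if silent else None,
        "blackhole": bool(silent),
    }

# Results as reported in the post, before the MTU/MSS change.
BEFORE = [(1256, "reply"), (1257, "timeout"),
          (1472, "timeout"), (1473, "too_big")]
# After the change the post reports that the 1472-byte probe answers.
AFTER = [(1472, "reply"), (1473, "too_big")]

if __name__ == "__main__":
    print("before:", analyze_sweep(BEFORE))
    print("after: ", analyze_sweep(AFTER))
```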