It's a known issue that, due to Vyatta cruft in how firewall policies are built, the initial loading of zone-based firewall policies takes a long time. The transition from Sys-V to systemd has brought with it a startup timeout of 5 minutes for vyatta-router.service:
TimeoutSec=5min
In order for this service to have time to fully come up under non-ideal conditions, e.g. zone-based firewalls and/or less powerful hardware, this value should probably be increased to 15 minutes or more:
TimeoutSec=20min
Obviously on systems with simple policies no actual time will be added to the startup process, but on others with more complex policies there will be enough time allotted to allow the service to fully start.
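One way to apply the larger value without editing the packaged unit file is a systemd drop-in. This is an added example, not part of the original report; the drop-in file name `timeout.conf` and the script name in the comments are assumptions, and 20min is the value proposed above.

```shell
#!/bin/sh
# Added example (not from the original report): override the timeout with a
# systemd drop-in so the packaged vyatta-router.service file stays untouched.
UNIT=vyatta-router.service
DROPIN=timeout.conf            # assumed file name; any *.conf is read

# write_dropin ROOT TIMEOUT -> prints the path of the file written.
# ROOT is "" on a live system, or a scratch directory for a dry run.
write_dropin() {
    root=$1 timeout=$2
    # Accept only simple spans such as 900s, 20min or 1h, so a typo is
    # caught here instead of at the next boot.
    case $timeout in
        ''|*[!0-9a-z]*|[!0-9]*) echo "bad time span: $timeout" >&2; return 1 ;;
    esac
    dir="$root/etc/systemd/system/$UNIT.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nTimeoutSec=%s\n' "$timeout" > "$dir/$DROPIN" || return 1
    printf '%s\n' "$dir/$DROPIN"
}

# apply_live TIMEOUT: write the drop-in, reload systemd, show what it parsed.
apply_live() {
    write_dropin "" "$1" || return 1
    systemctl daemon-reload || return 1
    # TimeoutSec= sets both the start and the stop timeout, so print both.
    systemctl show -p TimeoutStartUSec -p TimeoutStopUSec "$UNIT"
}

# Run as root: sh raise-timeout.sh apply 20min
if [ "${1:-}" = apply ]; then
    apply_live "${2:-20min}"
fi
```

Because `TimeoutSec=` also lengthens the stop timeout, use `TimeoutStartSec=` in the drop-in instead if only startup should be given more time.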