
SSL VPN (remote access) slow speeds

Hello folks.

Currently my team is reporting slow download and upload speeds far under our ISP internet plan. I've been trying to diagnose it, but everything I try doesn't seem to have any positive or negative effect.

Here are my current settings. I wasn't sure what I should black out, so I kinda went crazy...which hopefully doesn't hinder someone's ability to help.

Beyond these SSL VPN settings, is there anything else I can setup to get the full ISP bandwidth for my users?



  • What is your current throughput, how do you measure it and what do you expect to have? 

  • Currently we have a 75Mbps symmetrical fibre internet connection. But users are only seeing half that (on a good day) or in many cases 1/4th that. I've tested with only me logged into the VPN and the issue is the same, so it doesn't seem to be an issue with too many users logged on at one given time.

    As far as measuring it, I measure it by trying to download data off our file server behind the same network and Sophos firewall.

  • Are your tests wired or via WiFi?

    Have you narrowed it down to VPN? E.g. you get full download speeds from the same server to a machine inside the firewall? Do you have the ability to test speeds from outside of the firewall but not with VPN? How are those speeds, and what kind of packet loss or jitter are you seeing, if any?

    Has something changed? I.e. was it working at expected speeds in the past, but then something changed in the firewall (new SFOS), the clients (new OS, new VPN client), or elsewhere?

  • My tests are both over WiFi and a Wired connection.


    I have narrowed it down to VPN. When I try using the internet connection natively (so not over a VPN connection) it works as expected. I've run a speedtest and got 90Mbps down and 89Mbps up on a symmetrical fibre connection of 75Mbps. So actually better than what I'm paying for. Ping was 3ms, and I'm not seeing any packet loss.

    Nothing has changed as far as settings or what not. I mean I do the Sophos XG OS updates when I need to and all of that, but it's always been like this. It's just now I'm getting around to fixing it...lol. But It's always been like this, no SFOS or other update has made it better or worse that I can tell.

  • I don't know VPN well enough to help beyond this. Sounds like you truly have narrowed it down to VPN.

    Do you have any DOS settings? I saw a posting where someone had DOS enabled and exempting the VPN range made a big improvement.

  • Are you using Sophos Connect? How old are the configs? 

    There are some improvements to the throughput in V18.5 MR2 as well. 

    What you can check as well: Get a PSCP (SCP tool) and download something big from the firewall directly (not a server). 

    First check the space via df -h 

    XGS136_XN01_SFOS 19.0.0 EAP1-Build244# df -h
    Filesystem Size Used Available Use% Mounted on
    none 613.9M 1.6M 567.6M 0% /
    none 3.9G 36.0K 3.9G 0% /dev
    none 3.9G 19.9M 3.9G 1% /tmp
    none 3.9G 14.7M 3.9G 0% /dev/shm
    /dev/boot 127.7M 33.2M 91.8M 27% /boot
    /dev/mapper/mountconf
    560.3M 72.4M 483.9M 13% /conf
    /dev/content 5.6G 644.8M 5.0G 11% /content
    /dev/var 41.3G 15.3G 25.9G 37% /var

    Check for /tmp/ 

    Then upload a file via SCP to the firewall /tmp/ 

    Check the throughput. Then download the same file from the /tmp/.

    If this test is acceptable, it could be an issue in the network after the firewall. 

  • Most users are still on the older Sophos VPN client, but I did recently get everyone to update their VPN config files like a week or 2 ago now. Users on mobile use OpenVPN on both iOS and Android, and they too had to update the config for that.

    I'm running the latest SFOS.

    As for the test you recommended I try: sorry to sound like a novice, but how exactly am I to run that? Do I need to connect to the firewall via command line? I just want to make sure I understand so I can give that a shot, as it is a good thing to try.

  • SCP is a protocol. You can access the firewall's /tmp/ directory via SCP and upload/download data. 

    https://support.sophos.com/support/s/article/KB-000037007?language=en_US For example. 

    So you can upload data to the firewall and also download it. It would show if this is an acceptable speed and indicate an OpenVPN problem or an issue with your network / resources behind the firewall. 

  • In particular, SCP uses the credentials that you've set up for SSH access to your firewall. So if you do have SSH credentials set up, SCP will magically work. If not, you'll need to set them up. And allow (perhaps only temporarily) SSH access from WAN if you're testing from outside of the firewall.

  • I read the link you sent and attempted to SSH into my firewall and run the packet capture. It seemed to do something, but honestly I'm still a little bit confused and don't think I really got anything out of it...which is probably my fault. Is there anything else I can try? Maybe I need to make an exception rule or something to allow a better data pass through via VPN? Maybe I should just call Sophos support and let them figure it out... lol

  • Have you checked that you are not using Denial of Service (DoS) settings that might affect the VPN? This is designed to limit fast traffic and is quite tricky to use.

  • I checked my DoS settings and it seems like all of them are off?  

  • Agreed, it looks like DOS isn't the problem. Just wanted to confirm, since you hadn't specifically mentioned having checked it.

    I'm not sure which SSH comment you were referring to. Just wanted to make sure that my comment was only that in order for SCP to work -- i.e. for you to copy files directly to/from your firewall to test true network speeds, you need to have SSH set up, which it sounds like you do.

    If I understand your testing, you've been inside the firewall and from your machine used Speed Test (or something like that) and you get the expected upload/download speeds to an external server. But if you are outside of the firewall and use the VPN and download files from one of your servers inside the firewall, you get slow speeds. Presumably, when your users report slow VPN speeds, they are doing something similar: from outside the firewall they're accessing resources inside the firewall.

    Is it possible to run a speed test equivalent (say a wget or curl) from the server you tested your VPN with, connecting to something outside of your firewall? I.e. try to eliminate internal (non-VPN) traffic problems to/from that server from the outside world. It's possible that you've got internal issues that are really only seen by external machines and the only time you access internal machines externally is via VPN.

    Also, what VPN client are you using? I use OpenVPN and you can click on the icon in the upper right to view the logs. Are there any weird things happening in the logs?

    This shouldn't make a difference, but have you tried TCP? Your original screen capture shows you're using UDP. As it says, UDP could be faster, but it seems to me if you try TCP temporarily and it makes a difference that's a major clue as to what might be wrong. If you try it and nothing different happens, oh well.

    Also, have you tried the Enable Debug Mode (bottom of your original screen capture) checkbox to see if you get any extra information?
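The two measurements suggested in this thread (an SCP upload and download against the firewall's /tmp/, and a wget/curl download run from the internal server to somewhere outside the firewall) are easy to do by hand but hard to compare unless the numbers are reduced to the same unit. The script below is an added example written for this thread, not something from the original posts or from Sophos. It assumes the firewall is reachable at a hostname you pass in, that SSH/SCP is enabled on port 22 for the admin user as the KB article describes, and that dd, scp, curl and awk exist on the client; the 75 Mbps plan figure and the 80%/40% verdict thresholds are constructed defaults, not values from the page.

```shell
#!/bin/sh
# Added example for the SCP and curl throughput checks suggested in the thread.
# Assumptions (not from the page): firewall SSH on port 22, user "admin",
# test file of 100 MiB, and a plan of 75 Mbps for the verdict.
set -u

# Convert transferred bytes and elapsed seconds into megabits per second.
# A zero elapsed time (transfer finished within one second) yields "n/a"
# rather than a division by zero; use a bigger file in that case.
throughput_mbps() {
    awk -v b="$1" -v s="$2" 'BEGIN {
        if (s <= 0) { print "n/a"; exit }
        printf "%.1f\n", (b * 8) / s / 1000000
    }'
}

# Classify a measured rate against the plan: >= 80% ok, >= 40% degraded, else bad.
rate_verdict() {
    awk -v m="$1" -v p="$2" 'BEGIN {
        if (m >= p * 0.8) print "ok"
        else if (m >= p * 0.4) print "degraded"
        else print "bad"
    }'
}

# Run a command and print the elapsed whole seconds (date +%s is POSIX).
timed() {
    start=$(date +%s)
    "$@" || return 1
    end=$(date +%s)
    echo $((end - start))
}

# Upload a random file to the firewall's /tmp/ and download it again, as the
# thread suggests, printing both rates. Random data keeps any VPN-layer
# compression from inflating the numbers.
scp_roundtrip_test() {
    host=$1; user=${2:-admin}; size_mib=${3:-100}; plan=${4:-75}
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/up.bin" bs=1048576 count="$size_mib" 2>/dev/null
    bytes=$(wc -c < "$tmp/up.bin")
    up_s=$(timed scp -q -P 22 "$tmp/up.bin" "$user@$host:/tmp/vpn-speedtest.bin") || return 1
    down_s=$(timed scp -q -P 22 "$user@$host:/tmp/vpn-speedtest.bin" "$tmp/down.bin") || return 1
    up=$(throughput_mbps "$bytes" "$up_s")
    down=$(throughput_mbps "$bytes" "$down_s")
    echo "upload   $up Mbps ($(rate_verdict "$up" "$plan"))"
    echo "download $down Mbps ($(rate_verdict "$down" "$plan"))"
    rm -rf "$tmp"
}

# Run from the internal server toward an external URL: curl reports its average
# download speed in bytes per second, which throughput_mbps converts with s=1.
curl_download_mbps() {
    bps=$(curl -sS -o /dev/null -w '%{speed_download}' "$1") || return 1
    throughput_mbps "$bps" 1
}

# Usage:  sh speedtest.sh scp <firewall-host> [user] [size-MiB] [plan-Mbps]
#         sh speedtest.sh curl <external-url>
if [ "${1:-}" = "scp" ]; then
    scp_roundtrip_test "${2:?firewall host required}" "${3:-admin}" "${4:-100}" "${5:-75}"
elif [ "${1:-}" = "curl" ]; then
    curl_download_mbps "${2:?url required}"
fi
```

Run the scp mode twice, once from a machine inside the firewall and once over the SSL VPN from outside: if both land in the same band the VPN is not what is slow, while a clear drop only on the VPN run points at the tunnel (and makes the UDP/TCP and client-version experiments above worth the effort). The curl mode belongs on the file server itself, to rule out the server's own path out of the firewall.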