SSL VPN (remote access) slow speeds

Hello folks.

Currently my team is reporting slow download and upload speeds far under our ISP internet plan. I've been trying to diagnose it, but everything I try doesn't seem to have any positive or negative effect.

Here are my current settings. I wasn't sure what I should black out, so I kinda went crazy...which hopefully doesn't hinder someone's ability to help.

Beyond these SSL VPN settings, is there anything else I can set up to get the full ISP bandwidth for my users?

  • You checked that you are not using Denial of Service (DOS) settings that might affect the VPN? This is designed to limit fast traffic and is quite tricky to use.

  • I checked my DoS settings and it seems like all of them are off?  

  • Agreed, it looks like DOS isn't the problem. Just wanted to confirm, since you hadn't specifically mentioned having checked it.

    I'm not sure which SSH comment you were referring to. Just wanted to make sure that my comment was only that in order for SCP to work -- i.e. for you to copy files directly to/from your firewall to test true network speeds, you need to have SSH set up, which it sounds like you do.

    If I understand your testing, you've been inside the firewall and from your machine used Speed Test (or something like that) and you get the expected upload/download speeds to an external server. But if you are outside of the firewall and use the VPN and download files from one of your servers inside the firewall, you get slow speeds. Presumably, when your users report slow VPN speeds, they are doing something similar: from outside the firewall they're accessing resources inside the firewall.

    Is it possible to run a speed test equivalent (say a wget or curl) from the server you tested your VPN with, connecting to something outside of your firewall? I.e. try to eliminate internal (non-VPN) traffic problems to/from that server from the outside world. It's possible that you've got internal issues that are really only seen by external machines and the only time you access internal machines externally is via VPN.

    Also, what VPN client are you using? I use OpenVPN and you can click on the icon in the upper right to view the logs. Are there any weird things happening in the logs?

    This shouldn't make a difference, but have you tried TCP? Your original screen capture shows you're using UDP. As it says, UDP could be faster, but it seems to me if you try TCP temporarily and it makes a difference that's a major clue as to what might be wrong. If you try it and nothing different happens, oh well.

    Also, have you tried the Enable Debug Mode (bottom of your original screen capture) checkbox to see if you get any extra information?

  • Thanks for the long response Wayne! I'll try to answer your questions as best as I can.

    SSH is set up on our firewall, and I'm able to log into it. I run macOS so I use Terminal for SSH. I tried the SCP thing but got confused. I don't understand how I'm supposed to download a file to the actual firewall. It's very confusing to me (networking isn't my strong suit...if that isn't becoming clear lol)

    The way I run Speed Tests is I connect to the VPN, then I connect to our Windows Server machine via Remote Desktop and run it on there. This shows me the results for anything on the local network. But that really doesn't help me because the issue isn't with using the firewall locally, but over VPN. As far as running a Speed Test over VPN I'm not sure how I can do that currently. I have tunnel access turned off for the VPN as this allows our users to use their home ISP for most things they do and only use the VPN when they need something from our file servers. If I turn tunnel access on, then all traffic will be routed through the VPN and that will lead to issues. Is there a way to run a Speed Test in the way I currently have the VPN configured?

    We use a number of different VPN clients depending on the device the person is using. For Windows we use the official Sophos VPN client (the older one, not the newer one). For iOS and Android we use OpenVPN, and for macOS we use Tunnelblick.
    I have checked logs before and nothing seems out of the ordinary that I could tell.

    I have not tried TCP. A big problem with trying to fix this during business hours is that any time I make a change to the VPN everyone in the company needs to download a new VPN configuration profile.

    I've not tried enabling the debug mode, not exactly sure what that'll do if I'm being honest.
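The SCP/curl test Wayne suggested and the question just above (how to measure speed over a split tunnel, where only traffic to internal servers goes through the VPN) come down to the same measurement: time one file download from a known vantage point and express it in Mbit/s. The script below is an added example, not code from the thread or from Sophos; every URL and hostname in it is a placeholder. Run `measure_download` against an internal file server URL from a VPN client, against the same URL from a LAN host, and against an external URL from the server itself, then compare the last column.

```shell
#!/bin/sh
# Added example (not from the thread): time a single HTTP(S) download with
# curl and report the numbers needed to compare vantage points (LAN host to
# outside, VPN client to internal server, internal server to outside).
# All URLs and hostnames here are placeholders; replace them with your own.

# curl's %{speed_download} is bytes per second; convert to Mbit/s (1 decimal).
# awk does the arithmetic so this stays plain POSIX sh.
bytes_per_sec_to_mbit() {
    awk -v b="$1" 'BEGIN { printf "%.1f", b * 8 / 1000000 }'
}

# Turn the raw "-w" fields from measure_download into one CSV line:
#   bytes,name_lookup_s,connect_s,total_s,mbit_per_s
# Keeping lookup/connect time apart from total time shows whether a slow
# test is slow to start (DNS, TLS, routing) or slow throughout (bandwidth).
format_curl_stats() {
    set -- $1
    printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$4" "$(bytes_per_sec_to_mbit "$5")"
}

# Download URL to /dev/null and print the formatted result.
# -s silent, -S still show errors, -L follow redirects; --max-time bounds the test.
measure_download() {
    raw=$(curl -sSL -o /dev/null --max-time 120 \
        -w '%{size_download} %{time_namelookup} %{time_connect} %{time_total} %{speed_download}' \
        "$1") || return 1
    format_curl_stats "$raw"
}

# Usage (placeholder URLs):
#   measure_download http://fileserver.corp.example/testfile.bin   # from a VPN client
#   measure_download https://speed.example.net/100MB.bin           # from the server outward
# Repeat each run a few times; compare the mbit_per_s column across vantage points.
```

Use a file of at least a few tens of megabytes so the transfer lasts several seconds, and run the same URL from each location. If the VPN-client run shows normal lookup and connect times but a low Mbit/s figure, the bottleneck is sustained throughput on the tunnel; if lookup or connect is where the time goes, the problem is at connection setup rather than bandwidth.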

  • Just to make sure, all VPN clients are experiencing the issue? A variety of hardware and a variety of clients begins to eliminate clients as an issue. It could still boil down to your client VPN configuration which might cause them to negotiate a connection that's slow for some reason, of course.

    I hear you on switching to TCP throwing everyone off. I have not used the Debug Mode, but the documentation says it records more stuff in the VPN Log. Not sure what that means.

    Just to make sure, when you say "checked the logs" you are talking about the VPN client logs, not the Sophos logs. I think mine show various start-up configuration negotiations so I was thinking if any unexpected settings are seen it could trigger some thought.

    OK, so you're doing a split VPN. Not sure if that might give someone who really knows this stuff a clue. I always avoid split: work VPNs force you to VPN-only, and my personal use is to enhance my on-the-road security by routing all traffic through the firewall. (I actually can't access anything behind the firewall from the VPN, just the WAN.)

  • All clients are experiencing the issue, yes!
    I've checked the logs of some of the clients and also the Sophos firewall as well. Nothing seemed odd.

    Yes I'm running in split. I'd actually prefer it not to be that way, but my company makes mobile game apps and as such everyone at the company plays games and watches YouTube and forgets the VPN is on. So when we had it running with split off, we found that people would be downloading Steam game updates and playing online and doing a bunch of tasks like that. It became a massive issue with bandwidth so we turned on split to fix that (which it has). I can't recall if the VPN was faster before we turned split on...it's been on for the better part of 2 years now...if not longer.

  • I don't know enough to know if a split setup could lead to some weirdnesses like DNS lookups going to the internet first, timing out, then going to the VPN (or something) that could cause certain delays. That would seem to only occur at key instantiation times and then transfers would run rapidly. But I feel like the split might be an issue that might not have been noticed immediately -- since you went from TONS of traffic to way less.

    VPN is fast enough for me, though I'm usually speed-limited by the ISP where I'm coming from, and that's way slower than my ISP, so it's hard to say if it's fast or slow: it's always slower than the speed I know my XGS sees immediately upstream and downstream, and therefore the speed I have from inside the firewall.

    On another note, I can VPN from inside my firewall to my firewall -- set it up with that permission to test setups. Then again, that's tunneled, not split so I don't know how well that would work for you. But just trying to say if you could VPN in from a location where you know that the bandwidth/reliability is there, it would be interesting to compare to what users are experiencing.