UTM 9 & slow upload speeds

IE: Is there nothing left I should check on the firewall?  

Have you tried to disable IPS (then reboot or restart the httpd service)?

Yes.  Seen that in a post.  
- no QOS implemented
- the SSL/VPN users group (definition) is not part of the IPS.  (creating exceptions for does nothing of course)
- when downloading the IP is not mentioned in the firewall or IPS logs
- there is only one WAN interface defined (IE:  VPN, internet, etc go through the one WAN link)

Ironically we have a offsite backup site we use which can do 100Mbps and does no problem. Downloading from the internet has great speeds. 

So I'm a bit perplexed why this cap on the upload speed.  But I was brought into this setup 3 months ago with no prior IT admin.  The only thing I did not try was adding the SSL users group to the Advanced Threat Protection exception.  But this would imply that I see this in the logs, which I do not.

Can I assume that if I did a ssh / test internet speed that rules out all config issues in the GUI?   (the SSH download from the firewall bypasses all rules/IPS, etc.)

Open up a ssh session then run top while performing a speed test that usually results in slow throughput.  Observe which process (if any) has high cpu load.

Yep, done that.  It was just postgres (SQL), the same as usual.  

The only real test I didn't do was bypass the firewall all together.  I did call the ISP today to verify if they were not limiting VPN or a specific WAN IP, etc.  Obviously they were of no help, understood.  My assumption for this post was that by testing internet speed through SSH that it bypassed all rules and protection of the firewall?

That would be one of the first things to try so you can rule the UTM in or out first. I haven't heard about anything bypassing the firewall like SSH before.  

I didn't see it in your posts at all - is this a Sophos hardware appliance or do you have a different hardware device? If it is your own computer, what is the NIC you have installed?  (Please don't say Realtek, lol).

The setup is dual/redundant SG330.  The outside interface would be the ISP equipment and the inside is the Cisco network.

dual/redundant = HA mode, yes?  I would really try a connection not behind the UTM to make sure it's not your ISP.  They have been known to do stupid things like this.

Hi John and welcome to the UTM Community!

I like to set up the SSL VPN using UDP instead of TCP, but that's not practical for you at this point.

If you don't have a load balancer or other device between you and the ISP connection, try configuring an IPsec (L2TP/IPsec or pure IPsec) connection - any better throughput with that?

I suspect that you will find something in the SSL VPN log, but with that many users, you might need to access in the middle of the night to be able to see the problem.

If you haven't already done so, you will want to open a case with Sophos Support.  Since first level is usually from India, they should easily be able to do an SSL VPN session at 3 AM your time.

Cheers - Bob