Users are seeing intermittent network performance issues

Users are in the office connected via an IPsec VPN or any other VPN full tunnel, backhauling Internet traffic to headquarters.

WSS Agent is on active mode and connected to WSS.

When the WSS Agent is disabled or removed. The network performance problem is resolved.

WSS Agent

Third-party VPN 

The intermittent performance problem is caused due to encapsulating the data twice (2).

The third-party IPsec tunnel acts as a full tunnel VPN, and when adding the WSS Agent (active mode) VPN client on top. It creates a condition called double encapsulation.

While this type of setup works, it can cause slow performance, therefore, slowdowns are expected.

Symantec recommends forcing the WSS Agent to go in a passive state when running an active corporate VPN full tunnel.

Users connected to a local area network (in the office) can be protected through a location-based such as an on-premises proxy, IPsec tunnel to WSS, or explicit security solution.

See WSS Agent Connection Concepts: VPN Client Compatibility.

Note: A backhauled topology transports traffic between a remote site and the Internet via a centralized backbone, such as the headquarters of an organization.

It is not optimal to backhaul web traffic from long distances. Backhauling web traffic can create latency issues and slow down web page loading times. It is better to direct web traffic along the most direct route possible.

If backhauling is needed, the best configuration is to use a dedicated high-speed connection with low latency and high bandwidth. This will help ensure that web traffic is directed along the most direct route and reduce latency issues. Additionally, it is important to use a reliable and secure connection to protect web traffic from malicious attacks.