WSS Agent intermittent network performance when connected through full tunnel VPN



Article ID: 233923


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are seeing intermittent network performance issues: 

  • Users are in the office connected via an IPsec VPN or any other VPN full tunnel configuration (backhauling traffic to headquarters)
  • WSS Agent (WSSA) is in "Active" mode and connected to the Cloud SWG (WSS) service
  • When the WSS Agent is disabled, then the network performance problem is resolved

Environment

WSS Agent

Third-party VPN client

Cause

The intermittent performance problem is caused by the data being encapsulated twice.

When the VPN client is configured for "Full tunnel" mode and the WSS Agent is in "Active" mode, the WSS Agent traffic is encapsulated a second time inside the VPN tunnel, a condition called double encapsulation.

This causes slow performance through TCP meltdown (the "tunnel in tunnel" problem).
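The following is an added illustration, not code from this article or from Broadcom: a small round-based Python model of why a TCP flow carried inside a reliable tunnel slows down. It compares a datagram tunnel (loss is seen and repaired by the inner TCP alone, usually through fast retransmit) with a reliable tunnel that retransmits and delivers in order, so that the inner TCP sees no acknowledgement until the tunnel has recovered, times out spuriously, collapses its window and pushes duplicate copies into the tunnel. The RTT, the two RTO values, the initial window and the loss pattern are all constructed assumptions chosen to make the effect visible.

```python
"""Toy round-based model of the 'TCP meltdown' (tunnel-in-tunnel) effect.

Constructed illustration, not code from the KB article or from Broadcom.
All parameters (RTT, RTO values, loss pattern, initial window) are
assumptions chosen so the effect is visible in a few rounds.
"""

RTT = 0.1        # round-trip time of the physical path, seconds (assumed)
INNER_RTO = 0.2  # retransmission timeout of the user's TCP flow (assumed)
OUTER_RTO = 0.2  # retransmission timeout of a reliable tunnel layer (assumed)


def simulate(total_segments, loss_set, reliable_tunnel, rtt=RTT,
             inner_rto=INNER_RTO, outer_rto=OUTER_RTO, init_cwnd=4):
    """Push `total_segments` inner-TCP segments through one tunnel.

    loss_set        -- indices of segments the physical path drops on their
                       first transmission (constructed input)
    reliable_tunnel -- False: datagram tunnel, loss is seen by the inner TCP
                       True:  reliable tunnel that retransmits and delivers
                              in order (the second TCP-like layer)
    Returns (elapsed_seconds, segments_put_on_the_wire, inner_tcp_timeouts).
    Each loop iteration is one round: the inner TCP sends `cwnd` segments
    and waits for their acknowledgements.
    """
    t = 0.0
    wire = 0
    timeouts = 0
    cwnd = init_cwnd
    nxt = 0
    while nxt < total_segments:
        batch = list(range(nxt, min(nxt + cwnd, total_segments)))
        wire += len(batch)
        lost = [s for s in batch if s in loss_set]
        if not lost:
            t += rtt
            cwnd += 1                 # window grows one segment per clean round
        elif not reliable_tunnel:
            wire += len(lost)         # inner TCP resends only what was lost
            if batch[-1] - lost[0] >= 3:
                # Later segments still arrived, so three duplicate ACKs
                # trigger fast retransmit: one RTT to learn, one to resend.
                t += 2 * rtt
                cwnd = max(cwnd // 2, 1)
            else:
                t += inner_rto + rtt  # not enough dup ACKs: wait for the RTO
                cwnd = 1
                timeouts += 1
        else:
            wire += len(lost)         # the tunnel itself resends the lost segments
            # The tunnel delivers in order, so every later segment of the
            # batch is held back until the tunnel's own RTO-driven
            # retransmission succeeds; the inner TCP sees no ACK meanwhile.
            recovery = outer_rto + rtt
            t += recovery
            if recovery > inner_rto:
                # Inner timer fired first: spurious timeout. The inner TCP
                # collapses its window to one segment and pushes a duplicate
                # into the tunnel, which dutifully carries it as well.
                timeouts += 1
                wire += 1
                cwnd = 1
            else:
                cwnd = max(cwnd // 2, 1)
        nxt = batch[-1] + 1
    return t, wire, timeouts


if __name__ == "__main__":
    LOSSES = {0, 9}  # constructed: two drops during a 20-segment transfer
    for name, reliable in (("datagram tunnel", False),
                           ("TCP inside a reliable tunnel", True)):
        secs, wire, to = simulate(20, LOSSES, reliable)
        print(f"{name:30s} time={secs:.2f}s wire_segments={wire} "
              f"inner_timeouts={to}")
```

With the constructed parameters the datagram tunnel finishes the 20 segments in 0.9 s with 22 segments on the wire and no inner timeouts, while the same losses under a reliable tunnel take 1.2 s, put 24 segments on the wire and trigger two inner timeouts. The model is deliberately coarse (stop-and-go rounds, a single fast-retransmit rule, one duplicate per spurious timeout); real stacks behave worse under sustained loss because the collapsed window and the spurious duplicates feed each other, which is the behaviour the article describes as TCP meltdown.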

Resolution

Broadcom recommends forcing the WSS Agent into a "Passive" state when it runs alongside an active VPN client that is configured for "Full tunnel".

Users connected to a local area network (in the office) can be protected through a fixed-location Access Method such as an on-premises proxy, IPsec tunnel to WSS, or Explicit Proxy security solution.

See WSS Agent Connection Concepts: VPN Client Compatibility.

Additional Information

Note: A backhauled topology transports traffic between a remote site and the Internet via a centralized backbone, such as the headquarters of an organization.

It is not optimal to backhaul web traffic from long distances. Backhauling web traffic can create latency issues and slow down web page loading times. It is better to direct web traffic along the most direct route possible.

If backhauling is needed, the best configuration is to use a dedicated high-speed connection with low latency and high bandwidth. This will help ensure that web traffic is directed along the most direct route and reduce latency issues. Additionally, it is important to use a reliable and secure connection to protect web traffic from malicious attacks.