Secure Client will ALWAYS attempt a TLS connection first.  Once the TLS connection is up it will then concurrently attempt to form a DTLS connection and change over.  If the DTLS connection fails, it will stay using the TLS connection. This way the user is guaranteed to get a client VPN connection.   The questoin is then - what is causing the DTLS connection to fail.  What kind of CPE are you connection from behind of?  Have you checked them for firmware updates?   What happens if you use a different internet connection, such as mobile? ... View more

On an MX65 that I used as a spoke on the corporate SD-WAN with split tunnelling, I got 100Mb/s throughput to the datacentre, but 250Mb/s to the internet.  Therefore I'd expect you'd get 300Mb/s over the VPN and 500Mb/s to the internet...  I can't test now as I have moved and only have an 80Mb/s connection... 🙄 ... View more