Cisco 4431 Ipsec throughput question?

ChrisD72
Level 1

Hi 

We have a 4431 running as a VPN head end and have roughly 700x users connecting concurrently. 

I'm having difficulty understanding what the IPSEC throughput should be and how to measure it?

The router has the HSEC and throughput licences and shows 1000Mbps for the throughput command. In the diagram below you can see that clients terminate on the 'outside' interface and then access internal resources and the internet (via proxy) via the 'inside' interface. These are physical Gig ints with a VRF for the inside and outside. 

Understand that as we are effectively tromboning the traffic there is really only 500Mbps for user bandwidth but with 700x users connected it hits around 200Mbps max when I run the 'sh plat hard qfp act datapath util'

I can see that the hsec and throughput licences are installed and enabled with 'sh lic feat'

Q1 - I understand real world throughput on a 4431 is about 900Mbps but should I be seeing more than 200Mbps going through?

Q2 - is there an accurate way of displaying the ipsec throughput on the router?

[diagram: vpn.jpg]

7 Replies

Joseph W. Doherty
Hall of Fame
What's the CPU performance history look like?

Assuming you're not maxing out the CPU, it might be the nature of your 700, or so, VPN users, only can obtain/need 200 Mbps. (Also keep in mind, a] lots of variables obtaining high bandwidth on any kind of WAN [see LFNs], b] other variables when dealing with Internet and c] more variables when dealing with IPSec and some form of tunneling [most due to IP fragmentation].)

 

CPU never goes above 20%

It's certainly not the nature of the users as they are constantly complaining about performance, there is no split tunnel so all traffic goes over the VPN tunnel.

If router's CPU doesn't exceed 20%, then likely the bottleneck isn't the router.

Again, lots of variables impact performance, more than just available bandwidth. Across WAN, a very important variable is latency. Unfortunately, not much you can do about distance based latency, except perhaps avoiding it, in some cases, with local side caching.

Another important variable, when using TCP, is a properly sized receive window. Too small, TCP won't take advantage of all the available bandwidth. Too big, TCP can burst over end-to-end capacity resulting in many drops, which often can degrade the throughput so much, path bandwidth utilization will be under utilized.

In your topology, you also have two FWs and a proxy that might be issues too.

Hello,

 

post the full running configuration of your 4331, maybe we can spot something...

 

I'll have to edit the config to hide data as it's a govt customer so need to be careful around disclosing info.

 

I'm more concerned that a new Windows RRAS solution is being put in using SSTP on the basis this will solve all the issues, and I'm worried that the issue isn't with the 4431 so it won't be resolved.

 

Q - Is there a way of displaying the IPSEC throughput or bandwidth usage? Even if it's just a real time display / command.

Q - Am I correct in thinking that this router with these licences should be capable of 1Gbps IPSEC throughput, and if so, is that shared across the interfaces so that the inside and outside interfaces will effectively handle 500Mbps each, or have 1Gbps each?

 

"Q - Is there a way of displaying the IPSEC throughput or bandwidth usage? even if it's just a real time display / command."

Show interface will show average bandwidth usage, in and out, over the interface's load-interval (which defaults to 5 minutes, but can be set as low as 30 seconds). SNMP monitoring can poll usage to much smaller intervals.

"Q - Am I correct in thinking that this router with these licences should be capable of 1Gbps IPSEC throughput and if so is that shared across the interfaces so that the inside and outside interfaces will effectively handle 500Mbps each or have 1Gbps each?"

That or a tad less. I recall (?) some 3rd party performance tests, on the 4K series of ISRs showed some that could not provide 100% of router's rated maximum capacity for IP when using IPSec, but loss wasn't much.

I understand performance cap is an aggregate of all traffic passing through router. I.e. if, for example, the gig limit should allow an aggregate maximum of gig across active egress ports; such as 400 and 600 Mbps egress on two ports or 200, 300 and 500 Mbps egress on three ports, etc. (What I'm not sure is whether the aggregate can be higher for all ingress, or egress, if something like port ACLs is dropping some of that traffic. I suspect higher might be allowed for ingress but not egress.)
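To put numbers on the counter-based measurement this reply describes (SNMP polling of the interface octet counters, or the load-interval averages from 'show interface') and on the "aggregate across egress ports" view of the 1 Gbps cap, here is an added worked example that is not part of the thread. The interface names, counter values, 30-second poll interval and the 1000 Mbps licensed figure are all constructed for illustration; the tromboned VPN traffic shows up as ingress on one interface and egress on the other.

```python
"""Per-interface and aggregate throughput from two snapshots of interface
octet counters (what an SNMP poller reads from ifHCInOctets/ifHCOutOctets).
Added example: names, counter values and the 1000 Mbps figure are constructed."""

COUNTER_BITS = 64  # ifHCInOctets / ifHCOutOctets are 64-bit counters


def rate_bps(prev, cur, interval_s, counter_bits=COUNTER_BITS):
    """Bits per second between two counter samples, tolerating one wrap."""
    if interval_s <= 0:
        raise ValueError("poll interval must be positive")
    delta = (cur - prev) % (1 << counter_bits)  # modular delta survives a wrap
    return delta * 8 / interval_s


def interface_rates(t0, t1, interval_s):
    """t0, t1: {ifname: (in_octets, out_octets)} -> {ifname: (in_bps, out_bps)}."""
    return {
        name: (rate_bps(t0[name][0], t1[name][0], interval_s),
               rate_bps(t0[name][1], t1[name][1], interval_s))
        for name in t0
    }


def aggregate_egress_mbps(rates):
    """Sum of output rates over all interfaces, in Mbps (aggregate egress view)."""
    return sum(out_bps for _, out_bps in rates.values()) / 1e6


def headroom_pct(aggregate_mbps, licensed_mbps=1000):
    """Percentage of the licensed aggregate still unused."""
    return 100.0 * (licensed_mbps - aggregate_mbps) / licensed_mbps


# Constructed 30-second samples: Gi0/0/0 = outside (encrypted, toward the VPN
# clients), Gi0/0/1 = inside (clear text, toward proxy and internal resources).
SAMPLE_T0 = {"Gi0/0/0": (10**12, 2 * 10**12),
             "Gi0/0/1": (5 * 10**11, 7 * 10**11)}
SAMPLE_T1 = {"Gi0/0/0": (10**12 + 375_000_000, 2 * 10**12 + 750_000_000),
             "Gi0/0/1": (5 * 10**11 + 750_000_000, 7 * 10**11 + 375_000_000)}

if __name__ == "__main__":
    rates = interface_rates(SAMPLE_T0, SAMPLE_T1, 30)
    for name, (in_bps, out_bps) in rates.items():
        print(f"{name}: in {in_bps / 1e6:.1f} Mbps, out {out_bps / 1e6:.1f} Mbps")
    agg = aggregate_egress_mbps(rates)
    print(f"aggregate egress {agg:.1f} Mbps, headroom {headroom_pct(agg):.1f}%")
```

With the constructed samples the outside interface carries 100 Mbps in / 200 Mbps out and the inside interface the mirror image, so aggregate egress is 300 Mbps against the 1000 Mbps figure. Reading the same counters at a 30-second load-interval on 'show interface' should agree with the SNMP-derived numbers.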