I probably could solve all of my routing issues by using a separate VPN VM instead of cramming everything in RouterOS
@ruhrscholz I’m really starting to lean this way myself. Finding something that supports IPv4/IPv6 payloads •and• transport with good support for both RADIUS and SAML is proving to be complicated enough without trying to rely on the narrow use cases that router manufacturers have built for. The Infrastructure VPN (site-to-site and machine-to-machine) options are great. Access VPNs? Not so much.
@ghostinthenet @ruhrscholz ASA (Well, firepower with ASA image) does all that with AnyConnect for remote access. Config once, runs forever. Been my go to solution for years. I did like IVE (Juniper MAG, nowadays PulseSecure, …) but their pricing is so skewed
@kajtzu @ruhrscholz The ASAv (which still seems to be current) has been my go-to option for a few customers, but it’s a bit of an investment for something that won’t be used as anything but an access VPN concentrator. I’d •really• like to find something I can run in a container for smaller installations, but that might be asking too much.
@ghostinthenet @ruhrscholz I’m happy with physical boxes ;) The 1010 is priced very economically.
@kajtzu @ruhrscholz We just rejected the FirePower 1010 units when Cisco told us that any software upgrades would require on-site visits. (I definitely have a preference for a software solution because of this sort of nonsense.) Admittedly, those were running ASA images. Do the FDM-managed ones get around this?
@ghostinthenet @ruhrscholz I’ve stayed away from FTD/FMC. On 1010, yes, it’s possible to go to FXOS but unless you’re troubleshooting something very deeply you’re never going to be there.
@kajtzu @ruhrscholz The problem we ran into was with software upgrades. We could go into FXOS to put the new image on, but it had no network access except through the (disconnected) management interface. When we talked to Cisco about it, they told us there was no way to do this without on-site resources.
@ghostinthenet @ruhrscholz The 1010 should always be in appliance mode; some of the bigger brothers can be configured to live in platform mode, and then they work slightly differently. Anyway, stand-alone upgrade instructions are here: https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/asa-appliance-asav.html It’s really easy peasy.