I probably could solve all of my routing issues by using a separate VPN VM instead of cramming everything in RouterOS
@ruhrscholz I’m really starting to lean this way myself. Finding something that supports IPv4/IPv6 payloads •and• transport with good support for both RADIUS and SAML is proving to be complicated enough without trying to rely on the narrow use cases that router manufacturers have built for. The Infrastructure VPN (site-to-site and machine-to-machine) options are great. Access VPNs? Not so much.
@ghostinthenet @ruhrscholz ASA (Well, firepower with ASA image) does all that with AnyConnect for remote access. Config once, runs forever. Been my go to solution for years. I did like IVE (Juniper MAG, nowadays PulseSecure, …) but their pricing is so skewed
@kajtzu @ruhrscholz The ASAv (which still seems to be current) has been my go-to option for a few customers, but it’s a bit of an investment for something that won’t be used as anything but an access VPN concentrator. I’d •really• like to find something I can run in a container for smaller installations, but that might be asking too much.
@ghostinthenet @ruhrscholz I’m happy with physical boxes ;) the 1010 is priced very economically
@kajtzu @ruhrscholz We just rejected the FirePower 1010 units when Cisco told us that any software upgrades would require on-site visits. (I definitely have a preference for a software solution because of this sort of nonsense.) Admittedly, those were running ASA images. Do the FDM-managed ones get around this?
@ghostinthenet @ruhrscholz I’ve stayed away from FTD/FMC. On 1010, yes, it’s possible to go to FXOS but unless you’re troubleshooting something very deeply you’re never going to be there.
@kajtzu @ruhrscholz The problem we ran into was with software upgrades. We could go into FXOS to put the new image on, but it had no network access except through the (disconnected) management interface. When we talked to Cisco about it, they told us there was no way to do this without on-site resources.
@ghostinthenet @ruhrscholz you can upgrade from within the ASA image, I don’t think I’ve ever had to install from FXOS and I’ve used firepower since it shipped… I have a recollection that one had to do something weird in the very first version but since then nothing special
@kajtzu @ruhrscholz Hm. Will have to investigate that one further. No image showed up on disk0: from the ASA 9.16 CLI or ASDM and TAC told us it had to be done from the FXOS CLI. I suspect I’m missing a piece of this puzzle.
@ghostinthenet @ruhrscholz my European firepowers must have missed this memo completely… I have plenty to go around and they’re completely happy ;)
@kajtzu @ruhrscholz I suspect the platform vs appliance mode may be the missing piece. One would have thought the TAC rep would have considered that. (The fact that I had to tell him that the 1010 could run the ASA image natively probably should have been my first red flag.)
@ghostinthenet @ruhrscholz the ASA image on 1010 works so that the boot loader loads FXOS on boot, it initializes the hardware and whatnot, then it starts the ASA image as a separate process and the interfaces and control are handed over
@kajtzu @ruhrscholz That lines up with what I had, except no bin in the file system and no boot loader variable. I suspect platform mode.
@ghostinthenet @ruhrscholz yeah. Here is how to install it from FXOS (and I confess I’ve done it in ancient times once or twice or so or when getting a box without the ASA image and having to migrate) but not in the last… 4? 5? 6? years https://wannabecybersecurity.blogspot.com/2021/03/cisco-firepower-1010-reimage-ftd-to-asa.html the boot sequence logs also look correct