
CSA Agent without Network Shim for server agents


I recently took over the management of the CSA MC that supports all the server agents with ver 4.0.3. It has been tuned by many various people. I see that all the agents were installed "WITHOUT NETWORK SHIM".

Why? Does anyone know why the network shim wouldn't be enabled on purpose? None of the servers have local firewall apps and we only run Cisco VPN. Also, I keep getting the messages:

The Network Shim is not installed/enabled on this agent, but the rules that apply to this agent require the network shim to be enabled. Functionality will be degraded until the network shim is installed. Details Rule 1990

Would this block any of my NAC rules from not being enabled due to this?



Re: CSA Agent without Network Shim for server agents

The shim provides the following capabilities:

Port scan detection

SYN flood detection

Malformed packet protection

Disabling the network shim does not stop network access control rules from running; it only stops the system hardening features from being active.

Best practice is to use the network shim on Internet-facing servers or systems that might be targeted by the above-mentioned attacks.

It could have been installed without the network shim for a bunch of reasons. The ones I know about:

1. If you have teamed NICs on the servers there have been issues.

2. The most common reason is that the shim can conflict with other software that also uses shims, such as firewalls, VPN clients (non-Cisco), and other system agents.

Hope this helps and that others in this forum chime in with their experiences with using the shim.


Re: CSA Agent without Network Shim for server agents

Good answer, Paul.

We had problems with the McAfee VirusScan 8 TDI shim conflicting with the CSA 4.0.X shim and we ended up disabling the McAfee shim.

Cisco made the shim mandatory in 4.5 and later.

