Juniper Mist AI-Native Operations Guide

Published

2024-05-16
 ii

Juniper Networks, Inc.

1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks, service marks, registered marks, or registered service
marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Mist AI-Native Operations Guide

Copyright © 2024 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use
with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License
Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such
software, you agree to the terms and conditions of that EULA.
 iii

Table of Contents

1 Get Started with AI Ops

AI-Native Operations Overview | 2

Explainable AI | 3

Requirements | 6

AIOps in Action | 8

Explore Further | 16

2 Insights
Insights Overview | 18

Insights: Site Events | 22

Insights: Client Events | 24

Insights: Applications | 29

Meeting Insights and Meeting Details | 31

Insights: Network Servers | 35

Insights: Pre-Connection and Post-Connection | 36

Insights: Current Values | 38

3 Service Level Expectations

Service Level Expectations (SLE) | 41

Wireless SLEs Overview | 50

Time to Connect SLE | 52

Wireless Successful Connects SLE | 54

Coverage SLE | 56

Roaming SLE | 58

Wireless Throughput SLE | 59

 iv

Capacity SLE | 61

AP Health SLE | 63

Wired SLEs | 65

Wired Throughput SLE | 66

Wired Successful Connect SLE | 68

Switch Health SLE | 70

Switch Bandwidth SLE | 71

WAN SLEs | 73

WAN Edge Health SLE | 74

WAN Link Health SLE | 76

WAN Application Health SLE | 78

4 Alerts
Alerts Overview | 81

Juniper Mist Alert Types | 85

Configure Alerts and Email Notifications | 93

5 Get Started with Marvis

Marvis Virtual Network Assistant Overview | 98

Subscriptions for Marvis | 99

6 Marvis Actions
Marvis Actions Overview | 102

Subscription Requirements for Marvis Actions | 106

Layer 1 Actions | 109

Connectivity Actions | 111

AP Actions | 118

Switch Actions | 125

 v

WAN Edge Actions | 133

Data Center/Application Actions | 136

Persistent Failures | 138

Anomaly Detection Event Card | 139

7 Marvis Minis
Marvis Minis Overview | 143

What Is Marvis Minis? | 143

Software Requirements | 144

Subscriptions for Marvis Minis | 144

Marvis Minis Tests | 144

Marvis Minis Validation Frequency | 148

Marvis Actions for Marvis Minis | 150

Marvis Minis Dashboard Overview | 151

Add Custom URLs for Marvis Minis Validation | 156

Exclude VLANs from Marvis Minis Validation | 157

Disable Marvis Minis | 158

Network and Application Monitoring with Marvis Minis | 159

View the Marvis Minis Timeline in the Successful Connect SLE | 160

View Site Insights for Marvis Minis | 161

View System Events for Marvis Minis | 161

8 Conversations and Queries

Marvis Conversations and Queries Overview | 164

Marvis Conversational Assistant | 164

Marvis Query Language | 168

Troubleshoot Using Marvis Query Language | 171

Client Roaming Visualization | 178

 vi

9 Marvis Android Client

Marvis Android Client Overview | 185

Install the Marvis Android Client | 187

Requirements | 187

Before You Begin | 188

Deploy the Marvis Client Using the SOTI MDM | 189

Deploy the Marvis Client Using AirWatch or VMWare Workspace ONE | 190

Deploy Marvis Client Using Other MDMs | 191

Install Through Sideloading | 192

Verify the Installation | 194

Marvis-Zebra Integration | 195

10 Marvis App for Teams

Overview of the Marvis App for Microsoft Teams | 200

Enable or Integrate the Marvis App in Microsoft Teams | 200

Enable the Marvis App in Your Teams Environment | 201

Add the Permission Policy for the Marvis App | 202

Assign the Policy to Users | 202

Install the Marvis App in Microsoft Teams | 203

Install the Marvis App in Teams | 203

Connect to Your Mist Organization | 205

Add the Marvis App to a Microsoft Teams Channel | 209

Troubleshoot Using the Marvis App | 211

Troubleshoot a Wireless Client | 212

Troubleshoot a Wired Client | 213

Troubleshoot a Device | 213

Troubleshoot Unhappy Devices or Clients | 215

 vii

Troubleshoot a Site | 217

Search and List Functions in the Marvis App | 219

View or Change the Organization in the Marvis App | 223

11 Troubleshooting Examples
Troubleshooting Wireless Connectivity Issues | 228

Troubleshoot Specific Connectivity Issues by Using the Marvis Conversational

Assistant | 233

Troubleshoot Authorization Failures | 234

Troubleshoot DHCP Issues | 242

Troubleshoot PSK Failures | 245

Troubleshoot RADIUS Authentication Failures | 248

Troubleshoot a Device or Site by Using APIs | 251

1 CHAPTER

Get Started with AI Ops

AI-Native Operations Overview | 2

Explainable AI | 3

Requirements | 6

AIOps in Action | 8

Explore Further | 16
 2

AI-Native Operations Overview

SUMMARY IN THIS SECTION

This topic introduces the benefits of the AI-native 10-Minute Troubleshooting Video
operations features in your Juniper Mist™ portal. Demo | 2

Dashboards | 2

Marvis | 3

If your job involves troubleshooting problems, investigating user complaints, or tracking network
performance, you’ll find that all these tasks become easier with the AI-native operations (AIOps)
features in your Juniper Mist portal.

AIOps is embedded into Juniper Mist, enabling your IT operations team to stay on top of and manage all
the complexity of your distributed networks. Mist AI applies big data, analytics, and machine learning
capabilities to intelligently sift through network information to pinpoint events and recognize patterns
that indicate potential issues. Mist AI can also diagnose the root cause of an issue and recommend
action.

These features shorten the time spent on troubleshooting and empower you to take proactive actions to
ensure positive user experiences. No more guessing about the scope of an incident. No more needle-in-
a-haystack searches through log files to identify root causes. No more struggling to reproduce issues so
that you can capture packets.

10-Minute Troubleshooting Video Demo

In this demo, you see how you can use the Monitor page, Marvis actions, and the Marvis query language
for troubleshooting.

Video: 10-Minute Troubleshooting

Dashboards

With the Juniper Mist dashboards, you’ll see:

 3

• Success/failure indicators that you can interpret at a glance

• Visualizations that show exactly when and where an issue originated

• Packet captures for every incident

• Root-cause analysis

And even better, you can discover many issues before they have an impact. With the Service Level
Expectations dashboards, you can quickly spot any conditions that don’t meet your expectations. Take
action before incidents occur.

Marvis

If you have a Marvis Virtual Network Assistant subscription, you also get:

• AI-recommended actions to improve network performance and user experiences

• Conversational support with issue identification and troubleshooting

• Robust query language for more structured inquiries

• Proactive identification of potential issues

Explainable AI

SUMMARY IN THIS SECTION

Get familiar with the AI technology behind the AI Technology and Juniper Mist | 4
Juniper Mist™ features. Natural Language Processing and the Marvis
Virtual Network Assistant | 4

Mutual Information and Juniper Mist SLE

Metrics | 5

Reinforcement Learning and Juniper Mist

Radio Resource Management | 5

Decision Trees and Issue Detection | 5

 4

Keep Learning | 6

AI Technology and Juniper Mist

Here's a quick introduction to the AI technology that powers Juniper Mist.

Video:

Key concepts:

• Mutual Information

• Decision Tree

• LSTM (Long Short-Term Memory) Networks

• Reinforcement Learning

Natural Language Processing and the Marvis Virtual Network Assistant

Natural Language Processing (NLP) is used to help power your human language engagements with
Marvis (the AI engine) when asking about network health, troubleshooting, or when taking corrective
actions.

Video:

Key concepts:

• NLP

• AIOps (AI for IT Operations)

• Tokenization

• Featurization

• Sentence Encoded Vectors

• Embedding Models
 5

• Transfer Learning

Mutual Information and Juniper Mist SLE Metrics

Mutual Information is used to figure out which network features are having the most impact on the
failure or success of your SLE (Service Level Expectation) metrics and services.

Video:

Key concepts:

• Mutual Information

• Pearson Correlation

• Entropy

Reinforcement Learning and Juniper Mist Radio Resource Management

Reinforcement Learning is used to intelligently and dynamically optimize RF (Radio Frequency) in real
time for the best Wi-Fi coverage, capacity, and connectivity possible. This is a far superior approach to
the use of manual setttings or traditional fixed algorithms and is totally custom on a per site basis.

Video:

Key concepts:

• Reinforcement Learning

• Value Function

• Future Rewards

Decision Trees and Issue Detection

Decision Trees are used to identify common network issues like faulty cables, access point and switch
health, and wireless coverage. This is a form of supervised learning and can be used to isolate faults.
 6

Video:

Key concepts:

• Decision Trees

• Random Forest

• Gradient Boosting

• XGBoost

• Gini Impurity

• Information Gain

Keep Learning

To learn more, go to this resource on Juniper.net: What is explainable AI, or XAI?

Requirements

SUMMARY IN THIS SECTION

Your access depends on your role in the Juniper User Role | 6

Mist™ portal and the subscriptions that you've Subscriptions | 7
activated for your organization.

User Role

The following user roles can access monitoring information in the Juniper Mist portal:

• Super User

• Network Admin

• Observer
 7

• Helpdesk

• Super Observer

NOTE: For information about configuring user roles, see the Juniper Mist Management Guide.

Subscriptions

Your subscriptions determine the features that are available to you in the Juniper Mist portal.

• Base Subscription—With the base subscription, you can:

• View AI-native insights and easy-to-interpret graphs for site events, client events, AP events, and
more.

• Configure alerts to get notified when events happen in your Juniper Mist organization.

• With a subscription for Wireless Assurance, Wired Assurance, or WAN Assurance, you can
monitor service levels and investigate issues impacting user experiences.

• Marvis Virtual Network Assistant Subscription—With a Marvis Virtual Network Assistant

subscription, you can:

• Chat with your conversational network assistant to ask questions and troubleshoot issues.

• Submit structured queries using Marvis Query Language.

• View the Marvis Actions page, which identifies issues, presents a root cause analysis, and
recommends actions.

• Use the Marvis Windows and Android client.

• Integrate Juniper Mist with apps such as Microsoft Teams, ChatGPT, Zoom, and more.
 8

AIOps in Action

SUMMARY IN THIS SECTION

Gain a deeper understanding of AI-native operations
by exploring examples of proactive and reactive
troubleshooting with the Marvis Action dashboard,
Service Level Expectations, and the Marvis
conversational assistant.
Starting the Day with the Marvis Actions
Dashboard | 8
Troubleshooting Low Service Levels | 10
Getting Help from the Marvis Conversational
Assistant | 13

Let’s see how Oscar, an operations lead, uses the Juniper Mist portal to anticipate and respond to issues
during a typical day.

NOTE: As you read about Oscar’s experiences, you’ll get a high-level introduction to many
features in the Juniper Mist portal. You’ll get more in-depth information later in this guide.

Starting the Day with the Marvis Actions Dashboard

Oscar always starts his day by looking at the Marvis Actions dashboard. On this dashboard, Marvis
identifies actions that can improve the user experience. By following through on these
recommendations, Oscar can address issues before users report an impact.

NOTE: To find the Actions dashboard, select Marvis > Marvis Actions from the left menu of the
Juniper Mist portal.

Today Oscar notices eight issues with APs. With one click, he sees a high-level root cause analysis: five
are offline, one failed its health check, and one has a coverage hole.
 9

He clicks the Coverage Hole item. At the bottom of the page, Marvis shows him where and when the
issue occurred. Marvis also provides a recommendation to resolve the issue.

Oscar clicks to view more information. For this type of issue, Marvis displays the floorplan. Oscar sees
exactly where this AP is located. With this information, he understands the issue and the impact and can
follow through to ensure adequate coverage.
 10

Marvis Actions Video Demo

In this video demo, Marvis recommends actions for bad signal strength.

Video:

Troubleshooting Low Service Levels

Next, Oscar turns to the Service Level dashboards. These dashboards show successes and failures for
critical factors (SLEs) that can impact user experiences.

On the Wireless dashboard, color coding draws Oscar’s attention to a low SLE for coverage. On the left
side, he sees the overall success rate for each service level. Coverage has only a 67 percent success rate.
On the right side of the page, Oscar sees a high-level root cause analysis (on the right). Of the
unsuccessful user experiences, 90 percent are due to weak signal.
 11

Oscar clicks to take a closer look. On the Root Cause Analysis page, he clicks Weak Signal to view more
information. He can see that 77 percent of users and 88 percent of APs are having signal issues.
 12

By using the tabs in the lower half of the screen, Oscar can get a complete view of the scope of impact:

• Timeline—When did the issues occur?

• Distribution—Where in the network did the issues occur?

• Affected Items—Which users, devices, and applications were involved?

• Location—Where are the floorplan did the issues occur?

SLEs Video Demo

This video demo shows how to troubleshoot low SLEs for WAN issues.

Video:
 13

Getting Help from the Marvis Conversational Assistant

After lunch, Oscar bumps into a colleague, Roberta, who mentions that she had a bad Microsoft Teams
call that morning. Oscar decides to get help from Marvis by using the chat feature. He clicks the Marvis
icon at the bottom left corner of the screen.

In the pop-up window, he enters: troubleshoot teams.

As Marvis asks guiding questions and Oscar replies, Marvis provides a list of recent Teams calls.
 14

Oscar clicks a call to view additional information.

Marvis shows that there was an issue on the Wired network. From here, Oscar can click to view
additional information.
 15

Marvis Conversational Assistant Video Demo

In this video demo, Marvis helps to troubleshoot an issue with Microsoft Teams.

Video:

NOTE: You also can enter structured queries by using the Marvis Query Language. For more
information, see "Marvis Query Language" on page 168.
 16

Explore Further

SUMMARY

Explore additional information to understand the full scope of features available to you through the
Monitor and Marvis menus in the Juniper Mist™ portal.

Now that you've learned a bit about AI Ops, start exploring the Monitor and Marvis menus and
dashboards in the Juniper Mist™ portal.

• Service Levels—To get started with Service Levels, see:

• "Insights Overview" on page 18

• "Service Level Expectations (SLE)" on page 41

• Alerts—To get started with Alerts, see "Alerts Overview" on page 81.

• Marvis—To get started with Marvis, see: "Marvis Virtual Network Assistant Overview" on page 98.
2 CHAPTER

Insights

Insights Overview | 18

Insights: Site Events | 22

Insights: Client Events | 24

Insights: Applications | 29

Meeting Insights and Meeting Details | 31

Insights: Network Servers | 35

Insights: Pre-Connection and Post-Connection | 36

Insights: Current Values | 38

 18

Insights Overview

SUMMARY IN THIS SECTION

Get familiar with the major features of the Insights What Data Are Used for Insights? | 18
dashboard. Finding the Insights Dashboard | 19

Selecting the Context and Time Period | 19

Refresh Button | 20

Map Image | 20

Insights Timeline | 21

Using the Insights Dashboard | 21

The Insights page provides useful information about current conditions. Use this information to correct
issues, make changes, and ensure a good network experience for your users.

What Data Are Used for Insights?

• Telemetry data from:

• Juniper wired switche

• Edge devices supported by Juniper Mist WAN Assuranc

• Juniper Mist Edge device

• Time to connect data from wireless client

• Coverage, roaming, and throughput data from access points

• Throughput data for network applications.

• Dwell time and other location data from Bluetooth Low Energy (BLE) tags

Use these insights to correct issues, make changes, and ensure a good network experience for your
users.
 19

Finding the Insights Dashboard

To view the Insights dashboard, select Monitor > Service Levels from the left menu of the Juniper Mist
portal. Then click the Insights button at the top of the Monitor page.

Selecting the Context and Time Period

At the top of the Monitor page, click the Site drop-down arrow to see the context options. You can
select an entire site or a single device or client.

Click the Today drop-down menu to select a time period, such the last 60 minutes, the last 7 days, or a
date range.
 20

NOTE: The Monitor page displays data as recent as the past 60 minutes or as far back as the last
7 days. If you purchase a Premium Analytics subscription, you can access up to 3 years' worth of
wireless network insights and other data. To access the information available through your
Premium Analytics subscription, select Analytics > Premium Analytics from the left menu of the
portal.

Refresh Button

To see the latest available data, click the Refresh button at the top-right corner of the Insights page.

Map Image

The image at the top of the page represents the physical location of the selected site or device
(depending on the selected context).

• If you selected a site, the map shows the geographic location of the site.

• If you selected an access point, the map shows the AP on the site floorplan.

NOTE: If you have not set up a floorplan for your site, the map will be blank. You'll see a grey
block with the site name overlayed in white text.
 21

Insights Timeline

Directly below the map, the timeline shows the data rate across the selected time period. You can drag
your mouse across the graph to select a time period to zoom in on. Other sections of the dashboard
refresh to show the data for the zoomed-in area of the timeline.

NOTE: The timeline selection doesn't affect the Current Values section of the dashboard. This
section always shows current data.

Using the Insights Dashboard

For help using the various sections of the Insights dashboard, explore the other topics in this chapter.
 22

Insights: Site Events

SUMMARY IN THIS SECTION

Investigate issues affecting site-assigned APs and Selecting the Site Event Types | 23
RADIUS, DHCP, and DNS servers. Viewing Additional Information | 23

You can use the Insights dashboard to view Site Events.

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button. To get started with the Insights dashboard,
see "Insights Overview" on page 18.

Site Events appears on the Insights dashboard when a site or access point is selected from the context
menu at the top of the Monitor page.
 23

Selecting the Site Event Types

To select the events to include, click the settings button at the top-right corner of the Site Events
section.

In the Site Filter pop-up window, select or clear the check boxes to show or hide the events based on
their status: Resolved or Acknowledged.

Viewing Additional Information

The Site Events list provides access to more information. Click an event to see a summary on the right
side of the page, as shown in the following example.

The summary includes these features:

• Device Link—For events involving APs, the device name appears in the summary with a hyperlink.
Click the link to go to the Access Points page.

• Details Link—Click Details to view full event details. The Events page lists the impacted devices and
the contributing events. For certain events, an impact map might be available as well.

Here's an example of the event details page for a DHCP server event.
 24

Insights: Client Events

SUMMARY IN THIS SECTION

Investigate issues affecting wireless clients, such as Selecting the Client Event Types | 25
cell phones and laptop computers. Viewing Additional Information | 29

You can use the Insights dashboard to view Client Events.

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button. To get started with the Insights dashboard,
see "Insights Overview" on page 18.
 25

Client Events appears on the Insights dashboard when a site, AP, or client is selected from the context
menu at the top of the Monitor page.

Selecting the Client Event Types

To select the event types to include, click the settings button at the top-right corner of the Client Events
section.

In the Event Filter pop-up window, select or clear the check boxes to show or hide the events. Click OK
to save your settings.
26

Table 1: Client Event Types
Positive Client Events
• 11r Association
• 11r FBT Success
• 11r Reassociation
• 11r Roam
• Association
• Authentication
• Authorization & Association
• Authorization & Reassociation
• Client Joined Call
• Client Left Call
• DHCP Success
• DHCPv6 Success
• DNS Success
• Gateway ARP Success
• MAC Auth Success
• NAC Client Access Allowed
• NAC Client Certificate
Validation Success
• NAC IDP Authentication
Success
• NAC IDP Group Lookup Success
• NAC IDP User Lookup Success
• NAC MDM Lookup Success
Neutral Client Events
• 802.11 Auth Denied
• AP Deauthentication
• Exclude Client Inactivity
• Client Deauthentication
• Client Roamed Away
• DHCP Inform Timed Out
• Disassociation
• Exclude Client Leaving BSS
• Local Support Page
• Portal Redirection Processed
• SA Query Timed Out
27
Negative Client Events
• 11r Auth Failure
• 11r FBT Failure
• 11r Key Lookup Failure
• AirWatch Failure: Not Enrolled
• ARP Timed Out
• Association Failure
• Authorization Failure
• Bad IP Assigned
• Blocked: Policy Lookup Failure
• Blocked: Repeated
Authorization Failure
• Blocked: Static DNS Address
• Blocked: Static IP Address
• Client Disconnected From Call
• DHCP Denied
• DHCP Terminated
• DHCP Timed Out
• DHCPv6 Denied
• DHCPv6 Terminated
• DHCPv6 Timed Out
• DNS Failure
• Excessive ARPing
 28

Table 1: Client Event Types (Continued)

Positive Client Events Neutral Client Events Negative Client Events

• NAC Server Certificate • Gateway ARP Timeout

Validation Success
• Gateway Spoofing
• OKC Association
• MAC Auth Failure
• OKC Reassociation
• NAC Client Access Denied
• OKC Roam
• NAC Client Certificate Expired
• PMKC Association
• NAC Client Certificate
• PMKC Reassociation Validation Failure

• Portal Auth Success • NAC IDP Admin Config Failure

• Portal Redirection In Progress • NAC IDP Authentication Failure

• Reassociation • NAC IDP Group Lookup Failure

• NAC IDP Lookup Failure

• NAC IDP Unknown

• NAC IDP Unreachable

• NAC IDP User Lookup Failure

• NAC MDM Lookup Failure

• NAC Server Certificate

Validation Failure

• OKC Auth Failure

• Portal Auth Failure

• Radius DAS Notify

• SAE Auth Failure

 29

Viewing Additional Information

The Client Events list provides access to more information. Click an event to see a summary on the right
side of the page, as shown in the following example.

The summary includes these features:

• Client and AP Hyperlinks—Click a hyperlink to view more information. If you click the Client
hyperlink, the Insights page will reload, showing only the events for that client. If you click the AP
link, you'll go to the Access Points page for the selected AP.

• Packet Capture—Juniper APs have a built-in packet buffer. For certain events such as authorization
failures, Juniper Mist keeps the buffer information and makes it available as a dynamic packet
capture. Click Download Packet Capture to save the file. You can then open the file and analyze the
details.

Insights: Applications

SUMMARY

Investigate issues affecting applications.

You can use the Insights dashboard to view information about issues affecting applications.
 30

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button.

The Applications block appears on the Insights dashboard when a site, access point, client, or WAN Edge
is selected from the context menu at the top of the Monitor page.

As shown in this example, you'll see the name of each application along with details about the bytes
sent and received, and the number of clients for each application.

To view more information, click the number of clients. In the pop-up window, you'lll see the name, MAC
address, and other details for each client.
 31

Meeting Insights and Meeting Details

IN THIS SECTION

Context | 31

Meeting Insights | 32

Meeting Details | 33

Shapley Feature Ranking Example | 34

You can use the Insights dashboard to view information about Zoom and Microsoft Teams meetings.

NOTE:

• This feature is in Beta release.

• To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button. To get started with the Insights
dashboard, see "Insights Overview" on page 18.

Context

Meeting Insights and Meeting Details appear on the Insights dashboard when a client is selected from
the context menu at the top of the Monitor page.
 32

NOTE: You also can view Meeting Insights (but not Meeting Details) when a site is selected as
the context.

Meeting Insights

This section shows graphs for latency, packet loss, jitter, call metrics, CPU usage, and feedback.

If you hover your mouse over a point on a graph, details appear in a pop-up message or in a line of text
below the graph (depending on the type of graph).

The graphs are synchronized so that all graphs show the details for the selected point. In the example
below, the mouse pointer is hovering over a point on the Packet Loss graph. All graphs show details for
that same point.
 33

Meeting Details

Meeting Details appears only when a client is selected as the context.

NOTE: If you're viewing Meeting Insights with a site as the context, you can go to the Client
Insights page by clicking the View Clients link.

After you select a client, the Insights page reloads with that client as the context. You can then
scroll down to see the Meeting Insights and Meeting Details for the selected client.

Details include the meeting ID, join and leave time, and quality ratings for audio, video, and screenshare.
 34

In the Actions column, you can:

• Troubleshoot—If you have a Marvis subscription, you can click the ellipsis button to get
troubleshooting help from the Marvis Conversational Assistant.

• View the Shapley Feature Ranking—A carat ^ icon appears if a user reports a bad experience. Click
the ^ icon to view the Shapley Feature Ranking.

Shapley Feature Ranking Example

This example shows how you can use Shapley feature ranking to discover the root causes of poor user
experiences. In this example, WAN has the largest latency as compared to Client or Wireless.
 35

You can click the down-arrow to expand the WAN section, as shown below. Now you can see which
factors contributed to the high latency for WAN. The Site WAN Download Capacity was the major
issue.

Insights: Network Servers

SUMMARY

Investigate issues affecting network servers.

You can use the Insights dashboard to view information about issues affecting network servers,
including RADIUS, DHCP, and DNS servers.

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button.

Site Events appears on the Insights dashboard when a site is selected from the context menu at the top
of the Monitor page.
 36

Use the tabs at the top of the Network Servers section to select the type of server: RADIUS, DHCP, or
DNS.

As shown in this example, you'll see a list of servers and the number of successful and failed attempts.
Use this information to identify overused servers and servers with a high number of failures. You can
then adjust server allocation to improve user experiences.

Insights: Pre-Connection and Post-Connection

SUMMARY

See pre- and post-connection data to gain insight into network issues.

You can use the Insights dashboard to view pre-connection and post-connection data.
 37

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button.

The Pre- and Post-connection blocks both appear on the Insights dashboard when a site or client is
selected from the context menu at the top of the Monitor page. The Post-connection block also appears
when an access point is selected.

As shown in this example, this section of the Insights dashboard presents several graphs.
 38

These blocks include:

• Pre-Connection—This block includes graphs for DNS latency and DHCP latency. These latency
numbers reflect how quickly a wireless client connects to the wireless network.

• Post-Connection—The first graph shows the associated clients. The other graph shows the number of
bytes transmitted and received. Together these two graphs give you a picture of network attachment
and performance.

To see more detail, click the pop-out button

(

) in the graph title.

Insights: Current Values

SUMMARY

Get a snapshot of the various elements affecting current user experiences on your network.

You can use the Insights dashboard to view current data for the selected site, client, or device.

NOTE: To find the Insights dashboard, select Monitor > Service Levels from the left menu of the
Juniper Mist portal, and then click the Insights button.

Current Properties always appear on the Insights dashboard. The context determines which properties
you see. For example, when you select a site from the context menu, you'll see Current Site Properties,
Current WLANs, and more. When you select a switch, you'll see Current Switch Properties.
39
3 CHAPTER

Service Level Expectations

Service Level Expectations (SLE) | 41

Wireless SLEs Overview | 50

Wired SLEs | 65

WAN SLEs | 73
 41

Service Level Expectations (SLE)

SUMMARY IN THIS SECTION

Get familiar with the Service Level Expectations What Are Service Level Expectations
(SLEs) and the SLE dashboard. (SLEs)? | 41

Finding the SLE Dashboard | 42

Selecting the Context and Time Period | 42

Using the System Changes Timeline | 44

Setting the SLE Thresholds | 45

Adjusting the SLE Display Options | 46

Understanding the SLE Blocks | 46

Sample SLE Block | 48

Viewing the Root Cause Analysis Page | 48

What Are Service Level Expectations (SLEs)?

The following video gives you a quick, high-level introduction to SLEs.

Video:

Juniper Mist™ captures, analyzes, correlates, and classifies event and performance data from your
network and devices. It then provides you with an assessment of the quality of users' experiences on
your network.

Many factors contribute to positive or negative user experiences. Juniper Mist organizes these factors
into Service Level Expectations (SLEs). You can set the SLE thresholds to define exactly what "success"
means for SLEs such as throughput, capacity, AP health, switch health, and more (as relevant to your
network).

When user experiences fail to meet your SLE success thresholds, Juniper Mist identifies the root cause
of each poor experience and provides complete details so that you can address the issues.

By skimming the SLE dashboard, you can see at a glance which service levels are low and what types of
issues need to be addressed.
 42

Finding the SLE Dashboard

To access an SLE dashboard, select Monitor > Service Levels from the left menu of the Juniper Mist
portal. Then use the buttons at the top of the page to select the dashboard that you want to view (such
as Wireless, Wired, WAN, Location, and Insights).

NOTE: Your subscriptions determine which buttons appear (for example, you need a Juniper Mist
Wi-Fi Assurance subscription for Wireless SLEs).

Selecting the Context and Time Period

At the top of the Monitor page, select the context, which can be an entire organization, an access point,
or a client. In addition, select a time period, such the last 60 minutes, the last 7 days, or a date range.

NOTE: The Monitor page displays data as recent as the past 60 minutes or as far back as the last
7 days. If you purchase a Premium Analytics subscription, you can access up to 3 years' worth of
wireless network insights and other data. To access the information available through your
Premium Analytics subscription, select Analytics > Premium Analytics from the left menu of the
portal.

Context Example: Organization

To compare the performance of all sites in your organization, select Entire Org as the context.
 43

Use the filter buttons above the table to change the view:

• Overall Service—This is the default view when you select Entire Org as the context. You can compare
the overall user experience at each site.

• SLE filter buttons—Zoom in on a single SLE by using the SLE buttons above the table. The button
options vary, depending on which page you're on (Wireless, WAN, and so on).

You also have the option to view All Sites or the Worst 100 Sites. For the Worst 100 option, also use the
drop-down list to select the SLE that you're concerned about. For example, if you're troubleshooting an
issue with capacity, you'd select that option from the drop-down list to see which sites are having the
most issues with this SLE.

NOTE: The available SLEs for the filter buttons and the Worst 100 drop-down list vary,
depending on whether you're looking at Wireless, Wired, or WAN SLEs.

Context Example: Site

To compare all SLEs for one site, select the site as the context.

NOTE: This image shows a Wireless example, but the SLE blocks are set up the same way for
Wired, WAN, and so on.
 44

Using the System Changes Timeline

When investigating issues, your first question might be, "Did anything change on the network?" With
this timeline, you can see at a glance if any system changes occurred and how many users or clients
were active at the time.

The triangles below the timeline represent various types of system changes:

• Yellow triangle—AP Health

• Green triangle—Radio Management (RRM)

• Blue triangle—Admin Actions

You can adjust the timeline settings to specify the types of changes to include. To get started, click the
timeline settings button:

In the System Changes window, select or deselect check boxes for each event that you want to include
or exclude.
 45

Setting the SLE Thresholds

Each SLE has a success threshold. For the Time to Connect SLE, for example, you might set a threshold
of 2 seconds. This means that you consider your network successful when users can send and receive
data over the Internet within 2 seconds of attempting to associate with an access point.

To view or modify the SLE thresholds, you can click the Settings button on the right side of the SLE
dashboard.

In the Customize Service Levels window, you can modify the thresholds as needed to ensure that the
SLE settings meet your goals for your network.
 46

NOTE: This example shows the wireless SLEs. Depending on the dashboard that you're viewing,
you'll see different SLEs in this window.

Adjusting the SLE Display Options

You can adjust the SLE dashboard display as follows:

• Show success rates or values.

• Include all WLANs or hide excluded WLANs.

Understanding the SLE Blocks

Each SLE is represented by a separate block (sub-section) on the dashboard.

 47

In each block, you'll see:

• Overall Service Level. On the left side of each SLE block, you'll see the overall service level for the
selected site and time period.

• Click Success Rate to see the percentage of user experiences that met the SLE success threshold.

• Click Values to see the number of user experiences that met the SLE success threshold.

• Timeline. In the middle of each SLE block, you can explore the timeline. As your mouse moves across
the timeline, information appears under it.

• Click Success Rate to see the percentage of successful user experiences at the selected point in
time.

• Click Values to see the number of successful user experiences at the selected point in time.

• Classifiers. On the right side of each SLE block, you see the classifiers for the user experiences that
didn't meet the SLE success threshold. Juniper Mist attributes each unsuccessful user experience to
one classifier. Together, the classifiers give you a high-level root cause analysis of the unsuccessful
user experiences.

• Click Success Rate to see the percentage of unsuccessful user experiences that were caused by
each classifier.

NOTE: Together, these individual percentages total 100 percent of the unsuccessful user
experiences.

• Click Values to see the number of unsuccessful user experiences that were caused by each
classifier.

NOTE: Together, these individual values represent the total number of unsuccessful user
experiences.
 48

Sample SLE Block

In this example, the Success Rate button is selected, so you see percentages instead of values.

• On the left, you see that the overall success rate for the selected site and time period was 88
percent.

• In the middle, the timeline caption shows that the mouse is hovering over 24-Jun 5:30 am - 5:40 am.
At that point, the success rate was 88 percent.

On the right, you see that 75 percent of the SLE-lowering issues occurred in the Association process
and 25 percent occurred in the DHCP process. Together, these classifiers account for 100 percent of
the user experiences that failed to meet the threshold. The other classifiers show 0 percent, meaning
that they did not have any impact on this SLE.

Viewing the Root Cause Analysis Page

From the dashboard, you can click any SLE or classifier to go to the Root Cause Analysis page.

This example shows the Root Cause Analysis page for the wireless Time to Connect SLE.
 49

Tips:

• At the top of the page, you see the data for all classifiers and their sub-classifiers (if applicable).

• In the lower part of the page, you see additional details about the selected item. Depending on the
classifier, you might see signal strength information, a list of affect devices and clients, or other
information. These details help you to understand the scope of the issues.

• On the Affected Items page, you can use the Filter box to search for an item. As shown in the
animation below, simply start typing in the box, and matching items will appear in a drop-down list.
Then click the item that you want to view.
 50

Wireless SLEs Overview

SUMMARY IN THIS SECTION

Get started using the wireless service-level Time to Connect SLE | 52

experience (SLE) dashboard to assess the service Wireless Successful Connects SLE | 54
levels for user-impacting factors such as throughput,
signal strength, roaming, and more. Coverage SLE | 56

Roaming SLE | 58

Wireless Throughput SLE | 59

Capacity SLE | 61

AP Health SLE | 63
 51

Finding the Wireless SLEs Dashboard

Select Monitor > Service Levels from the left menu of the Juniper Mist™ portal, and then select the
Wireless button.

NOTE: Your subscriptions determine which buttons appear (for example, you need a Juniper Mist
Wi-Fi Assurance subscription for Wireless SLEs).

Wireless SLEs Video Deep Dive

Watch this 37-minute video to explore Wireless SLEs in depth.

Video:

Using the Wireless SLEs Dashboard

For help interpreting the wireless SLEs and classifiers, explore the other Wireless SLE topics in this
chapter.
 52

Time to Connect SLE

SUMMARY IN THIS SECTION

Use the Time to Connect SLE to assess your users' What Does the Time to Connect SLE
experience connecting to the Internet through your Measure? | 52
wireless network. Classifiers | 53

Time to Connect is one of the wireless Service-Level Expectations (SLEs) that you can track on the
Wireless SLEs dashboard.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Time to Connect SLE Measure?

Time to Connect is the number of seconds that elapse between the point when a client sends an
association packet and the moment when the client can successfully move data.

You can click the Settings button (above the SLE blocks) to set the number of seconds to use as the
success threshold for this SLE.
 53

Classifiers

When the Time to Connect threshold is not met, Juniper Mist sorts the issues into classifiers. The
classifiers appear on the right side of the SLE block. In this example, 86 percent of the issues were
attributed to Association and 14 percent to DHCP. (See the classifier descriptions below the example.)

• Authorization—The time to go past the authentication state was more than 2 sigma from the average
authentication latency for this site.

• Association—The time to go past the association state was more than 2 sigma from the average
association latency for this site.

• Internet Services —The time to access external networks was more than 2 sigma from the moving
average for this site.

• DHCP—(DCHP timeouts) The time to connect to Dynamic Host Configuration Protocol (DHCP) was
more than 2 sigma from the average time for fully completed successful connections for this site.

Sub-Classifiers for DHCP:

 54

• Stuck

• Nack

• Unresponsive

Wireless Successful Connects SLE

SUMMARY IN THIS SECTION

Use the Wireless Successful Connects SLE to assess What Does the Wireless Successful
your users' experiences connecting to your wireless Connects SLE Measure? | 54
network. Classifiers | 55

Successful Connects is one of the wireless Service-Level Expectations (SLEs) that you can track on the
Wireless SLEs dashboard.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Wireless Successful Connects SLE Measure?

Juniper Mist tracks the success or failure of authorization, association, DHCP, ARP, and DNS attempts.
These connection attempts include initially connecting to the network, roaming from one AP to another,
and ongoing connectivity.

You don't need to set up a threshold for this SLE. It's assumed that you want 100 percent successful
connects.
 55

Classifiers

When connection attempts fail, Juniper Mist sorts the issues into classifiers. The classifiers appear on
the right side of the SLE block. In this example, 92 percent of issues happened during the DHCP
process. Another 7 percent failed during authorization, and 1 percent failed during association. No
issues (0 percent) were attributed to the other classifiers. (See the classifier descriptions below the
example.)

• Association—The connection failed during the association process.

• Authorization—The connection failed during the authorization process.

• DHCP—The connection failed during the DHCP process (DCHP timeouts).

The DHCP classifier has four sub-classifiers:

• Renew Unresponsive

• Nack

• Incomplete

• Discover Unresponsive

• ARP—The client experienced one of these problems:

• ARP failure for the default gateway during the initial connection

• ARP gateway failures after the initial connection or roam

• DNS—The client experienced DNS failures during or after the connection process.
 56

Coverage SLE

SUMMARY IN THIS SECTION

Use the Coverage SLE to assess your users' What Does the Coverage SLE
experiences with signal strength. Measure? | 56

Classifiers | 57

Coverage is one of the wireless Service-Level Expectations (SLEs) that you can track on the Wireless
SLEs dashboard.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Coverage SLE Measure?

Juniper Mist tracks active clients' Received Signal Strength Indicator (RSSI), as measured by the access
point. Use this SLE to determine if you have enough access points.

You can click the Settings button to set the RSSI level that you want to use as the success threshold for
this SLE.
 57

Classifiers

When the RSSI threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers appear
on the right side of the SLE block. In this example, 36 percent of issues were attributed to Weak Signal,
1 percent to Asymmetry Downlink, and 63 percent to Asymmetry Uplink. (See the classifier descriptions
below the example.)

• Weak Signal—Clients received a weak signal due to other factors.

• Asymmetry Downlink—Clients received a weak signal due to asymmetric downlink transmission

strength between the AP and a client device. (The traffic going from the AP to the client is called
downlink traffic.)

• Asymmetry Uplink—Clients received a weak signal due to asymmetric uplink strength between the
AP and the client device. (Uplink traffic is the traffic going from the client to the AP, and then to the
Internet.) Asymmetry can occur for various reasons, such as clients being too far from the AP.
 58

Roaming SLE

SUMMARY IN THIS SECTION

Use the Roaming SLE to track successful and What Does the Roaming SLE
unsuccessful roams between access points. Measure? | 58

Classifiers | 58

Roaming is one of the wireless Service-Level Expectations (SLEs) that you can track on the Monitor page
of the Juniper Mist™ portal.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Roaming SLE Measure?

Juniper Mist tracks the percentage of successful roams between access points and assigns a quality
score from 1 to 5. A score of 1 indicates excellent roaming, and a score of 5 indicates poor roaming.

You don't need to set this threshold. It's assumed that you want very good to excellent roaming, so this
threshold is automatically set to 2.

Classifiers

When the roaming threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, 8 percent of the issues were attributed to
Stability and 92 percent to Signal Quality. (See the classifier descriptions below the example.)

• Latency—Roaming time was excessive.

Latency has different sub-classifiers for different roaming options:

 59

• Slow 11r Roams—This classifier applies to fast roaming as defined by 802.11r. The roaming time
exceeded 400 ms.

• Slow Standard Roams—This classifier applies to standard roaming. The roaming time exceeded 2
seconds.

• Slow OKC Roams—This classifier applies to clients using RADIUS-based authentication with
Opportunistic Key Caching (OKC). The roaming time exceeded 2 seconds.

• Stability—This classifier tracks the consistency of AP choice and 11r usage during client roams.
Juniper Mist assigns this classifier if a user capable of fast roaming on a fast- roaming enabled SSID
experiences slow roaming for more than 2 seconds. This classifier contains one sub-classifier: Failed
to fast Roam.

• Signal Quality—This classifier tracks the RSSI of clients during a roaming event.

• • Interband Roam—This sub-classifier tracks when clients roam between bands.

• Suboptimal Roam—This sub-classifier tracks when clients roam to an AP:

• With more than 6 dBm decrease in RSSI compared to the client's RSSI in the previous AP

• If the RSSI in the new connection is worse than the configured coverage SLE threshold. Note
that the default coverage SLE threshold is 72 dBm.

• Sticky Client—This sub-classifier tracks the events when a client remains connected to an AP even
when more roaming options are available to improve the RSSI by more than 6 dBm.

Wireless Throughput SLE

SUMMARY IN THIS SECTION

Use the Throughput SLE to assess users' What Does the Wireless Throughput SLE
experiences with throughput on your wireless Measure? | 60
network. Classifiers | 60

Throughput is one of the wireless Service-Level Expectations (SLEs) that you can track on the Wireless
SLEs dashboard.
 60

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Wireless Throughput SLE Measure?

Juniper Mist calculates the estimated throughput on a per-client basis for the entire site. This calculation
is done for every client every minute. The estimator considers effects such as AP bandwidth, load,
interference events, the type of wireless device, signal strength, and wired bandwidth, to arrive at the
probabilistic throughput.

You can click the Settings button to set the success threshold for this SLE.

Classifiers

When the throughput threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, less than 1 percent of the issues were
attributed to Coverage, and more than 99 percent were due to Capacity. (See the classifier descriptions
below the example.)
 61

• Network Issues—Low throughput is primarily due to the capacity of the wired network.

• Coverage—Low throughput is primarily due to the client’s weak signal strength.

• Device Capability—Low throughput is primarily due to issues with the device capability. For example,
throughput issues can occur if a device only supports 20 MHz wide channels, one spatial stream, or a
lower version of Wi-Fi (802.11 g/802.11 n).

• Capacity—Low throughput is due either to the load on the AP or interference on the channel.

The capacity classifier has four sub-classifiers:

• High Bandwidth Utilization

• Non Wi-Fi Interference

• Excessive Client Load

• Wi-Fi Interference

You can use these sub-classifiers to analyze users and APs below the SLE goal, the timeline of failures
and system changes, and the distribution of failures. You can also analyze related network processes
that these sub-classifiers can influence.

Capacity SLE

SUMMARY IN THIS SECTION

Use the Capacity SLE to track user experiences What Does the Capacity SLE
with RF channel capacity (bandwidth) on your Measure? | 62
wireless network. Classifiers | 62

Capacity is one of the wireless Service-Level Expectations (SLEs) that you can track on the Wireless SLEs
dashboard. Understand what's measured by this SLE and what issues can contribute to a low SLE.
 62

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the Capacity SLE Measure?

Juniper Mist monitors the percentage of the total RF channel capacity that is available to clients.

You can click the Settings button to set the success threshold for this SLE. For example, you might want
20 percent of the RF channel capacity (bandwidth) to be available to clients at any time.

Classifiers

When the capacity threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, 99 percent of issues were attributed to Wi-Fi
interference. The remaining issues were due to Non WiFi Interference and Client Usage. (See the
classifier descriptions below the example.)
 63

• Non-Wi-Fi interference—Low capacity is due to non-wireless interference.

• Client Usage—Low capacity is due to a high client load.

• Wi-Fi interference—Low capacity is due to wireless interference.

• Client Count—Low capacity is due to a high number of attached clients.

AP Health SLE

SUMMARY IN THIS SECTION

Use the AP Health SLE to assess your users' What Does the AP Health SLE
experience with AP availability. Measure? | 63

Classifiers | 64

AP Health is one of the wireless Service-Level Expectations (SLEs) that you can track on the Wireless
SLEs dashboard.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

What Does the AP Health SLE Measure?

Juniper Mist tracks the percentage of time the APs are operational without rebooting or losing
connectivity to the cloud.
 64

Classifiers

When AP Health is poor, Juniper Mist sorts the issues into classifiers. The classifiers appear on the right
side of the SLE block. In this example, 66 percent of issues were attributed to Low Power, less than 1
percent to AP Disconnected, and 34 percent to Ethernet. (See the classifier descriptions below the
example.)

• Low Power—An AP received insufficient power from its Power over Ethernet (PoE) connection.

• AP Disconnected—One of these conditions occurred:

• Switch Down—Multiple APs that were connected to the same switch lost cloud connectivity.

• Site Down—All the APs on the site were unreachable.

• AP Unreachable—An AP lost cloud connectivity.

• AP Reboot—An AP rebooted.

• Ethernet—One of these conditions occurred:

• Speed Mismatch—Juniper Mist detected a speed or duplex mismatch between an upstream

device and an AP.

• Ethernet Errors—Juniper Mist detected cyclic redundancy check (CRC) errors on the Ethernet
interface of the AP.

• Network Issues—AP health is degraded by network-related issues due to round-trip time, packet loss,
and Mist Edge tunnel unreachability.

• Latency

• Jitter

• Tunnel Down
 65

Wired SLEs

SUMMARY IN THIS SECTION

Get started using the wired service-level experience Wired Throughput SLE | 66
(SLE) dashboard to assess the service levels for user- Wired Successful Connect SLE | 68
impacting factors such as throughput, connectivity,
and switch health. Switch Health SLE | 70

Switch Bandwidth SLE | 71

Juniper Mist™ cloud continuously collects network telemetry data and uses machine learning to analyze
the end-user experience. You can access this information through the Juniper Mist wired service-level
expectation (SLE) dashboards, which help you assess the network's user experience and resolve any
issues proactively. The wired SLE dashboards show the user experience of the wired clients on your
network at any given point in time. You can use these interactive dashboards to measure and manage
your network proactively by identifying any user pain points before they become too big of an issue.

Finding the Wired SLEs Dashboard

To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu of the Juniper
Mist™ portal, and then select the Wired button.

NOTE: The buttons appear only if you have the required subscriptions. For information about
these requirements, see the Juniper Mist AI-Native Operations Guide.
 66

Wired Assurance: Day 2 - Wired Service Level Expectations (SLEs) Video

Overview

Video: Wired SLE Overview

Using the Wired SLE Dashboard

For a general introduction to SLEs, see "Service Level Expectations (SLE)" on page 41.

For help interpreting the wired SLEs and classifiers, explore the other Wired SLE topics in this chapter.

Wired Throughput SLE

SUMMARY IN THIS SECTION

Use the Wired Throughput SLE to assess users' What Does the Wired Throughput SLE
experiences with throughput on your wired Measure? | 66
network. Classifiers | 67

Throughput is one of the Service-Level Expectations (SLEs) that you can track on the wired SLEs
dashboard.

NOTE: To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the Wired button.

What Does the Wired Throughput SLE Measure?

This SLE represents the ability of wired users to pass traffic without impedance.
 67

Classifiers

When the throughput threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, less than 1 percent of the issue were
attributed to Congestion Uplink, 19 percent to Interface Anomalies, 1 percent to Storm Control, and 80
percent to Congestion. (See the classifier descriptions below the example.)

• Congestion Uplink—The SLE dashboard shows high congestion uplink when:

• One of the neighbors is a switch or a router (known through LLDP).

• The port is a Spanning Tree Protocol (STP) root port.

• The uplink port has a higher number of transmitted and received packets compared to the other
ports.

• Aggregated Links. Congestion can also be caused by aggregated Ethernet links and module ports.

• Interface Anomalies—The details for interface anomalies are all obtained from the switch. The
Interface Anomalies classifier contains three sub-classifiers: MTU Mismatch, Cable Issues,
and Negotiation Failed.

• MTU Mismatch—As an administrator, you can set an MTU value for each interface. The default
value for Gigabit Ethernet interfaces is 1514 . To support jumbo frames, you must configure an
MTU value of 9216, which is the upper limit for jumbo frames on a routed virtual LAN (VLAN)
interface. It's important to ensure that the MTU value is consistent along the packet's path, as any
MTU mismatch will result in discarded or fragmented packets. In Juniper Networks switches, you
can check for MTU mismatches in the MTU Errors and Input Errors sections of the show interface
extensive command output. Each input error or MTU error contributes to a "bad user minute"
under MTU mismatch.

• Cable Issues—This sub-classifier shows the user minutes affected by faulty cables in the network.

• Negotiation Failed—Latency on ports can happen due to autonegotiation failure, duplex conflicts,
or user misconfiguration of device settings. Moreover, older devices may fail to achieve maximum
speed and could operate at a slower link speed of 100 Mbps. This sub-classifier identifies and
helps mitigate instances of bad user time caused by these issues.

• Storm Control—Storm control allows the device to monitor traffic levels and drop broadcast,
unknown unicast, and multicast packets when they exceed a set threshold or traffic level. This
threshold is known as a storm control level or storm control bandwidth. The default storm control
level is 80 percent of the combined broadcast, multicast, and unknown unicast traffic on all Layer 2
interfaces of Juniper switches. Storm control helps prevent traffic storms, but it can also potentially
 68

throttle applications or client devices. This classifier identifies these conditions and helps users
proactively mitigate throughput issues.

• Congestion—This classifier measures the number of output drops. When packets come into a switch
interface, they are placed in an input queue (buffer). When the buffer becomes full, it will start to
drop packets (TxDrops). We use a formula that takes into account the following ratios to determine if
there is a 'bad user minute' due to congestion:

• TxDrops to TxPackets—Total transmitted bytes dropped to total packets transmitted.

• Txbps to Link speed—Total bytes transmitted per second to link speed.

• RxSpeed to Link speed—Total bytes received per second to link speed.

• Network—You can use this classifier to monitor user minutes when the throughput is lower than
expected due to uplink capacity limitations. It identifies issues based on the round-trip time (RTT)
value of packets sent from the switch to the Mist cloud. The Network classifier has two sub-
classifiers that help you identify these issues:

• Latency—Displays user minutes affected by latency. The latency value is calculated based on the
average value of RTT over a period of time.

• Jitter—Displays user minutes affected by jitter. The jitter value is calculated by comparing the
standard deviation of RTT within a small period (last 5 or 10 minutes) with the overall deviation of
RTT over a longer period (day or week). You can view this information for a particular switch or
site.

Wired Successful Connect SLE

SUMMARY IN THIS SECTION

Use the Wired Successful Connect SLE to assess What Does the Wired Successful Connect
clients' experiences connecting to your wired SLE Measure? | 69
network. Classifiers | 69

Successful Connect is one of the Service-Level Expectations (SLEs) that you can track on the Wired SLEs
dashboard.
 69

NOTE: To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the Wired button.

What Does the Wired Successful Connect SLE Measure?

Juniper Mist monitors client connection attempts and identifies failures. This SLE helps you to assess the
impact of these failures and to identify the issues to address.

NOTE: This SLE will show data only if you use 802.1X on the wired network to authenticate
clients or if you have DHCP snooping configured.

Classifiers

When connection attempts are unsuccessful, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, 100 percent of the issues are attributed to
Authentication. (See the classifier descriptions below the example.)

• DHCP—Dynamic Host Configuration Protocol (DHCP) snooping enables the switch to examine the
DHCP packets and keep track of the IP-MAC address binding in the snooping table. This classifier
adds a failure event every time a client connects to a network and fails to reach the ‘bound’ state
within a minute (DCHP timeouts).

NOTE: The SLE dashboard shows DHCP failures only for those switches that have DHCP
snooping configured.

• Authentication—Each time a client authenticates , a client event is generated. These could either be
successful or failed events. This classifier helps you identify issues that caused authentication
failures. Here's a list of possible reasons for an 802.1X authentication failure:

• If a single switch port fails to authenticate, it could be due to a user error or misconfigured port.
 70

• If all switch ports fail to authenticate, it could be because:

• The switch is not added as a NAS client in the RADIUS server.

• A routing issue exists between the switch and the RADIUS server.

• The RADIUS server is down.

• If all switch ports on all the switches fail to authenticate, it could indicate a temporary failure with
the RADIUS server at that specific moment.

• If a specific type of device, such as a Windows device, fails to authenticate, it may suggest an
issue related to certifications.

Switch Health SLE

SUMMARY IN THIS SECTION

Use the Switch Health SLE to assess switch What Does the Switch Health SLE
performance and to identify user-impacting issues Measure? | 70
with switch reachability, memory, CPU, and more. Classifiers | 71

Switch Health is one of the Service-Level Expectations (SLEs) that you can track on the Wired SLEs
dashboard.

NOTE: To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the Wired button.

What Does the Switch Health SLE Measure?

Juniper Mist™ monitors your switches' operating temperatures, power consumption, CPU, and memory
usage. Monitoring switch health is crucial because issues such as high CPU usage can directly impact
 71

connected clients. For instance, if CPU utilization spikes to 100 percent, the connected APs may lose
connectivity, affecting the clients' experience.

Classifiers

When the Switch Health threshold is not met, Juniper Mist sorts the issues into classifiers. The
classifiers appear on the right side of the SLE block. In this example, 100 percent of the issues are
attributed to CPU. (See the classifier descriptions below the example.)

• CPU—The CPU usage of the switch is above 90 percent.

• Temp—The operating temperature of the switch is outside the prescribed threshold range, going
either above the maximum limit or below the minimum requirement.

• Memory—The memory utilization is above 80 percent.

• Switch Unreachable—The switch can't be accessed.

• Power—The switch is consuming over 90 percent of the available power.

Switch Bandwidth SLE

IN THIS SECTION

What Does the Switch Bandwidth SLE Measure? | 72

Classifiers | 72

Switch Bandwidth is one of the Service-Level Expectations (SLEs) that you can track on the Wired SLEs
dashboard.
 72

NOTE: To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the Wired button.

What Does the Switch Bandwidth SLE Measure?

Juniper Mist™ measures the available bandwidth on your network based on the queued packets and
dropped packets for each configured queue. The ratio between total_DropppedPackets and
total_QueuedPackets is used to determine congestion at the interface level. Thee most dropped queue
is also noted in the details for distribution/affected items . This SLE can help you to determine if you
need more wired bandwidth on your site.

You can click the Settings button (above the SLE blocks) to set the percentage to use as the success
threshold for this SLE. The percentage represents the total_DropppedPackets as a portion of
total_QueuedPackets.

Classifiers

When the Switch Bandwidth threshold is not met, Juniper Mist sorts the issues into classifiers. The
classifiers appear on the right side of the SLE block. In this example, 33 percent of the issues are
attributed to Congestion and 67% to Bandwidth Headroom. (See the classifier descriptions below the
example.)
 73

• Congestion—This classifier measures the number of output drops. When packets come into a switch
interface, they are placed in an input queue (buffer). When the buffer becomes full, it will start to
drop packets (TxDrops). We use a formula that takes into account the following ratios to determine if
there are bad user minutes due to congestion:

• TxDrops to TxPackets—Total transmitted bytes dropped to total packets transmitted.

• Txbps to Link speed—Total bytes transmitted per second to link speed.

• RxSpeed to Link speed—Total bytes received per second to link speed.

• Bandwidth Headroom—This classifier is triggered if the bandwidth usage exceeds the threshold for
this SLE.

• Congestion Uplink—The SLE dashboard shows high congestion uplink when:

• One of the neighbors is a switch or a router (known through LLDP).

• The port is a Spanning Tree Protocol (STP) root port.

• The uplink port has a higher number of transmitted and received packets compared to the other
ports.

• There is congestion due to aggregated Ethernet links and module ports.

WAN SLEs

SUMMARY IN THIS SECTION

Get started using the WAN Service-Level WAN Edge Health SLE | 74
Experiences (SLEs) dashboard to assess the service WAN Link Health SLE | 76
levels for user-impacting factors such as WAN Edge
health, WAN link health, and application health. WAN Application Health SLE | 78

Finding the WAN SLEs Dashboard

To find the WAN SLEs dashboard, select Monitor > Service Levels from the left menu of the Juniper
Mist™ portal, and then select the WAN button.
 74

NOTE: The buttons appear only if you have the required subscriptions. See "Requirements" on
page 6.

WAN Assurance Video Overview

Video:

Using the WAN SLE Dashboard

For a general introduction to SLEs, see "Service Level Expectations (SLE)" on page 41.

For help interpreting the WAN SLEs and classifiers, explore the other WAN SLE topics in this chapter.

WAN Edge Health SLE

SUMMARY IN THIS SECTION

Use the WAN Edge Health SLE to assess service What Does the WAN Edge Health SLE
levels for your WAN edge devices. Measure? | 75

Classifiers | 75

WAN Edge Health is one of the Service-Level Expectations (SLEs) that you can track on the WAN SLEs
dashboard.
 75

NOTE: To find the WAN SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the WAN button.

What Does the WAN Edge Health SLE Measure?

Juniper Mist monitors the user minutes when the health or performance of the WAN edge device is not
optimal. Suboptimal health lowers the device's ability to pass traffic, thus directly affecting any clients
connected to the device.

Juniper Mist analyzes various factors that affect WAN edge health and assigns a score. You can click the
Settings button to set the success threshold.

Classifiers

When the WAN Edge Health threshold is not met, Juniper Mist sorts the issues into classifiers. The
classifiers appear on the right side of the SLE block. In this example, 100 percent of the issues are
attributed to CPU. (See the classifier descriptions below the example.)

• • Memory—Juniper Mist triggers this classifier when the WAN edge memory utilization is above 80
percent.

• Power—Juniper Mist triggers this classifier when power consumption is above 90 percent of the
available power.

• WAN Edge Disconnected—Juniper Mist triggers this classifier when the WAN edge device
disconnects from the Juniper Mist cloud.

• Temp—Juniper Mist triggers this classifier when the operating temperature of the WAN edge
device exceeds the prescribed threshold range, either going above the maximum limit or below
the minimum requirement.
 76

• CPU—Juniper Mist triggers this sub-classifier when the CPU temperature exceeds the
prescribed threshold range.

• Chassis—Juniper Mist triggers this sub-classifier when the chassis temperature exceeds the
prescribed threshold range.

• CPU—Juniper Mist triggers this classifier when the CPU utilization is above 90 percent. When the
CPU utilization spikes on a Juniper WAN edge device, downstream devices can lose their
connectivity. Therefore, clients fail to pass traffic.

• Data Plane—Juniper Mist triggers this sub-classifier when the Data Plane CPU utilization is
above 90 percent.

• Control Plane—Juniper Mist triggers this sub-classifier when control plane CPU utilization is
above 90 percent.

WAN Link Health SLE

SUMMARY IN THIS SECTION

Use the WAN Link Health SLE to assess service What Does the WAN Link Health SLE
levels for your WAN links. Measure? | 77

Classifiers | 77

WAN Link Health is one of the Service-Level Expectations (SLEs) that you can track on the WAN SLEs
dashboard in the Juniper Mist™ portal.

NOTE: To find the WAN SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the WAN button.
 77

What Does the WAN Link Health SLE Measure?

Juniper Mist monitors the user minutes when the WAN link health meets or fails to meet the SLE
threshold. Poor WAN link health lowers the device's ability to pass traffic, thus directly affecting any
clients using that link.

You can click the Settings button to set the success threshold.

Classifiers

When the WAN Link threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, 100 percent of the issues are attributed to
Network. (See the classifier descriptions below the example.)

• Network—Network issues affected the WAN link.

The Network classifier has three sub-classifiers:

• Latency—WAN link traffic showed latency. Juniper Mist calculates latency by using the average
value of round-trip time (RTT) for traffic over a period of time.

• IPSec Tunnel Down—One of the Overlay IPsec tunnels was down.

• Jitter—The WAN link experienced jitter. Juniper Mist calculates jitter by using the variation
(standard deviation) of RTT within a period of 5 to 10 minutes for a particular WAN link. We
compare the calculated value with the average deviation of RTT over a day or a week.

• Interface—Interface issues affected the WAN link. The Interface classifier has three sub-classifiers:

• Congestion—Congestion affected the WAN link. The Congestion sub-classifier measures the
number of output packet drops. When packets enter an interface, they go in a queue for
buffering. When the buffer becomes full it starts to drop packets (TxDrops).

• Cable Issues—Faulty cables affected the WAN link.

• VPN—VPN performance issue occurred.

 78

WAN Application Health SLE

SUMMARY IN THIS SECTION

Use the WAN Application Health SLE to assess What Does the WAN Application Health
service levels for your applications. SLE Measure? | 78

Classifiers | 79

WAN Application Health is one of the Service-Level Expectations (SLEs) that you can track on the WAN
SLEs dashboard in the Juniper Mist™ portal.

NOTE: To find the WAN SLEs dashboard, select Monitor > Service Levels from the left menu of
the Juniper Mist™ portal, and then select the WAN button.

What Does the WAN Application Health SLE Measure?

Juniper Mist monitors the latency of WAN applications to identify applications that are performing sub-
optimally. This SLE can help you to understand the end users’ experiences when accessing applications.
For example, a weak network connection might give good user experiences for FTP or SMTP-based
applications, but bad user experiences for VoIP applications. The Application Health SLE will help you
identify which applications are giving you trouble.

You can click the Settings button to select the applications to include.
 79

• To remove applications from this SLE—Select the check box for each application, and then click
Remove.

• To add applications to this SLE—Click Add Application, then select the check box for the application,
and then click Add. Or click Create Custom to add another application.

Classifiers

When the Application threshold is not met, Juniper Mist sorts the issues into classifiers. The classifiers
appear on the right side of the SLE block. In this example, 100 percent of the issues are attributed to
Jitter. (See the classifier descriptions below the example.)

• Jitter—Inconsistent packet transmit times can impact users' experiences with applications, especially
real-time applications such as VoIP and video.

• Latency—Slow response time (lag) can impact users' experiences by, for example, causing web pages
to load slowly or interrupting video and audio streams.
4 CHAPTER

Alerts

Alerts Overview | 81

Juniper Mist Alert Types | 85

Configure Alerts and Email Notifications | 93

 81

Alerts Overview

SUMMARY IN THIS SECTION

Get familiar with Juniper Mist™ alerts and the Alerts What Are Alerts? | 81
dashboard in the Juniper Mist portal. Finding the Alerts Dashboard | 82

Selecting the Context and Time Period | 83

Filtering the Display | 83

What Are Alerts?

Alerts represent network and device issues that are ongoing. Juniper Mist™ categorizes them as follows:

• Infrastructure Alerts—This category includes issues that can potentially affect a large number of
clients. For example, an event during which a Domain Name System (DNS), Dynamic Host
Configuration Protocol (DHCP), or RADIUS server is unreachable can affect many clients. Similarly, if
a power supply on a switch is in alarm state, a large number of clients and a large amount of traffic
could be affected.

• Marvis Alerts—The Predictive Analytics and Correlation Engine (PACE) raises Marvis alerts for the
events that Marvis tracks. For example, if an access point (AP) regularly fails health checks, Marvis
notices and tracks this event.

• Security Alerts—Security alerts are raised by repeated events that could dramatically affect network
security. For example, if a rogue AP is detected, that represents a potential security problem and if a
client connects to a rogue AP, that could be even worse.

NOTE:

• For information about alerts, see "Juniper Mist Alert Types" on page 85.

• To enable the alerts that you want to include on the Alerts dashboard, see "Juniper Mist Alert
Types" on page 85.
 82

Finding the Alerts Dashboard

The Alerts dashboard is your alerts log. This dashboard provides information about all alerts that are
enabled on the Alerts Configuration page.

NOTE: For help configuring alerts, see "Configure Alerts and Email Notifications" on page 93.

To view the Alerts dashboard, select Monitor > Alerts from the left menu of the Juniper Mist portal.

In the following example, you can see the major elements of the Alerts dashboard.

This table includes:

• Alert—The name of the alert, along with an icon representing the severity level. For more information
about the color codes and severity levels, see the "Severity Filters" on page 84 table later in this
topic.

• Site—The name of the site where this issue occurred.

• Recurrence—The number of times that this issue occurred.

• First Seen and Last Seen—The time period when this issue occurred.

• Details—The affected component (as listed below), with a link that you can click for more details.
 83

These links include:

• Device Insights—Click the link to view the Insights page for the selected site. This page shows a
timeline of events and full details for client events, AP events, and site events. You'll also see
details for all applications.

• Marvis—Click the link to view the Marvis Actions page.

• Network Security—Click the link to view the Wireless Security page. This page shows all security
issues for each SSID. You'll see information such as the type of issue, number of affected clients,
band, channel, RSSI, and floorplan location.

• WAN Edge Details—Click the link to view the Insights page for WAN Edges at the selected site.
This page shows details for WAN Edge events, applications, application policies, WAN Edge
devices, ports, peer path stats, and more.

Selecting the Context and Time Period

At the top of the Alerts page, select the context, which can be an entire organization or a single site.
Also select a time period, such the last 60 minutes, the last 7 days, or a date range.

NOTE: The Alerts page displays data as recent as the past 60 minutes or as far back as the last 7
days. If you purchase a Premium Analytics subscription, you can access up to 3 years' worth of
wireless network insights and other data. To access the information available through your
Premium Analytics subscription, select Analytics > Premium Analytics from the left menu of the
portal.

Filtering the Display

You can apply filters to show only the alerts that you want to see.
 84

Severity Filters

Juniper Mist ranks alerts by severity. The severity buttons at the top of the Alerts page show the
number of issues for each severity level. Click a button to show only the alerts for that severity level.

Table 2: Severity Levels

Severity Color Code Recommended Action

Critical Red Take immediate action.

Warning Orange Continue monitoring if the event continues.

Informational Blue No action is required.

Filter Box

Above the list of alerts, you can use the Filter box to enter text to filter by. As you start typing, matching
alerts appear in the drop-down list. Click one of them to apply the filter.
 85

Juniper Mist Alert Types

SUMMARY IN THIS SECTION

Juniper Mist™ provides various alerts that you can Infrastructure Alerts | 85
enable to track ongoing issues. Marvis Alerts | 90

Security Alerts | 91

Infrastructure Alerts

In Juniper Mist, we present those events that don't fit neatly into the service-level experience (SLE)
model as alerts. Whereas SLEs represent events that have already happened, alerts represent network
and device issues that are ongoing. On the Monitor > Alerts dashboard, you can see three types of
alerts: Infrastructure on page 85, Marvis on page 90, and Security on page 92.

Juniper Mist categorizes alerts that potentially affect a large number of clients as infrastructure alerts.
For example, an event during which a Domain Name System (DNS), Dynamic Host Configuration
Protocol (DHCP), or RADIUS server is unreachable can affect many clients. Similarly, if a power supply
on a switch is in alarm state, a large number of clients and a large amount of traffic could be affected.

Table 3: Infrastructure Alerts by Severity

Severity Alert Name API

Only

Critical ARP Failure

NOTE: Click the pencil icon to set the threshold for this alert.

Critical DHCP Failure

NOTE: Click the pencil icon to set the threshold for this alert.

Critical DNS Failure

NOTE: Click the pencil icon to set the threshold for this alert.

Critical Mist Edge cpu usage high

 86

Table 3: Infrastructure Alerts by Severity (Continued)

Severity Alert Name API

Only

Critical Mist Edge disconnected from cloud

Critical Mist Edge disk usage high

Critical Mist Edge memory usage high

Critical Mist Edge power input disconnected

Critical Mist Edge service failed to start

Critical Mist Edge unplugged from power

Critical Virtual Chassis - Backup Member Elected

Critical Virtual Chassis - New device elected for Active Role

Critical Virtual Chassis Member Deleted

Critical Virtual Chassis Port Down

Informational ARP Recovered X

Informational BGP Neighbor State Changed

Informational BGP Neighbor Up

 87

Table 3: Infrastructure Alerts by Severity (Continued)

Severity Alert Name API

Only

Informational Critical Switch Port Up

NOTE: If you enable this alert, you also need to update the switch configuration to
identify the critical ports. To do this:

1. In your switch template, under Select Switches Configuration, select the rule for
the ports that you want to configure. (Or add a new rule.)

2. On the Port Config tab, select the port or port range that you want to configure.

3. In the settings window, select the Enable critical alerts check box.

4. Repeat these steps for all critical ports.

For more information about port configuration, see the Juniper Mist Wired Assurance
Configuration Guide.

Informational Critical WAN Edge Port Up

NOTE: If you enable this alert, you also need to update the WAN or LAN
configuration to identify the critical ports. To do this:

1. In your WAN Edge template, select the WAN or LAN configuration that you want
to update. (Or add a new configuration.)

2. Under Interface, enter the port or ports, and then select the Enable critical alerts
check box.

3. Repeat these steps for all critical ports.

For more information about WAN Edges configuration, see the Juniper Mist WAN
Assurance Configuration Guide.

Informational Device reconnected X

Informational Device restarted

Informational DHCP Recovered X

Informational DNS Recovered X

Informational HA Control Link Up X

Informational Mist Edge connected to cloud

 88

Table 3: Infrastructure Alerts by Severity (Continued)

Severity Alert Name API

Only

Informational Mist Edge cpu usage normal

Informational Mist Edge disk usage normal

Informational Mist Edge memory usage normal

Informational Mist Edge plugged to power

Informational Mist Edge power input connected

Informational Switch reconnected X

Informational Switch restarted

Informational Virtual Chassis Member Added

Informational VPN Peer Up

Informational WAN Edge BGP Neighbor Up

Informational WAN Edge reconnected x

Warning BGP Neighbor Down

Warning Critical Switch Port Down

NOTE: If you enable this alert, you also need to update the switch configuration to
identify the critical ports. To do this:

1. In your switch template, under Select Switches Configuration, select the rule for
the ports that you want to configure. (Or add a new rule.)

2. On the Port Config tab, select the port or port range that you want to configure.

3. In the settings window, select the Enable critical alerts check box.

4. Repeat these steps for all critical ports.

For more information about switch configuration, see the Juniper Mist Wired
Assurance Configuration Guide.
 89

Table 3: Infrastructure Alerts by Severity (Continued)

Severity Alert Name API

Only

Warning Critical WAN Edge Port Down

NOTE: If you enable this alert, you also need to update the WAN or LAN
configuration to identify the critical ports. To do this:

1. In your WAN Edge template, select the WAN or LAN configuration that you want
to update. (Or add a new configuration.)

2. Under Interface, enter the port or ports, and then select the Enable critical alerts
check box.

3. Repeat these steps for all critical ports.

For more information about WAN Edges configuration, see the Juniper Mist WAN
Assurance Configuration Guide.

Warning Device offline

NOTE: Click the pencil icon to set the threshold (in minutes) for this alert.

Warning HA Control Link Down

Warning Loop detected (by AP)

Warning Mist Edge service crashed

Warning Switch Bad Optics

Warning Switch BPDU Error

Warning Switch DHCP Pool Exhausted

Warning Switch offline

Warning Switch PEM Alarm

Warning Switch PoE Alarm

Warning Switch Power Supply Alarm

Warning Switch Storage Partition Alarm

 90

Table 3: Infrastructure Alerts by Severity (Continued)

Severity Alert Name API

Only

Warning Tunnel down

Warning VPN Peer Down

Warning WAN Edge BGP Neighbor Down

Warning WAN Edge DHCP Pool Exhausted

Warning WAN Edge offline x

Warning WAN Edge Source NAT Pool Threshold Exceeded

Marvis Alerts

Marvis alerts are tied into the Marvis Action Dashboard. These alerts are triggered whenever the
corresponding Marvis Action is detected in your organization. For example, if an access point (AP)
regularly fails health checks, Marvis notices and tracks this event.

The table below provides a listing of Marvis alerts, sorted by severity.

Table 4: Marvis Alerts by Severity

Severity Applies To Alert Name

Critical AP AP health check failed

Critical AP AP insufficient capacity

Critical AP AP insufficient coverage

Critical AP Bad cable

Critical AP Non-compliant

Critical AP Offline (Marvis)

 91

Critical connectivity ARP failure (Marvis)

Critical connectivity Authentication failure (Marvis)

Critical connectivity DHCP failure (Marvis)

Critical connectivity DNS failure (Marvis)

Critical WAN edge Bad cable

Critical WAN edge Bad WAN Uplink

Critical WAN edge Negotiation mismatch

Critical WAN edge VPN Path Down

Critical switch Bad cable

Critical switch Missing VLAN

Critical switch Negotiation mismatch

Critical switch Port Stuck

Critical switch Switch STP Loop

Warning switch Port flap

Security Alerts

Security alerts warn you of activities or events on the network that can cost you in terms of lost data,
unauthorized access to the network, or traffic that matches known security threats. Security alerts are
raised by repeated events that could dramatically affect network security. For example, if a rogue AP is
detected, that represents a potential security problem. If a client connects to a rogue AP, that could be
even worse.

Juniper Mist lists all security alerts except those that relate to intrusion detection and prevention (IDP)
or URL filtering on the Monitor > Alerts page. You can find IDP and URL filtering events and their
severity on the Site > WAN Edge > Secure WAN Edge IDP/URL Events page.
 92

Table 5: Security Alerts by Severity

Severity Alert Name

Critical Client Connection to rogue AP detected

Critical Rogue AP detected

Informational Air Magnet Scan detected

Informational EAP Handshake Flood detected

Warning Active Watched Station detected

Warning Adhoc Network detected

Warning BSSID Spoofing detected

Warning Disassociation Attack detected

Warning EAP Dictionary Attack detected

Warning EAP Failure Injection detected

Warning EAP Spoofed Success detected

Warning EAPOL-Logoff Attack detected

Warning ESSID Jack detected

Warning Excessive Clients detected

Warning Excessive EAPOL-Start detected

Warning Fake AP Flooding detected

Warning Honeypot SSID detected

Warning IDP attack detected

Warning Monkey Jack detected

 93

Warning Out of Sequence detected

Warning Repeated Client Authentication Failures

Warning Replay Injection detected - KRACK Attack

Warning Security Policy Violation

Warning SSID Injection detected

Warning TKIP ICV Attack

Warning URL blocked

Warning Vendor IE Missing

Warning Zero SSID Association Request detected

Configure Alerts and Email Notifications

SUMMARY

Enable the alerts that you want to see on the Alerts dashboard. Optionally, enable email notifications
for issues that you want to monitor closely.

Video Overview

This video provides an overview of the procedure for configuring alerts.

Video: Alert Configuration Overview

Procedure

To configure alerts:
 94

1. From the left menu of the Juniper Mist portal, select Monitor > Alerts.

2. Click the Alerts Configuration button near the top-right corner of the page.

3. At the top of the page, select the context and time period.
The context can be your entire organization or a single site. There are various options for the time
period, such the last 60 minutes, the last 7 days, or a date range.

4. Select the scope, email notification settings (optional) and the alerts to show on the Alerts page.

a. Select the scope.

• Entire Org—Click this button to configure the alerts for the entire organization.
 95

• Sites—Click this button to configure the alerts for one or more sites that you want to monitor
differently than the org. To identify the site(s), click the Sites button, then click the plus sign,
and then click a site. Repeat as needed to add more sites to the list.

b. (Optional) Enable email notifications for alerts that you want to monitor closely.

• In the Email Recipients Settings section, identify the people to receive the email notifications:

• To organization admins—Notifications will be sent to all admins whose permissions allow

access to the entire organization.

• To site admins—Notifications will be sent to all admins whose permissions allow access to
the sites that you identified in the scope section.

• To additional email recipients—Notifications will be sent to all email addresses that you
enter in this box. This option is useful if you want to send notifications to personnel who do
not have admin accounts for your Juniper Mist organization. To enter multiple email
addresses, separate them with commas.

• In the Alert Types section, select the Send Email Notification check boxes for the alerts that
you want to send emails for. For information about the various alerts, see "Juniper Mist Alert
Types" on page 85.

c. In the Alert Types section, select the Enable Alert check boxes for the alerts that you want to see
on the Alerts page. For information about the various alerts, see "Juniper Mist Alert Types" on
page 85.

d. If the alert has a pencil icon, click it to configure the settings.

For example, when you click the pencil icon for DNS Failure, you can set the alert threshold by
entering the number of failures and the number of clients that are impacted within the specified
period of time. In this example, the alert occurs if a server has 30 failures or 20 impacted clients
within a 10 minute period.
 96

5. After enabling all desired alerts and notifications, click Save at the top-left corner of the Alerts
Configuration page.
5 CHAPTER

Get Started with Marvis

Marvis Virtual Network Assistant Overview | 98

Subscriptions for Marvis | 99

 98

Marvis Virtual Network Assistant Overview

SUMMARY

Get familiar with the many features that are available with Marvis Virtual Network Assistant.

Marvis® Virtual Network Assistant is a virtual network assistant that streamlines network operations,
simplifies troubleshooting, and provides an enhanced user experience. With real-time network visibility,
Marvis provides a comprehensive view of your network from an organizational level to a client level with
detailed insights.

Watch this video to learn how Marvis came to be, and what Marvis offers to you.

Video:

As Mist AI monitors your network, it constantly learns from the telemetry data it collects. Marvis uses
this data to deliver better insights and automation that are customized for your network.

Mist AI collects data from wireless LAN (WLAN), LAN, and WAN domains in your network. In addition
to Juniper devices, Marvis also provides visibility into third-party switches connected to Juniper access
points (APs) through Link Layer Discovery Protocol (LLDP). Marvis can provide health statistics for third-
party switches. Examples include Power over Ethernet (PoE) compliance status, misconfigured VLANs,
and switch uptime.

Marvis proactively identifies issues, interprets the scope and magnitude of the impact, identifies the root
causes, and recommends fixes.

Here are the main components of Marvis:

• Marvis Actions—Marvis Actions is a one-stop information center that provides visibility into ongoing
site-wide network issues that affect user experience in an organization. Marvis recommends fixes
and provides insight into root causes. By default, the landing page of Marvis shows the Actions
dashboard for an organization. All super users can view the Marvis Actions dashboard. Other admin
roles can view the dashboard if they have organization-level access.

• Marvis Minis—Marvis Minis is a network digital twin that validates the network and application
services for your network. By simulating user connections, Marvis Minis quickly detects and resolves
issues before they impact users. Marvis Minis is always on and can detect issues even when clients
are not connected to the network. In addition to detecting issues, it also ascertains the overall impact
 99

of the issue—that is, whether the issue impacts an entire site, a specific switch, WLAN, VLAN, server,
or AP.

• Conversational Assistant—Marvis’s AI-based conversation interface enables you to ask questions and
get actionable insights into your network in no time. Marvis uses Natural Language Processing (NLP)
with Natural Language Understanding (NLU) to contextualize requests, which accelerates the
troubleshooting workflow. The conversational assistant provides real-time answers for your queries
related to troubleshooting and documentation.

• Marvis Client—A software agent installed on client devices such as a mobile phone or laptop to
collect the client’s parameters that help represent its network view. The Marvis Android client, along
with the Zebra wireless insights, provides enhanced telemetry and visibility into the Zebra client
experience.

• Marvis Query Language—A structured format for asking Marvis a question to get data to monitor or
troubleshoot your users’ experiences and evaluate the overall health of your network.

With additional updates in 2023, Marvis provides even more functionality, including integrations with
ChatGPT, Microsoft Teams, and Zoom. Watch this video to learn more.

Video:

Subscriptions for Marvis

To use Marvis, you must have the following active subscriptions in association with the Wireless
Assurance, WAN Assurance, or Wired Assurance base license:

• Marvis for Wired

• Marvis for WAN

• Marvis for Wireless

You’ll need an Assurance subscription and a Marvis subscription per device.

You can use Marvis Actions and the Marvis conversational assistant only if the number of Marvis
subscriptions for each type (Wired, Wireless, or WAN) is greater than 50 percent of the number of
devices of that type. The following table shows the mapping between the number of Marvis
subscriptions and the number of devices.
 100

Table 7: Sample Device/Subscriptions Mappings

Number of Devices Number of Marvis Subscriptions Subscription Type

Required

10 switches 6 or more Marvis for Wired

20 APs 11 or more Marvis for Wireless

8 WAN Edges 5 or more Marvis for WAN

NOTE: If you do not have a Marvis subscription, you can continue to use Marvis Actions and the
Marvis conversational assistant only if the total number of devices (switches, APs, and WAN
Edges) in your organization is less than or equal to 10.

For more information about subscription options, activating subscriptions, and related topics, see the
Juniper Mist Management Guide.

RELATED DOCUMENTATION

https://www.juniper.net/us/en/products/cloud-services.html
6 CHAPTER

Marvis Actions

Marvis Actions Overview | 102

Subscription Requirements for Marvis Actions | 106

Layer 1 Actions | 109

Connectivity Actions | 111

AP Actions | 118

Switch Actions | 125

WAN Edge Actions | 133

Data Center/Application Actions | 136

Persistent Failures | 138

Anomaly Detection Event Card | 139

 102

Marvis Actions Overview

SUMMARY IN THIS SECTION

Get started with Marvis Actions and get familiar with What Are Marvis Actions? | 102
the major features of the Marvis Actions dashboard. Marvis Actions Dashboard | 102

What Are Marvis Actions?

Marvis® leverages the Mist AI to identify the root cause of issues. Marvis can automatically fix issues
(self-driving mode) or recommend actions that require user intervention (driver-assist mode). The Marvis
Actions page lists the high-impact network issues that Marvis detects. Marvis Actions also displays the
recommended actions for your organization's network. Marvis Actions provides insight into issues
across the wired, WAN, and wireless networks, at the managed service provider (MSP) level,
organization level, and site level. With Marvis Actions, you can track firmware compliance on APs,
identify bad cables, locate L2 loops, detect WAN link outages, and more—all from a single page.

With real-time AI-native insight into your network, Marvis Actions enables proactive issue detection and
resolution, resulting in a significant reduction in troubleshooting effort and time.

This video provides an introduction to Marvis Actions.

Video:

Marvis Actions Dashboard

The Marvis Actions dashboard is a one-stop information center that provides visibility into ongoing site-
wide network issues that affect user experience in an organization. Super users can view Marvis
Actions. Users with other roles can view Marvis Actions if they are not assigned to any site. You can
review the information to prioritize the issues that need immediate attention.

To view the Marvis Actions dashboard, select Marvis > Marvis Actions from the left menu of the Juniper
Mist™ portal.
 103

Here’s what the Marvis Actions page looks like. You'll notice that the page displays the information
under different categories. Marvis indicates the number of issues detected for a category. For example,
in the following screenshot, you'll notice that Marvis lists 15 issues for the Connectivity category.

You can also view the issues for a site by selecting the Sites tab. The Sites tab displays a Google Maps
view of all sites and issues detected.

Detailed View of Issues and Marvis Recommended Actions

Each category has a group of actions under it. Each action can have one or multiple issues associated
with it. If Marvis does not detect any anomalies associated with an action, the action appears dimmed.

You can click a category to view the actions under that category. If you click an action, you'll see a
detailed view, which includes the issue and recommended action. Marvis provides a recommended
action for all issues.

Here’s the Marvis Actions view after drilling down into the Missing VLAN action under the Switch
category. Notice that Marvis provides the details of the site, switch, and the issue (two APs with missing
VLANs). You’ll also see that the recommended solution from Marvis is to add the VLAN configuration to
the switch configuration.
 104

You can use the View More link in the Details column to view specific details about the ports on which
the VLANs are missing. Here's an example of the page showing the port details.

Downloadable List of Issues

You can download the list of issues to a .CSV file format. The CSV file contains all the details visible on
the Actions page, including the reason for failure and the device details. You can find the download
(down arrow) icon on the upper-right corner of the Details section.

Issue Resolution
 105

After you resolve an issue, you can change the status of an issue or multiple issues. Use the STATUS
button at the bottom of the page if you want to change the status of a group of issues.

Marvis prompts you for feedback, which Mist uses internally to determine the efficacy of the action.

Latest Updates About Issues

The LATEST UPDATES section on the right of the Marvis Actions page provides a list of issues that
were resolved over the past seven days. Marvis classifies the issues under one of the following states:

• AI Validated—Lists issues (such as an AP missing a VLAN) that are no longer active. If you update the
status of an issue to Resolve, Marvis verifies that the issue is resolved and classifies the issue as AI
Validated. If you fix an issue but don’t update the status, Marvis detects that the issue is resolved and
moves it to the Latest Updates section.
 106

• Resolved—Lists automated actions (such as auto upgrade, auto RMA) or manual actions (such as
manual AP upgrade or manual RMA request) that completed successfully. Marvis classifies an issue
as Resolved only if you trigger the action from the Actions page.

• Reoccurring Issue—Lists resolved issues that are either still not resolved or have reoccurred. At times,
Marvis might find that an issue you marked as resolved is still not resolved completely. Marvis then
classifies the issue as a reoccurring issue.

You can click the download (down arrow) icon next to the Latest Updates text to download the list of
actions for your organization in CSV format. You can download either the complete list or the list for a
specific type of failure.

Subscription Requirements for Marvis Actions

SUMMARY IN THIS SECTION

Understand how your subscriptions determine the Subscription Types and Numbers | 106
actions that you'll see on the Actions dashboard. Available Actions for Your
Also get familiar with the different actions that are Subscriptions | 107
available for different subscription types (Marvis for
Wired, Marvis for Wireless, and Marvis for WAN).

Subscription Types and Numbers

Your Marvis subscriptions determine the actions that you'll see on the Actions dashboard. Be aware of
the requirements for the types of subscription and the number of subscriptions, and purchase the
subscriptions that you need for your network.
 107

• Subscription Types—Different Marvis subscriptions enable different Marvis actions. For example, you
need a Marvis for Wired subscription to see Wired actions. The actions for each type of subscription
are shown in the tables in the section of this topic.

• Subscription Numbers—You must have an adequate ratio of subscriptions to devices: The number of
subscriptions for each type (Wired, Wireless, or WAN) must be greater than 50 percent of the
number of devices of that type. For example, if you have six APs in the inventory, you must have four
or more active Marvis for Wireless subscriptions to view all the Wireless actions.

NOTE: If you are using a trial subscription type, you can view all Marvis Actions until the trial
subscription ends.

Available Actions for Your Subscriptions

Available actions vary for different subscriptions, as appropriate for the types of devices that are
associated with these subscriptions. The following tables show the available actions for each
subscription type.

Table 8: Marvis for Wired Actions

Category Marvis for Wired Actions

Connectivity Authentication Failure

DHCP Failure

Switch Negotiation Mismatch

Loop Detected

Port Flap

High CPU

Port Stuck

Traffic Anomaly
 108

Table 8: Marvis for Wired Actions (Continued)

Category Marvis for Wired Actions

Other Actions Persistently Failing Clients

Table 9: Marvis for WAN Actions

Category Marvis for WAN Actions

WAN Edge MTU Mismatch

Bad WAN Uplink

VPN Path Down

Table 10: Marvis for Wireless Actions

Category Marvis for Wireless Actions

Layer 1 Bad Cable

Connectivity Authentication Failure

DHCP Failure

ARP Failure

DNS Failure

AP Offline

Health Check Failed

Non-compliant

Coverage Hole

Insufficient Capacity

Switch Missing VLAN

 109

Table 10: Marvis for Wireless Actions (Continued)

Category Marvis for Wireless Actions

Other Actions Persistently Failing Clients

Layer 1 Actions

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve Layer 1 issues. Bad Cable | 110

When you click the Layer 1 button on the Action dashboard, all available Layer 1 actions appear.
Currently there is only one type of action for this category: bad cable.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.
 110

Bad Cable

Marvis can detect a faulty cable that is connected to an access point (AP), a switch, or a WAN Edge
device.

A faulty cable is one of the root causes of network issues, which manifest as user experience issues. It is
a difficult and time-consuming task to manually identify a faulty cable. Marvis can detect bad cables
easily by using cable data such as frame errors, link statistics, link errors, and traffic patterns.

A bad cable action indicates cable issues that APs, Switches, and WAN edge devices detect at a site. The
details section indicates if a switch, an AP, or a WAN edge device detected the issue.

For a WAN Edge detected issue, you'll need to perform the following steps:

• Ensure that the duplex setting is full duplex on both sides of the link.

• Change the cable to rule out issues due to a defective cable.

• Change the SFP and check the status.

• Change the port to rule out any NIC card issues.

• Change the Layer2 device (modem or router).

The following sample illustrates the issue:

 111

After you fix the issue, Mist AI monitors the AP, switch, or WAN edge for a certain period and ensures
that the cable issue is indeed resolved. Hence, it might take up to 24 hours for the Bad Cable action to
automatically resolve and appear in the Latest Updates section.

Video:

Connectivity Actions

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve client How Are Connectivity Failures
connectivity failures. Detected? | 112

Authentication Failure | 113

DHCP Failure | 115

 112

ARP Failure | 116

DNS Failure | 117

When you click the Connectivity button on the Actions dashboard, you'll see a list of all available
actions. You can then click an action to investigate further. Available actions are described later in this
topic.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.

How Are Connectivity Failures Detected?

Marvis uses anomaly detection or scope analysis to detect connectivity failures, as follows:

• Anomaly Detection—Marvis detects issues when they start to occur at your site, such as multiple
clients failing for the same reason. Anomalies are failures that occur across most, but not all, devices
on your site. The Details page (Anomaly Detection Event Card), which you can open with the View
More link, lists the component that probably caused the failure. For more information about anomaly
detection, see "Anomaly Detection Event Card" on page 139.

After you fix the issue, the action automatically resolves and appears in the Latest Updates section
within 24 hours.

• Scope Analysis—When the failure rate across all clients at your site is 100 percent, Marvis performs a
scope analysis on the issue to determine the root cause of such a failure. Marvis provides the details
 113

of the affected clients—MAC address, VLAN, and WLAN for which Marvis triggers the scope
anomaly. Marvis indicates the issue that needs to be fixed, whether it is a RADIUS, Domain Name
System (DNS), or Dynamic Host Configuration Protocol (DHCP) server; a WLAN; or an access point
(AP). Here is an example that shows how Marvis reports an issue based on scope analysis:

After you fix the issue, the action automatically resolves and appears in the Latest Updates section
within an hour.

Authentication Failure

The Authentication Failure action shows both 802.1x and preshared key (PSK) failures. Click the
Authentication Failures button to see the impacted devices and the recommended actions in the lower
part of the page.

NOTE: If you see a View More link in the Authentication Failure table, click the link to open the
Event Card. For more information, see "Anomaly Detection Event Card" on page 139.
 114

802.1x Failures

The 802.1x failures include the following:

• RADIUS Server Missing Events: These events are triggered when a RADIUS server at a site does not
respond to Extensible Authentication Protocol (EAP) requests. This failure to respond results in a high
number of clients failing 802.1X authentication on the wireless LAN (WLAN). Marvis might detect
failures across multiple APs broadcasting to the same 802.1x WLAN. These failures indicate that a
RADIUS server is either configured wrong or is missing from the network. In this case, you'll need to
check if the RADIUS server is online and reachable.

• RADIUS Missing AP Events: These events are triggered when clients connecting to a few APs fail to
authenticate to a WLAN that has a RADIUS server configured for EAP authentication. This RADIUS
event indicates that you have not configured these APs as network access service (NAS) clients on
the RADIUS server. You must add the missing APs to the RADIUS configuration to resolve the issue.

Here's an example that shows how Marvis Actions reports an 802.1x authentication failure. Note the
Authentication Failure Details page showing the information:

NOTE: Marvis detects authentication failures even in wired-only deployments.

 115

PSK Failures

Marvis detects PSK failures when an unusually high number of clients fail to authenticate to a PSK
WLAN due to a PSK mismatch. To resolve PSK failure errors, you'll need to verify the PSK for your
WLAN and clients. A possible cause could be a recent PSK change that was not communicated to users.

DHCP Failure

The DHCP Failure action appears when Marvis detects DHCP failures due to offline or unresponsive
DHCP servers (DCHP timeouts).

Marvis provides details about these DHCP servers, enabling you to troubleshoot and resolve the
problem quickly. When you see a DHCP Failure action, ensure that the DHCP servers are online and can
lease IP addresses.

NOTE: For wired-only deployments, you must enable DHCP snooping for Marvis to detect
DHCP failures.

If you see a View More link in the DHCP Failure table, click the link to open the Event Card. For more
information, see "Anomaly Detection Event Card" on page 139.
 116

ARP Failure

An Address Resolution Protocol (ARP) Failure action appears when an unusually large number of clients
experience issues with the ARP gateway. These issues include Gateway ARP timeout and excessive ARP.
When you see an ARP Failure action, you must verify that the gateway is online and reachable. You must
also ensure that the network is free of congestion.
 117

DNS Failure

Marvis Actions detect unresponsive DNS servers for your site if a large number of clients experience
DNS errors when using the network. If you see this action on your dashboard, you need to check that all
your DNS servers are online and reachable.
 118

NOTE: If you see a View More link in the DNS Failure table, click the link to open the Event Card.
For more information, see "Anomaly Detection Event Card" on page 139.

AP Actions

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve issues Offline | 119

affecting your access points (APs). Health Check Failed | 120

Non-Compliant | 121

Coverage Hole | 121

 119

Insufficient Capacity | 123

When you click the AP button on the Actions dashboard, you'll see a list of all available actions. You can
then click an action to investigate further. Available actions are described later in this topic.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.

Offline

Marvis detects APs that are offline due to lack of power, loss of cloud connectivity, or any other issue.
Marvis can determine the scope of Offline AP actions such as these:

• A site is down and all APs at the site have lost cloud connectivity.

• A switch is down and all APs connected to the switch have lost cloud connectivity.

• An AP is locally online (that is, the AP is heard locally but has lost cloud connectivity).

• An AP is locally offline (that is, the AP is not heard locally and has also lost cloud connectivity).

Here's an example of an Offline action where Marvis identifies three APs that are offline:
 120

Health Check Failed

Marvis reports health check failures when it detects potential hardware or software issues.

Marvis shows the Health Check Failed action for these types of issues:

• Issues that cannot be debugged, meaning that the AP needs to be replaced.

• A software issue that a newer firmware resolves. You can use the Upgrade button to upgrade the
firmware directly from this page.

NOTE: After you fix the hardware or software issue, Mist AI monitors the AP for a certain period
and ensures that it is operating normally. Hence, it might take up to 24 hours for the Health
Check Failed action to automatically resolve and appear in the Latest Updates section.

In this example, Marvis identifies an AP that failed the periodic health checks and needs to be replaced.
 121

Non-Compliant

Marvis monitors the firmware version running on all the APs at a site. The Non-Compliant action flags
APs running a firmware version that is older than the version running on the other APs of the same
model at the site. You can upgrade the APs from the Marvis Actions page without having to visit the
site.

After you upgrade the APs to the proper version, the Non-Compliant action automatically resolves and
appears in the Latest Updates section within 30 minutes.

Coverage Hole

The Coverage Hole action detects coverage issues at your site and provides a floor plan visual indicating
the APs experiencing these issues. You can use this visual representation to locate areas with low
coverage and make necessary improvements such as adding APs, upgrading AP models, changing the
placement of existing APs, or increasing the power output of existing APs.
 122

NOTE: You need to have a floor plan already set up in Location Live View to take advantage of
the Coverage Hole visibility.

In the following example, Marvis pinpoints a site that is facing frequent coverage issues:

Here’s the floor plan visual showing the affected AP (highlighted):

 123

After you fix the issue in your network, Mist AI monitors the network for a certain period and ensures
that the coverage is sufficient for the network. Hence, it might take up to 24 hours for the Coverage
Hole action to automatically resolve and appear in the Latest Updates section.

Insufficient Capacity

The Insufficient Capacity action detects capacity issues related to an abnormal increase in an AP’s
utilization. This action usually occurs when client traffic peaks significantly. Marvis provides a floor plan
visual indicating the APs experiencing capacity issues. You can use this visual representation to find the
affected APs and make design improvements.

NOTE: You need to have a floor plan already set up in Location Live View to take advantage of
the Insufficient Capacity visibility.
 124

Here’s the floor plan visual showing the affected AP (highlighted):

 125

Switch Actions

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve issues Missing VLAN | 126

affecting your switches. Negotiation Mismatch | 127

Loop Detected | 128

Port Flap | 129

High CPU | 131

Port Stuck | 131

Traffic Anomaly | 132

When you click the Switch button on the Actions dashboard, you'll see a list of all available actions. You
can then click an action to investigate further. Available actions are described later in this topic.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.
 126

Missing VLAN

The Missing VLAN action indicates that a VLAN is configured on an AP but not on the switch port. As a
result, clients are unable to communicate on a specific VLAN and are also unable to get an IP address
from the DHCP server. Marvis compares the VLAN on the AP traffic with the VLAN on the switch port
traffic and determines which device is missing the VLAN configuration.

In the following example, Marvis identifies two APs that do not see any incoming traffic due to a missing
VLAN configuration. Marvis also identifies the specific switches that are missing the VLAN configuration
and provides the port information, thereby enabling you to mitigate this issue with ease.

NOTE: If you need more information, you also can use the left menu to go to the Switches page.
There, click on the switch to view the information for each port, including VLANs.
 127

After you fix the issue in your network, Mist AI monitors the switch for a certain period and ensures that
the missing VLAN issue is indeed resolved. Hence, it might take up to 30 minutes for the Missing VLAN
action to automatically resolve and appear in the Latest Updates section.

For more information about the Missing VLAN action, watch the following video:

Video:

Negotiation Mismatch

The Negotiation Mismatch action detects instances on switch ports where negotiation is incomplete.
This issue can occur when Marvis detects a duplex mismatch between devices due to the
autonegotiation failing to set the correct duplex mode. Marvis provides details about the affected port.
You can check the configuration on the port and the connected device to resolve the issue.

The following example shows the details for the Negotiation Mismatch action. Notice that Marvis lists
the switch and the port on which the negotiation mismatch occurred.
 128

After you fix the issue in your network, the Negotiation Mismatch action automatically resolves and
appears in the Latest Updates section within an hour.

Loop Detected

The Loop Detected action indicates a loop in your network resulting in the switch receiving the same
packet that it sent out. A loop occurs when multiple links exist between devices. Redundant links are a
common cause for L2 loops. A redundant link serves as a backup link for the primary link. If both links
are active at the same time and protocols such as the Spanning Tree Protocol (STP) are not deployed
properly, a switching loop occurs.

Marvis identifies the exact location at your site where the traffic loop is occurring and shows you the
affected switches. Here's an example:
 129

Port Flap

The Port Flap action identifies ports that bounce persistently over a short time interval, indicating that a
port or client has an issue. Port flapping can occur due to unreliable connections, continuous rebooting
of a device connected to the port, or incorrect duplex configurations. The following example shows the
details that Marvis Actions provides for a Port Flap action:
 130

You can disable a persistently flapping port directly from the Marvis Actions page. In the Port Flap
actions section, select the switch on which you want to disable a port and click the DISABLE PORT
button.

The Disable Port page appears, listing the ports that you can disable. You cannot select a port if it is
already disabled (either previously through the Actions page or manually from the Switch Details page).

When you disable a port, the port configurations on the selected ports change to disabled and the ports
go down. After you fix the issue, you can re-enable these ports by editing the port configuration on the
Switch Details page. After you re-enable the ports, you can reconnect the devices to the ports.

After you fix the issue in your network, the Port Flap action automatically resolves and appears in the
Latest Updates section within an hour.

Video:
 131

High CPU

Marvis detects switches that constantly have high CPU utilization. Various factors can cause high CPU
utilization: multicast traffic, network loops, hardware issues, device temperature, and so on. The High
CPU action lists the switches, the processes running on the switch along with the CPU utilization rate,
and the reason for the high utilization. In the following example, you see that the fxpc process has high
CPU utilization, and the cause for the high utilization is the use of noncertified optics on the switch:

Port Stuck

The Port Stuck action detects a difference in traffic pattern on a switch port, such as no transmitted or
received packets, indicating that the client connected to the port is not operating normally. In the
following example, you'll see that Marvis Actions recommends that you bounce the port and verify if the
client starts operating normally. Notice that in addition to the port number, Marvis also lists the client (in
this case, a camera) that is connected to the port and the associated VLAN.
 132

Traffic Anomaly

Marvis detects an unusual drop or increase in broadcast and multicast traffic on a switch. It also detects
any unusually high transmit or receive errors. Like the Anomaly Detection view for connectivity failures,
the Details view shows a timeline, the description of the anomaly, and details of the affected ports. If
the issue affects an entire site, Marvis displays the details of the affected switches and port details for
each affected switch.
 133

Video:

WAN Edge Actions

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve issues MTU Mismatch | 134

affecting your WAN Edge devices. Bad WAN Uplink | 134

VPN Path Down | 135

When you click the WAN Edge button on the Actions dashboard, you'll see a list of all available actions.
You can then click an action to investigate further. Available actions are described later in this topic.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.
 134

MTU Mismatch

Marvis detects MTU mismatches between a port on the WAN Edge device and a port on the directly
connected device. All devices on the same Layer 2 (L2) network must have the same MTU size. When an
MTU mismatch occurs, devices might either fragment packets resulting in a network overhead or discard
packets. The Details column lists the port on which the mismatch occurs. You'll need to review the port
configuration on the WAN edge device and the connected device to resolve the issue.

Bad WAN Uplink

The Bad WAN Uplink action identifies instances where the uplink interfaces on your Juniper Networks®
SRX Series Firewall or Session Smart™ Router are experiencing issues. Marvis identifies interface-related
issues (such as cable issues, congestion) or it could be network-related (high latency, packet drops, and
jitter). These issues can cause poor user experience and result in an unhealthy WAN link. You might see
errors in the overlay even though there are no issues in the underlay.

When you see a Bad WAN Uplink action, we recommend that you check the uplink connection on your
device to troubleshoot the issue. Marvis highlights the issue indicating the need to check the connection
as shown in the following example:
 135

Poor LTE connectivity can cause uplink issues. For a bad LTE WAN link, Marvis shows a timeline of
affected clients and signal strength. This timeline view is like the Anomaly Detection view for
connectivity failures. Marvis automatically finds and displays the worst signal strength metric during this
time. Marvis displays any one of the following signal strength metrics:

• Received signal strength indicator (RSSI)

• Reference Signal Received Power (RSRP)

• Signal-to-noise ratio (SNR)

After you fix the issue in your network, Mist AI monitors the WAN link for a certain period of time to
see if users are experiencing any issues. Hence, it might take up to 24 hours for the Bad WAN Uplink
action to automatically resolve and appear in the Latest Updates section.

VPN Path Down

Marvis monitors the VPN paths that are associated with WAN edge nodes (Juniper Networks® SRX
Series Firewall or Session Smart™ Router) in the overlay network. If a VPN tunnel goes down, Marvis
displays the VPN Path Down action so that you can take immediate action. In the following example,
 136

Marvis reports that a hub gateway is down. Notice that Marvis provides detailed information such as the
impacted sites, applications, and clients.

After you fix the issue in your network, Mist AI monitors the VPN path for a certain period of time to
see if users are experiencing any issues. Hence, it might take up to 24 hours for the VPN Path Down
action to automatically resolve and appear in the Latest Updates section.

Data Center/Application Actions

If you manage your enterprise network with Juniper Mist and your data centers with Juniper Apstra, you
can click the Data Center/Applications Action button in Marvis to quickly view what the Marvis Virtual
Network Assistant for Data Center has collected.
 137

NOTE: Before the Data Center/Application button will work, you must perform some
configuration in both your Mist portal and your Juniper Apstra Cloud Services portal. See Access
Apstra Cloud Services.

Unlike the other actions on this page which expand in place, the Data Center/Application action button
launches a new browser window or tab that opens to the Marvis Actions page in your Juniper Apstra
Cloud Services portal. See Figure 1 on page 137.

Figure 1: Marvis Actions Page on Juniper Apstra Cloud Services Portal

 138

RELATED DOCUMENTATION

https://www.juniper.net/documentation/us/en/software/mist/mist-management/topics/task/mist-
to-apstra-link.html
https://www.juniper.net/documentation/us/en/software/juniper-apstra-cloud-services/user-guide/
topics/concept/datacenter-assurance-overview.html

Persistent Failures

SUMMARY IN THIS SECTION

Use the Actions dashboard to resolve issues with Persistently Failing Clients | 139
persistently failing clients.

When you click the Other Actions link on the Action dashboard, all available actions appear. Currently
there is only one type of action for this category: Persistently Failing Clients.

NOTE: Your subscriptions determine the actions that you can see on the Actions dashboard. For
more information, see "Subscription Requirements for Marvis Actions " on page 106.
 139

Persistently Failing Clients

Marvis identifies wired or wireless clients that continuously fail to connect due to a client-specific issue;
that is, the scope of failure isn’t the access point (AP), switch, wireless LAN (WLAN), or server. The
failure can be due to authentication failures from entering the wrong preshared key (PSK) or failures
caused by incorrect 802.1x configuration. Marvis displays the list of clients experiencing a failure and
the WLANs they are trying to connect to.

NOTE: After you fix this issue, the Persistently Failing Clients action automatically resolves
within an hour. As this action is considered low priority, Marvis does not list the Persistently
Failing Clients action in the Latest Updates section or on the Sites tab.

Video:

Anomaly Detection Event Card

SUMMARY

Use the Anomaly Detection Event Card for additional information about issues and actions.
 140

The Anomaly Detection Event Card provides a more detailed diagnosis about the anomalies for some of
the actions that Marvis suggests. The Event Card is available for these types of failures:

• Authentication Failures

• Domain Name System (DNS) Failures

• Dynamic Host Control Protocol (DHCP) Failures

Watch this video to see an example.

Video:

If an event card is available, you'll see a View More link, as shown in this example.

When you click View More, the card appears in a pop-up window. Here's a sample event card for an
authentication failure.
 141

The event card includes these sections:

• Timeline—The number of failure events at each point in time. Marvis highlights the anomalies with a
magnifying glass icon. Click the icon to select an anomaly and view the details.

• Summary—A description of each anomaly and the most likely cause. It also indicates if the clients
mostly failed on a certain radio band, access point (AP), or wireless LAN (WLAN). You can select
different anomalies by clicking their titles.

• Causes—A graphical representation of the relative impact of the AP, WLAN, and radio band. The size
of the circle indicates the correlation to failure, and the positions on the graph show the Failure
Likelihood and the sitewide impact. You can click a device to display the information in the Details
section.

• Details—A list of the impacted devices. The details change when you click a device type in the
Causes graph. For example, click the AP icon in the graph to see the details for the APs.
7 CHAPTER

Marvis Minis

Marvis Minis Overview | 143

Marvis Minis Dashboard Overview | 151

Add Custom URLs for Marvis Minis Validation | 156

Exclude VLANs from Marvis Minis Validation | 157

Disable Marvis Minis | 158

Network and Application Monitoring with Marvis Minis | 159

 143

Marvis Minis Overview

SUMMARY IN THIS SECTION

Get familiar with Marvis Minis and learn how it What Is Marvis Minis? | 143
proactively validates your network and application Software Requirements | 144
services.
Subscriptions for Marvis Minis | 144

Marvis Minis Tests | 144

Marvis Minis Validation Frequency | 148

Marvis Actions for Marvis Minis | 150

What Is Marvis Minis?

Marvis Minis is a network digital twin, which uses your network infrastructure to assess the network
connectivity and service reachability of your network. By proactively simulating user connections
through an access point (AP), Marvis Minis can help detect and resolve issues before they impact users.
Marvis Minis is always on and can be initiated on-demand.

Marvis Minis runs validations automatically at regular intervals. Marvis can also trigger Marvis Minis
validations automatically when it observes any imminent network service failures—even when users
aren't connected to the network. If Marvis Minis observes a network service failure, it revalidates the
failure and expands the validation scope of the failure to other APs and switches. By expanding the
validation scope, Marvis Minis can identify the overall impact of the issue—that is, whether the issue
impacts an entire site, a specific switch, WLAN, VLAN, server, or AP. Marvis Minis automatically scopes
and validates any changes (such as new device additions, configuration changes, and so on) related to
APs, switches, and WAN Edges.

Marvis Minis can run the validation across multiple sites in an organization or on a single site. Marvis
automatically learns about the active APs, VLANs, and the applications that are being used on each site.
This capability helps Marvis Minis to validate all user VLANs and specific APs without having to validate
all APs. Data from Marvis Minis also serves as an additional source of information for Marvis.

Dynamic packet capture, client insights, and Marvis Actions provide insights and details of a failure. With
these insights, you can identify the scope of the failure and resolve issues such as users being unable to
connect to the network. By simulating actual user experience in a constant contextual learned scope,
Marvis Minis identifies and resolves the same issue without putting additional stress on network
 144

services. For example, consider a site with 2000 APs connected to 200 switches. Marvis triggers Marvis
Minis on approximately 200 APs. Based on the failure that Marvis Minis observes, it expands the
validation scope to other APs only if necessary. This capability ensures that the network services do not
experience additional load.

This video provides an introduction to Marvis Minis.

Video:

Software Requirements

All Juniper Mist™ AP models support Marvis Minis. Marvis Minis is enabled by default on APs running
firmware version 0.14.29313 and later. Marvis Minis does not require any additional software or
external sensor hardware.

Subscriptions for Marvis Minis

Marvis Minis does not require a separate subscription. Any organization with an active Marvis for
Wireless subscription is automatically entitled for Marvis Minis support.

Marvis Minis Tests

Marvis Minis learns all the APs, WLANs, switches, and active VLANs in a site and automatically creates
the tests to run. Marvis Minis builds and updates its testing scopes for any new additions or changes in
the site such as adding new APs, WLANs, or VLANs.

Marvis Minis runs validations when you add a new site or upgrade the firmware of all the APs at an
existing site to the supported firmware version (0.14.29313). The automatic validations are run on an
hourly basis. You can also trigger a Marvis Minis validation manually by using the Test Now button on
the Marvis Minis site-level page.

Marvis Minis updates the scope every hour based on the active client VLAN and RRM details. The
Marvis Minis validation scope includes only the WLAN-to-VLAN mapping if no clients are connected to
the network.

Marvis Minis validates the following network services for all the active VLANs on the enabled wireless
LANs to ensure that the site is operational:
 145

• Dynamic Host Configuration Protocol (DHCP)

• Address Resolution Protocol (ARP)

• Domain Name System (DNS)

• Application reachability

Marvis Minis simulates a user connection on active user VLANs and validates the connectivity process
using the following steps:

1. Sends a DHCP request for a client VLAN and reports whether the VLAN obtains an IP address. The
AP sends both broadcast discovers and unicast renews.

2. Generates an ARP request for the gateway.

3. Resolves DNS queries against all the DNS server IP addresses received in the DHCP offer.

4. Verifies Internet reachability by validating application reachability. Marvis Minis verifies application
reachability by using default Internet connectivity URLs such as captive.apple.com,
connectivitycheck.gstatic.com, office.com, and teams.microsoft.com. Marvis Minis also validates
reachability for Office365. You can define custom user applications in the organization or site
settings.

5. Explicitly releases the DHCP lease on the tested VLAN.

NOTE: When the client VLAN is the same as the AP management VLAN, the AP would have
obtained an IP address already and resolved ARP. In such a scenario, Marvis Minis validates only
DNS and application reachability as part of the preconnect failure checks. It does not send a
DHCP request, nor does it revalidate ARP resolution for the AP management VLAN.
Here is an example that shows the Marvis Minis dashboard for this scenario. Notice that Marvis
Minis reports the status for only DNS and Application for the site KR-Site-01. If you hover your
mouse over DHCP and ARP, you’ll see the status as Not Validated.
 146

Here's the detailed view when you click the site.

If Marvis Minis detects any failure in DHCP, ARP, DNS, and application reachability on any VLAN, it
performs the following checks to understand the scope of failure—whether it is limited to an AP, a
switch, or an entire site:

1. Retests the connectivity on the failed AP.

2. Tests whether the issue occurs on another AP connected to the same switch.

3. Tests whether the issue occurs on an AP connected to a different switch.

4. Verifies whether the failure scope is limited to an AP, a switch, or a site for that VLAN.

In the following example, a site has 17 APs connected across 6 switches. The validation scope includes 6
APs - one AP connected to each switch and the relevant VLANs.
 147

The Switches > Topology page shows the six switches to which the APs are connected.

Here is the Marvis Minis page that shows the validation results:
 148

Marvis Minis Validation Frequency

Marvis Minis validations can be triggered either automatically or manually.

• Automatic validation—Marvis Minis runs the validation every hour even if no clients are connected to
the network. If only a few clients experience network failures, Marvis Minis runs a validation to
confirm whether the issue is specific to a client or whether it is a network issue.

• Manual (on-demand) validation—As an administrator, you can initiate an on-demand Marvis Minis
validation at any time. When a configuration change or hardware change occurs in the network,
administrators can click the Test Now button in the top-right corner of the Marvis Minis page to
initiate the validation immediately. Ensure that you have selected the site you want to test from the
site selector drop-down list.
 149

NOTE: At any point in time, Marvis Minis runs only one validation per site. If an automated
validation is in progress, you cannot trigger a manual validation.

Notice that the Live Minis Tests statistic shows a value of 1, which indicates that a validation is in
progress. The table also shows the progress of the validation. Also, note that the Created By column lists
User because the validation was triggered manually.
 150

Marvis Actions for Marvis Minis

Marvis constantly receives data observed by Marvis Minis. Marvis ingests this additional data and lists
Marvis Minis-detected failures under the Connectivity category on the Marvis Actions page. Marvis
Actions provides visibility into all the ongoing issues that impact user experience in an organization.
Here is an example that shows how a Marvis Minis-detected failure is listed as an action. Notice that
Marvis attributes the failure reason to Marvis Minis validation.

You can click the View More link to view the details and scope of the failure on the Marvis Minis page.
You can download the dynamic packet capture (.pcap) file for any Marvis Minis-observed failure in the
same way as you would for an end-user client. A paper clip icon adjacent to the AP name indicates that
dynamic packet capture is available for the AP. The following screenshot shows the location of the paper
clip icon. Click the Download (↓) button to access the packet capture.

Here is a sample of a downloaded packet capture:

 151

NOTE: After you fix the Marvis Minis detected issue, it might take up to 24 hours for the Marvis
action to be automatically resolved—that is, the issue is no longer listed on the Marvis Actions
page after 24 hours. This resolution time ensures that Marvis does not generate the same action
again and rules out reoccurrences of the same issue within 24 hours.

Marvis Minis Dashboard Overview

IN THIS SECTION

Organization-Level Marvis Minis Dashboard | 152

Site-Level Dashboard | 155

The Marvis Minis dashboard provides visibility into the validation results. To view the Marvis Minis
dashboard, select Marvis > Marvis Minis from the left menu of the Juniper Mist portal.

In this example, you’ll see the major elements of the dashboard:

 152

At the top of the page, you’ll see a graphical representation of the total validations executed, with the
green block indicating the number of successful validations. You can click each block to view the details
of each validation.

Directly below the graph, you’ll see the following statistics for the organization:

• Failed sites—Number of sites that failed the validation.

• Live Minis Tests—Number of validations that are being run currently. Marvis runs only one validation
per site at a time. You cannot trigger a manual validation when an automated validation is in
progress.

• Active Marvis Actions—Number of actions detected by Marvis Minis at the organization level.

The table at the bottom of the page displays the results that are based on the context you select—an
entire organization or a single site.

Organization-Level Marvis Minis Dashboard

Here is an example of the Marvis Minis dashboard view for an organization:

 153

The Sites tab displays all the sites in the organization. The table includes:

• Site—The name of the site where the validation was run.

• AP—APs on which Marvis Minis validation is triggered.

• Tests—The number of times the validation was run on the site for the selected timeline (automated
and triggered).

• Marvis Actions—Lists the number of Marvis Actions detected by Marvis Minis for the site.

• Network and application services—Marvis Minis provides the validation results for a site for the
following network and application services:

• DHCP

• ARP

• DNS

• Application connectivity

You can view the details of each validation run on a site by clicking the site name. In this example, you
can see the validations run on a site.
 154

The Created By column indicates who initiated the validation:

• Marvis—Indicates that Marvis initiated the validation automatically

• User—Indicates that a user initiated the validation manually

You can also use the Filter option to view specific validations. In the following example, we show you
the filtered results for tests run on a specific date.

To view more information about each validation, click each row. You’ll see the details for a validation.
The table lists all the APs at the site, the switch to which each AP is connected, VLANs, LLDP port
information, and the status for DHCP, ARP, DNS, and application connectivity.
 155

Site-Level Dashboard

Here's an example of the Marvis Minis page for a site. In this case, as it is a single site, you’ll see only the
validations run on that site. You can click each row to view the details as described in the previous
section.

Here's an example of a validation that detected an ARP failure on one of the APs.
 156

Marvis Minis retests each failure for confirmation. It also expands the scope to additional APs to identify
whether the failure is limited to a specific VLAN, AP, or switch or whether it is a sitewide issue.

Add Custom URLs for Marvis Minis Validation

Marvis Minis runs the validation on a set of default URLs. As an administrator, you can add Amazon Web
Services and Microsoft Azure workload application URLs for inclusion in the validation. To add custom
URLs:

1. From the left menu of the Juniper Mist portal, select Organization > Settings.
2. Navigate to the Marvis Minis section on the Organization Settings page.
3. Click Add Custom URLs.
 157

4. Enter the URL or fully qualified domain name (FQDN) of the site and the VLANs that you want
Marvis Minis to validate.
5. Click Add.
6. Click Save in the top-right corner of the Organization Settings page.

Exclude VLANs from Marvis Minis Validation

You can add a list of all the VLANs for which you do not want Marvis Minis to run an application
reachability check. To exclude VLANs:

1. From the left menu of the Juniper Mist portal, select Organization > Settings.
2. Navigate to the Marvis Minis section on the Organization Settings page.
3. In the Excluded VLANs field, enter the VLANs that you want Marvis Minis to exclude during the
validation.
 158

4. Click Save in the top-right corner of the Organization Settings page.

Disable Marvis Minis

Marvis Minis is enabled by default on all sites with APs running firmware version 0.14.29313 and later.
You can opt to disable Marvis Minis for a specific site or organization. Note that the site-level settings
override the organization-level settings.

To disable Marvis Minis:

1. From the left menu of the Juniper Mist portal, select Organization > Settings if you want to disable
Marvis Minis at the organization level.

If you want to disable Marvis Minis at the site level, then select Organization > Site Configuration.

2. Navigate to the Marvis Minis section.

3. Select the Disable Marvis Minis check box.

 159

4. Click Save in the top-right corner of the page.

You can re-enable Marvis Minis any time at the organization level or site level by clearing the Disable
Marvis Minis check box. You can re-enable Marvis Minis at the site level only if Marvis Minis is enabled
at the organization level.

Network and Application Monitoring with Marvis

Minis

IN THIS SECTION

View the Marvis Minis Timeline in the Successful Connect SLE | 160

View Site Insights for Marvis Minis | 161

View System Events for Marvis Minis | 161

 160

Juniper Mist™ uses data from Marvis Minis to analyze the end-user experience and provides the overlay
of Marvis Minis runs in the wireless service-level expectation (SLE) dashboards. You can use the
information to analyze connectivity failure trends and manage your network proactively by identifying
issues before they escalate to a larger issue affecting the end-user experience.

View the Marvis Minis Timeline in the Successful Connect SLE

The Successful Connect SLE for wireless provides a timeline that shows the actual failed connection
attempts for connected users to indicate the connection failure trend. If Marvis Minis is enabled for your
organization, the timeline includes Marvis Minis-observed failures. You can analyze the information to
correlate the Marvis Minis-reported failure and end-user-reported failures.

To view the Marvis Minis timeline:

1. Select Monitor > Service Levels from the left menu of the Juniper Mist portal, and then select the
Wireless tab.
2. Scroll down, click the Successful Connects metric, and then select the Timeline tab.
Here's a sample timeline that shows the Marvis Minis-observed failures. The timeline highlights the
validations run and the failures observed against connection attempts. In this example, notice that
Marvis Minis made 24 DHCP requests and all the requests failed. The example also highlights the
fact that Marvis Minis runs validations even when no users are connected to the network.
 161

View Site Insights for Marvis Minis

Every time Marvis Minis runs a network validation, it updates the site events to provide a high-level
audit of the validation. You can view the site events on the Insights dashboard. You can view more
details on the Marvis Minis dashboard for the site.

To view the Insights dashboard:

1. Select Monitor > Service Levels from the left menu of the Juniper Mist portal.
2. Click the Insights tab at the top of the Monitor page.
3. Select the site and the duration for which you want to view the details.
Here's an example that shows the site events captured for a Marvis Mini validation.

View System Events for Marvis Minis

Mist displays all Marvis Minis connectivity validations executed on a site as part of the system events.
With this information, you can keep track of the connectivity validations from the Wireless SLE page.

Select Monitor > Service Levels from the left menu of the Juniper Mist portal, and then select the
Wireless tab.
 162

You'll see the timeline for System Changes as shown here. This example shows the audit for a Marvis
Minis connectivity validation for DHCP.

You can also access the System Changes information from the Successful Connect Timeline view.
8 CHAPTER

Conversations and Queries

Marvis Conversations and Queries Overview | 164

Marvis Conversational Assistant | 164

Marvis Query Language | 168

 164

Marvis Conversations and Queries Overview

You can interact with Marvis by using the Marvis Conversational Assistant or by entering structured
queries using the Marvis Query Language.

With both of these approaches, you can get information about your network, and you can troubleshoot
issues in real time.

• To use the Conversational Assistant—Click the Marvis icon at the top-left corner or bottom-right
corner of the Juniper Mist portal. For more information about the conversational assistant, see
"Marvis Conversational Assistant" on page 164.

• To use the structured query language—Select Marvis in the left menu of the Juniper Mist™ portal,
and then click the Ask a Question button at the top-right corner of the Marvis Actions dashboard.
For more information about the query language, see "Marvis Query Language" on page 168.

Marvis Conversational Assistant

SUMMARY IN THIS SECTION

Get started using the Marvis Conversational Video Demo | 165

Assistant to get information about your network, Requirements | 165
troubleshoot issues, and find documentation.
Finding the Conversational Assistant | 165

Using Natural Language | 166

 165

Following Prompts | 166

The conversational assistant offers help by using natural language processing (NLP) and natural language
understanding (NLU) capabilities. It continues to improve its responses by learning from user feedback.

Marvis can:

• Provide information about sites, devices, clients, and applications

• Help troubleshoot issues with sites, devices, clients, and applications

You can interact with the conversational assistant by following prompts or by entering questions and
statements like you would in a normal conversation. For example, you can ask, “How many switches are
connected?” or “How is the primary site working?”

Video Demo

Watch a user interact with the Marvis conversational assistant.

Video:

Requirements

To use the conversational assistant, you must:

• Meet the subscription requirements. For more information, see "Subscription Requirements for
Marvis Actions " on page 106.

• Have a user account with permission to access all sites in your organization.

Finding the Conversational Assistant

Click the Marvis icon at the top-left corner or bottom-right corner of the Juniper Mist portal.
 166

Using Natural Language

Click the Marvis icon, and then enter your question or concern in the Message box at the bottom of the
Marvis window.

Following Prompts

Click the Marvis icon, and then click one of the buttons that Marvis displays.
 167

The initial prompts include:

• Troubleshoot—Click this option to troubleshoot issues with a site, application, device, and wired or
wireless client.

• Search—Click this option to search for users, devices, and sites.

• Documentation—Click this option to search for documentation.

• Marvis Actions—Click this option to see pending actions from the Actions dashboard.

After you respond to a prompt, Marvis continues the conversation by displaying another prompt. In the
following example, you can see the interaction between Marvis and a user who wants to troubleshoot
issues with a site.
 168

NOTE: You can also access the conversational assistant from the support ticket creation page to
quickly troubleshoot impacted sites, devices, and clients before submitting a support ticket. For
more information, see Create a Support Ticket.

Marvis Query Language

SUMMARY IN THIS SECTION

Start using the Marvis Query Language to structure Troubleshoot Using Marvis Query
queries that pull data from Marvis. Language | 171

Client Roaming Visualization | 178

The Marvis Query Language provides a structured framework for querying Marvis to get data that helps
you monitor or troubleshoot your network. You can use queries to quickly find details about an event or
failure in your network and about the affected devices.
 169

Video Demo

Video:

Marvis Query Language Structure

A query can contain the following elements:

• Query Type—Defines what you want Marvis to do (for example, COUNT, LIST, RANK, LOCATE, or
TROUBLESHOOT).

• Value—Specifies a unique value that is specific to an organization, such as a client's name.

• Query Object—Indicates Mist-defined objects (for example, APEvents, ClientEvents)

• Clause—Acts as a qualifier for the overall query (for example, of, with, or by).

• Filter Type—Narrows the results based on pre-defined filter types.

You can also add a duration to the end of a Marvis query. Note that you need to press the space bar
after entering each element to see the available options.

Finding the Marvis Query Page

Select Marvis in the left menu of the Juniper Mist™ portal, and then click the Ask a Question button at
the top-right corner of the Marvis Actions dashboard.

Entering a Structured Query

Marvis guides you step by step to enter the required elements in the query.

To get started, click in the Enter a query text box. Then click one of the options in the drop-down menu.
 170

After you click an option, it appears in the query box. Press the space bar, and Marvis displays the
available options. Here's an example of the options for the LIST query type.

Continue pressing the space bar and selecting options until you've entered a complete query. Here's an
example of a RANK query that ranks clients based on the authentication failures:
 171

For more information about useful queries, see "Troubleshoot Using Marvis Query Language" on page
171.

Troubleshoot Using Marvis Query Language

SUMMARY IN THIS SECTION

Use these examples to see how you can use Marvis View Event and Device Details | 171
queries to monitor and troubleshoot your network. View Roaming Details of a Client | 175

View Status of a Client | 175

Troubleshoot APs, Sites, or Clients | 175

Locate APs, Sites, or Clients | 177

View Channel Utilization of an AP | 177

View Event and Device Details

To troubleshoot problems and understand network behavior, you might need to look at event details or
device details. You can use the LIST query to view details for the following:

• Access points (APs)

• Clients (including wired clients)

• Switches
 172

• AP events

• Client events

• Switch events

• Mist Edges

• Mist Edge events

Table 11 on page 172 and Table 12 on page 173 provide a few LIST queries that you can use as a
reference to build queries based on your requirements.

Table 11: Key LIST Queries to View Events

If you want to view Use

Client events for an AP during a specific time interval LIST ClientEvents WITH AccessPoint <AP name>
DURING <time duration>

All events for an AP LIST ApEvents WITH AccessPoint <AP name>

Events of a specific type for an AP LIST ApEvents WITH ApEventType <event-type>

AND AccessPoint <ap-name>

All events for a switch LIST SwitchEvents WITH Switch <switch name>

Events of a specific type for a switch LIST SwitchEvents WITH SwitchEventType <event-
type> AND Switch <switch-name>

All events for Mist Edges at a specific site LIST MistEdgeEvents WITH Site <site-name>

The following example shows the events for all clients associated with a particular AP. To view more
details about an event, you can click the arrow in the first column of the table.
 173

This example shows the list for a specific event type:

Table 12: Key LIST Queries to View Devices

If you want to view Use

Switches of a particular model in a site LIST Switches WITH Model <model number> AND
Site <site name>

Clients connected to an AP LIST Clients WITH AccessPoint <AP name>

APs of a specific model in a site LIST APs WITH Model <model number> AND Site
<site name>

All the wired clients in a site LIST WiredClients WITH Site <site name>

Mist Edges in a site LIST MistEdges WITH Site <site name>

 174

The following example shows the output for a LIST query. Note that you can enter a partial IP address to
search for devices in specific subnets. For additional actions, you can click the More Options icon at the
top-left corner of the table.

In addition to the LIST query, you can use the COUNT query to get a count of events or devices that
match the query. The COUNT query uses the same structure as the LIST query. Here is a screenshot
that shows a sample output for the COUNT query. You can click VIEW EVENT LIST to see the event
details.
 175

View Roaming Details of a Client

You can use the ROAMINGOF query to see a graphical view of a client roaming between different APs.

ROAMINGOF <client name> DURING <time interval>

View Status of a Client

The STATUSOF query provides an overview of clients that are facing connectivity issues in a site or
wireless LAN (WLAN). The query output displays a ranked list of clients, starting with the clients
experiencing the greatest number of issues. With this query, you can quickly identify clients facing
connectivity issues in your site. You can use this query at the start of a troubleshooting session to
identify the affected clients. You can then drill down into the client details to find the root cause of the
issue. You can click a client to look at its service levels or insights, or to initiate the TROUBLESHOOT
query on Marvis.

STATUSOF Clients WITH Site <site name>

You can also view clients facing specific problems such as coverage issues, throughput problems,
connectivity issues, and so on. For example, the query STATUSOF Clients WITH Problem Capacity lists
all clients experiencing capacity issues in your organization.

Troubleshoot APs, Sites, or Clients

Table 13 on page 176 lists a few TROUBLEHOOT queries that you can use to troubleshoot a site, a
client, or an AP.
 176

Table 13: TROUBLESHOOT Queries

If you want to troubleshoot Use

A client, an AP, or a site TROUBLESHOOT <client/site/AP name>

A wireless client, an AP, or a site facing connectivity TROUBLESHOOT <client/site/AP name> WITH
issues Problem SlowToConnect
TROUBLESHOOT <client/site/AP name> WITH
Problem UnableToConnect

A wireless client, an AP, or a site facing connectivity TROUBLESHOOT <client/site/AP name> WITH
issues for a specific duration Problem UnableToConnect DURING <time duration>

The following screenshot shows the output for the TROUBLESHOOT <site name> WITH Problem
UnableToConnect query. You'll see that Marvis provides data such as the cause of the issue, the band,
and the WLAN on which the issue occurred.
 177

You can drill down into more details by clicking each of the categories. If you click the Service Levels
category, Marvis provides more details about the issue as shown in the following screenshot:

Locate APs, Sites, or Clients

You can use the LOCATE query to find your site, AP, or client. The query output displays a map view of
the site location that you configured in Organization > Site Configuration. For APs and clients, Marvis
shows the location of these devices on your floorplan. Marvis also displays additional information and
provides links to the Insights, Service Levels, and Troubleshoot pages.

View Channel Utilization of an AP

You can use the UTILIZATIONOF query to view the channels that an AP is broadcasting and the usage
levels between the 2.4 GHz, 5 GHz, and 6 GHz bands. You can click Show Channels to see a breakdown
 178

of all specific channels that the AP uses.

Client Roaming Visualization

SUMMARY

Gain additional insights by using the ROAMINGOF query to view the client roaming status.

Marvis provides a visualization of your device’s roaming history and behavior. It includes information
about the access points (APs) and radio bands the device connects to, and the received signal strength
indicator (RSSI) values of the connection. Marvis uses the data from Client Events to provide a visual of
the path your device takes and its transitions between various APs. Marvis indicates a Bad roaming
status when the RSSI is low and a warning roaming status when the client switches to a different radio
band or wireless LAN (WLAN) while roaming.

You need to use the Marvis query (ROAMINGOF) to view the client roaming status. If you want to get a
more detailed view of the visualization, you can zoom in. Use the magnifier buttons on the top right of
the timeline or click and drag your cursor in a particular section to zoom in on a specific time interval.
 179

Marvis highlights information such as the roaming status, RSSI value, and transitions, to improve
troubleshooting. The dots you see in this screenshot indicate Transient Associations, which means that
the device was associated with the AP for a very short time.

Here is a zoomed-in view of transient associations in the 9:45 a.m. – 9:54 a.m. time interval.
 180

You can hover over the roaming status icons on the timeline to view detailed information about the
roaming event, such as the WLAN, channel, band, and RSSI. Here you can see that the client
experienced a good roaming event between the APs at 9:49 a.m.
 181

Here's an example of a bad roaming event. Notice that Marvis indicates a low RSSI for this event.
 182

In the following screenshot, you can see that the client switched from the 5 GHz radio band to the 2.4
GHz band while roaming. Marvis displays the roaming status as Warning.
183
9 CHAPTER

Marvis Android Client

Marvis Android Client Overview | 185

Install the Marvis Android Client | 187

Marvis-Zebra Integration | 195

 185

Marvis Android Client Overview

SUMMARY

Get familiar with the benefits of the Marvis Android Client.

You can use the Marvis Android client to view your network from the client's perspective. View detailed
data and telemetry about how the client experiences the wireless connection, including insight into
client roaming behaviors. The Marvis client recognizes connection types (cellular or wireless) and the
corresponding signal strength.

NOTE: To use the Marvis client, you must install it on a compatible device and connect your
device to a Juniper Mist AP. You also must have a Marvis subscription. For more information, see
"Subscriptions for Marvis" on page 99.

The Marvis client provides an additional layer of detail by displaying device type, manufacturer, and
operating system, as follows:

• Detailed wireless properties: Mist’s device fingerprinting provides the manufacturer, device type, and
OS of the device. The Marvis client enhances this visibility by providing the OS version along with
the radio hardware (adapter) and firmware (driver) versions. This level of visibility helps you identify:

• Exceptions in terms of a device with different properties (such as the OS, radio hardware, and
firmware) when compared to other devices of the same type.

• Device-generic issues (for example, issues due to a firmware version).

• Coverage issues due to asymmetry: A Mist access point (AP) indicates the received signal strength
indicator (RSSI) at which it detects a client. The Marvis client provides the RSSI at which the client
detects the AP. This data helps you identify asymmetries in the power level between the client and
AP. You can then resolve asymmetries that could result in a poor connection.

• Connection type: You can see when the device switches between a wireless and a cellular
connection type, along with the corresponding signal strength.

• Roaming behavior: Roaming decisions and how a client decides to connect to an AP on a specific
band is a client decision. The Marvis client provides visibility into how the client detects the
neighboring APs.
 186

You can view all connected Marvis clients directly on the Mist portal on the WiFi Clients page (Clients >
WiFi Clients > Marvis tab). You can view a graphical representation of your Marvis clients and their
detailed information including manufacturer, device type, OS version, and radio hardware and firmware.
You can see the current and historical snapshots of the connected clients in a specific site.

You can select either the Tree or List view to display your Marvis clients, as follows:

• Tree view: Groups clients based on their properties. Marvis classifies the clients by manufacturer,
device type, OS version, radio hardware, and radio firmware. The tree view displays the total number
of Marvis clients for the specified site and time range. It also highlights possible outliers that do not
conform to the properties seen for other clients with the same manufacturer or device type.

• List view: Presents client information in a tabular format. The default columns include user,
hostname, MAC address, manufacturer, device type, device OS, radio hardware, radio firmware, and
client-reported RSSI value. The list view displays up to 50 clients on a single page. You can navigate
between pages by using the arrow buttons located on the top-right corner of the list.

You can filter the list view by entering keywords in the search filter located at the top-left corner of
the list. You can also filter the list view by clicking any client property in the tree view. When you
click a property, the selected property and the path from the root property to the selected property
are highlighted. You can then see the applied filters above the list view.
 187

We support the Marvis client on Android handheld devices and smartphones running OS 6.0 and higher
versions.

Install the Marvis Android Client

SUMMARY IN THIS SECTION

Complete the pre-install tasks, and then choose the Requirements | 187
method that you want to use to install the Marvis Before You Begin | 188
Android Client on your Android device.
Deploy the Marvis Client Using the SOTI
MDM | 189

Deploy the Marvis Client Using AirWatch or

VMWare Workspace ONE | 190

Deploy Marvis Client Using Other

MDMs | 191

Install Through Sideloading | 192

Verify the Installation | 194

Requirements

Juniper Networks® supports the Marvis client on Android handheld devices and smartphones running
OS 6.0 and higher versions.
 188

NOTE: For information about the capabilities of the Marvis Client, see "Marvis Android Client
Overview" on page 185.

Before You Begin

Before you start the installation:

• Configure your network firewall settings to allow the Marvis client to connect to your Mist
organization.

If your Mist organization resides in Amazon Web Services (AWS) cloud (default), use the following
settings:

• wss://client-terminator.mistsys.net:443/ws or protocol WSS (websocket) port 443 for domain/

path

• https://api.mist.com

or HTTPS protocol port 443 for domain

If your Mist organization resides in Google Cloud Platform (GCP) cloud, use the following settings:

• wss://client-terminator.gc1.mist.com/ws or protocol WSS (websocket) port 443 for domain/path

• https://api.gc1.mist.com/

or HTTPS protocol port 443 for domain

NOTE: If your Mist organization resides in a cloud other than AWS or GCP, contact the
support team for the appropriate URLs to configure the firewall settings.

• Obtain your secret token or QR code to onboard your Marvis client.

1. Go to Organization > Mobile SDK in the Mist portal to locate your secret token or QR code.
 189

2. Click View to see the QR code.

If an invitation doesn’t exist, you can create one by using the Create Invitation button in the top-
right corner. You'll need to enter a name for your organization invitation.

Deploy the Marvis Client Using the SOTI MDM

To deploy the Marvis client using a mobile device management (MDM) solution, you must customize the
Android package kit (APK) package deployment. You customize the APK deployment with the Intent
action to set the secret software development kit (SDK) token upon installation. When you launch the
customized application package, the client will be fully preconfigured and onboarded for operation.

You can onboard the Marvis client using the SOTI MDM.

NOTE: We do not present the overall generic Android application deployment process with SOTI.
We present only the information necessary to customize the Android application to complete the
client deployment.

Before you begin:

1. Ensure that you have a Windows device or a virtual machine (VM). You will run Package Studio,
which runs only on Windows devices.

2. Download SOTI’s MobiControl Package Studio (McStudio.exe).

To deploy the Marvis client using MDM:

 190

1. On your Windows device or VM, launch Package Studio and create a package project with the
following settings:

• Processor—All (unless targeting specific CPU or device types)

• Platform—Android

• OS Version—5 to 13 (unless you want to use a specific version)

• Version String—Set to the same versioning as the APK version

• Vendor—Mist Systems, Inc.

• Optional space requirement specifications

2. Add the Marvis client APK.
3. Add the following Script file:

• Script Engine—Legacy

• Script Type—Post-Install
4. Import the script file. The script file must have the following content:

sendintent -a "intent:#Intent;
action=android.intent.action.MAIN;component=com.mist.marvisclient/.MainActivity;S.MOBILE_SDK_S
ECRET=TheSecretValueHere;end;"

If you have configured a specific port on a Zebra device for voice calls, then the script file must have
the following content:

sendintent -a "intent:#Intent;
action=android.intent.action.MAIN;component=com.mist.marvisclient/.MainActivity;S.MOBILE_SDK_S
ECRET=TheSecretValueHere;S.MOBILE_VOICE_CALL_PORT=5070;end;"

5. Build the package.

When you deploy the customized package with SOTI, the Marvis client is preconfigured and onboarded.

Deploy the Marvis Client Using AirWatch or VMWare Workspace ONE

We do not cover the overall generic Android app deployment process with AirWatch. We only cover the
specific steps needed to complete the agent deployment.
 191

Use the following intent command to deploy the agent:

mode=explicit,broadcast=false,action=android.intent.action.MAIN,package=com.mist.marvisclient,cla
ss=com.mist.marvisclient.MainActivity,extraString=MOBILE_SDK_SECRET=TheSecretValueHere

If you have configured a specific port on a Zebra device for voice calls, then use the following content:

mode=explicit,broadcast=false,action=android.intent.action.MAIN,package=com.mist.marvisclient,cla
ss=com.mist.marvisclient.MainActivity,extraString=MOBILE_SDK_SECRET=TheSecretValueHere,extraStrin
g=MOBILE_VOICE_CALL_PORT=5070

You can use the following references to deploy the intent command:

• Configuring Automatic Launch for Android Mobile Devices if you have already deployed the Marvis
client on the device

• RunIntent Action, File-Action Android for new deployments of our APK installer on devices

Deploy Marvis Client Using Other MDMs

If you are using any other MDM, verify that the MDM supports intent execution. If the MDM does not
support intent deployment, then you can use the sideloading procedure described in "Install Through
Sideloading" on page 192. Here is another example for ADB based (developer/debug) deployment that
you can use to adapt to an MDM of your choice:

adb shell am start -n "com.mist.marvisclient/com.mist.marvisclient.MainActivity" -a

android.intent.action.MAIN -c android.intent.category.LAUNCHER --es "MOBILE_SDK_SECRET"
"TheSecretValueHere" -t "text/plain"

If the MDM solution does not support execution of Android intents, you might need to onboard each
deployed client device manually.
 192

Install Through Sideloading

NOTE: Follow this procedure for internal use, development, testing, or debugging. This process is
not for official customer deployments. However, you can use this procedure in cases where the
MDM solution does not support executing Android Intents to automatically configure the secret
token on installation.
This procedure requires manual intervention for each device being onboarded.

1. Install the APK on the device. You can use Android Debug Bridge (ADB), MDM, or file manager (local
device storage or an SD card containing the APK).
2. Open the Marvis client application on the device.
3. Tap the Marvis icon 7 times to open a special debug menu.

For Zebra devices, the debug menu shows the port that is configured for voice calls.
 193

4. Onboard the client using the secret code or scan code:

To use the QR code:

a. Tap the Scan Organization button to open the camera and scan the invitation QR code. Provide
the necessary permissions.

b. When the QR code is scanned, the matching secret token value is inserted into the Secret field.

The secret value is applied to the Marvis client automatically. A message appears indicating that
the value is applied.
 194

To use the secret code:

a. Type or paste the secret token value in the Secret field. The default value of Secret is empty.

b. Tap the gray Start Marvis button to apply the changes.

A message appears indicating that the value is applied.

You have successfully onboarded the Marvis client.

Verify the Installation

After you install and onboard the Marvis client, verify that those processes have run correctly.

To verify the installation:

• Confirm that the secret token value is added correctly. Close the Marvis client process and then
launch it again. Open the debug menu by tapping the Marvis icon 7 times, and verify that the secret
token value is still stored in the field.
If the secret token field is empty and the data does not persist, enter the secret token value manually,
as described in "Install Through Sideloading" on page 192. You might also need to configure the
application deployment to retain the application data.

• About 15 minutes after you onboard the Marvis client, confirm that the Marvis client data is available
on the Mist dashboard. You need to wait for a minimum of 10 minutes after onboarding the Marvis
client for the data to propagate to the Mist cloud.
If the data is not available in the Mist dashboard, a problem occurred in the client workflow of
collecting data and sending it to the Mist cloud. Contact the support team. If you are able to use
tools such as logcat or Android Debug Bridge (ADB), then you can use them to collect the Marvis
client logs and share the logs with the support team.

For Zebra devices, use the RxLogger tool to collect logs.

When you contact the support team, you must share the Marvis client UUID. You can find the UUID
on the Marvis client debug mode screen. The UUID is used to track the data flow from the Marvis
client to the Mist cloud.
 195

Marvis-Zebra Integration

SUMMARY IN THIS SECTION

Explore the benefits of integrating the Marvis Overview | 195

Android Client with Zebra Wireless Insights. Connection Events | 195

Roaming Events | 196

Voice Events | 197

Overview

The Marvis client works with Zebra Wireless Insights to provide enhanced visibility into networking and
connectivity. Zebra Wireless Insights is a service built into Zebra Android devices that provides insights
into the data, voice, and roaming events of Zebra devices. Zebra devices can directly capture client
events on the end-user side without you having to run any additional tests. Combined with the existing
event reports captured by the Mist access points (APs) and the Marvis client, these client event reports
deliver a holistic view of the network and client activity.

You can view client-reported events by using the Client-Reported tab under the Client Events section of
your Zebra device’s Client Insights Dashboard. You can switch between AP-reported events and client-
reported events by using the tabs. If your Zebra device has no client events to report, the tab is hidden.

NOTE: To view client events from your Zebra device, the device must have a valid Wireless
Insights license and the Marvis Android Client (V33.x or later) installed.

Connection Events

Mist APs provide visibility into user pre-connection and post-connection states. The Marvis client
leverages Zebra Wireless Insights to get more information about connection states, including detailed
visibility into connection events and their causes. You can view details about client connection and
disconnection events. For example, you can decipher what happens when a device tries to connect,
roam, or disconnect.
 196

Here is a sample event and the condition that triggered the event:

Disconnect Suppression Triggered: The device-management path is still active with the AP. However, the
data path is blocked—the device neither sends nor receives data from the AP. During this period, the
data tries to roam to a new AP or reconnect to the same AP. On a successful roam or reconnection to an
AP, the data path or connection resumes (indicated by the Disconnect Suppression Completed event).

Roaming Events

The Marvis client provides the roaming journey of every device with the RoamingOf query. With Zebra
Wireless Insights, you can get insights into what triggered the roam, such as poor coverage area.
 197

Voice Events

You can view and analyze information about voice calls made using Zebra devices. The Marvis client
provides details about when the call began and ended, along with the call performance. You can view a
summary of voice events both during the call and after it ends.

Zebra Wireless Insights measures the performance in terms of packet loss, latency, jitter, VoIP link
quality, and Wi-Fi link quality. The Mist cloud receives this data from the Marvis Client and displays the
data on the Insights page for a client. You can also see the description and reason for events that
occurred during the call, which provides additional insight into the experience from the client’s
perspective.
198
10 CHAPTER

Marvis App for Teams

Overview of the Marvis App for Microsoft Teams | 200

Enable or Integrate the Marvis App in Microsoft Teams | 200

Install the Marvis App in Microsoft Teams | 203

Troubleshoot Using the Marvis App | 211

Search and List Functions in the Marvis App | 219

View or Change the Organization in the Marvis App | 223

 200

Overview of the Marvis App for Microsoft Teams

SUMMARY

You can access Marvis from your Teams desktop or web client.

The Marvis Microsoft Teams app makes it easy for you to access Marvis directly from your Teams
desktop or web client. The Marvis app is integrated with Microsoft Teams. You can use the app to search
for devices, view details, troubleshoot your network and sites, and search for documentation without
having to log in to the Juniper Mist™ portal. With the Marvis app, all the information is available on
demand, right at your fingertips!

Using the Marvis app, you can log in to your organization and access information similar to how you
would access the information in the Mist portal. Network Operation Center (NOC) users can use the app
to debug all aspects of support tickets.

You can use the Marvis app as an individual user or as part of a team through a Teams channel.

This short video describes the Teams integration.

Video:

Enable or Integrate the Marvis App in Microsoft

Teams

SUMMARY IN THIS SECTION

Your Microsoft Teams administrator can enable or Enable the Marvis App in Your Teams
integrate a third-party application such as Marvis in Environment | 201
Teams. This topic provides the procedures to
integrate the Marvis app in Teams.
 201

Add the Permission Policy for the Marvis

App | 202

Assign the Policy to Users | 202

Go through these steps to enable the Marvis app, add the permission policy, and assign the permission
to the users.

NOTE: The steps might vary based on updates and changes Microsoft makes to the Teams
Admin Center. We recommend that you refer to the Microsoft documentation if the following
steps look different from what you expect.

Enable the Marvis App in Your Teams Environment

To enable the Marvis app in your Teams environment:

1. In your web browser, navigate to the Microsoft Teams Admin Center (https://
admin.teams.microsoft.com).
2. Log in using your administrator account (Teams admin or Global admin) credentials.
3. From the left menu, select Teams apps > Manage apps.
 202

4. On the Manage apps page, search for Marvis.

You'll see the Marvis app listed with the status as Blocked.
5. Click the Marvis app.
6. On the Marvis details page, change the status to Allowed.

The Marvis app is now enabled in your Teams environment.

Add the Permission Policy for the Marvis App

Permission policies allow you to control which users can use the Marvis app. You can control the access
by creating and applying the policy to specific users. You can either create a policy or edit the default
policy. We recommend that you create a policy.
To add the permission policy for the Marvis app:

1. From the left menu of the Microsoft Teams Admin Center window, select Teams apps > Permission
policies.
2. Click Add. Provide a name and description for the policy.
3. Under Third-party apps, select an option that suits your organization's requirement. We recommend
that you select Allow specific apps and block all others. This option enables you to select the apps
that you want to allow in your Teams environment.
4. Click Allow apps.
5. Search for the Marvis app.
6. Select the Marvis app from the search results and click Add.
7. Click Allow.
8. Click Save.

Assign the Policy to Users

You can assign the policy to specific users or to a group of users.

To assign the policy to users:

1. From the left menu of the Microsoft Teams Admin Center window, navigate to the policy page.
2. To assign the policy to specific users:

a. Select the policy, click Manage users, and then click Assign users.

b. Add the users and then click Apply.

 203

NOTE: If you want to assign the policy to all users in your organization, modify the Global policy
to allow the Marvis app. However, we do not recommend modifying the Global policy because it
affects all users in your organization.

After you assign the policy, the Marvis app will be available to the users or Teams channels based on the
assigned permission policy.

Install the Marvis App in Microsoft Teams

SUMMARY IN THIS SECTION

Follow these procedures to install the Marvis app,
connect it to your Juniper Mist™ organization, and
add the app to a Teams channel.
Install the Marvis App in Teams | 203
Connect to Your Mist Organization | 205
Add the Marvis App to a Microsoft Teams
Channel | 209

Teams users can install and use the Marvis app only if the administrator allows the app in the Teams
environment. Additionally, the administrator must make the app available to users through permission
policies. See "Enable or Integrate the Marvis App in Microsoft Teams" on page 200.

Install the Marvis App in Teams

To install the Marvis app in Teams:

1. From the left pane of your Microsoft Teams window, select Apps.
2. Enter Marvis in the Search box and click the Search icon.
You'll see the Marvis app listed in the search results.
3. Select the app and click Open.
 204

You'll see the following window, which indicates that you have successfully installed the app:
 205

4. Next, you'll need to connect to your organization in the Mist portal.

Connect to Your Mist Organization

To connect to your Mist organization:

1. Enter the following details to log in to your organization:

• Cloud environment name (for example, Global 01, Global 02). You can obtain this information
from the Mist portal login screen.
 206

• Organization ID (Org ID)

You can find your Org ID on the Organization > Settings page in the Mist portal.
 207

• Org Token

You can generate the Org token on the Organization > Settings page in the Mist portal. The Org
token operates like the user-based API token, but it is tied to a particular organization. Org token
permission is based on the Access Level and Site Access options you select.

To create a token:

a. Click Create Token under the API Token section on the Settings page.

b. Enter a name and click Generate. The generated key is the Org Token.
208
 209

2. Click Connect. A successful connection displays the following window:

Add the Marvis App to a Microsoft Teams Channel

You can add the Marvis app to a Microsoft Teams channel as a team member. Members of that Teams
channel can then query Marvis for information.

Before you add Marvis to a Teams channel, you must install the app in Teams and connect the app to the
organization, as described in the previous sections.

To add the Marvis app to a Microsoft Teams channel:

1. In the left pane of your Microsoft Teams window, select Apps.

2. Enter Marvis in the Search box and click the Search icon.
You'll see the Marvis app listed in the search results.
3. Click the app and select Add to a Team.
 210

4. Select the Teams channel.

 211

That's it! You and your team members can start asking Marvis questions.

5. Use the @marvis prompt to enter your first question.

Troubleshoot Using the Marvis App

SUMMARY IN THIS SECTION

Follow these procedures to troubleshoot issues with Troubleshoot a Wireless Client | 212
wireless and wired clients, devices, and sites. Troubleshoot a Wired Client | 213

Troubleshoot a Device | 213

 212

Troubleshoot Unhappy Devices or

Clients | 215

Troubleshoot a Site | 217

Troubleshoot a Wireless Client

Using the Marvis app, you can view failures of a wireless client and its associated access point (AP).

To check whether a wireless client is experiencing any issues, enter a phrase such as "Troubleshoot client
name" in the Teams window.
Here's an example that shows the details Marvis provides for the phrase "troubleshoot client
name." In this case, Marvis reports that the client is experiencing an authorization error due to a
connection timeout.

You can click the issue to view details. You can click the Client Insights or Failure Timeline option
for more details. In some cases, Marvis also provides recommendations to fix the issue, as the
screenshot shows.
 213

Here are some sample phrases that you can use to troubleshoot wireless clients:

• how was <client name> on June 22nd

• tshoot client <mac or name> on June 21

Troubleshoot a Wired Client

To view wired clients that are experiencing issues, use phrases such as the following:

• tshoot wired client <mac>

• troubleshoot client name

Here's an example that shows the details Marvis provides for the phrase "tshoot wired client
<mac>".

Troubleshoot a Device

You can use the Marvis app to check for issues on APs, switches, or WAN edge devices.

To check whether a device is experiencing any issues, enter a phrase such as "tshoot switch name" or
"tshoot device name" in the Teams window.
Here's an example that shows the details Marvis provides for the phrase "tshoot switch name." In
this case, Marvis reports that two clients connected to the switch experienced an authentication
failure.
 214

You can click the issue to view details. You can click the Switch Insights or Failure Timeline option
for more details. In some cases, Marvis also provides recommendations to fix the issue, as the
following screenshot shows:
 215

Troubleshoot Unhappy Devices or Clients

To check for devices experiencing issues (unhappy devices), simply enter the phrase "unhappy <device
type>" in the Marvis chat window. For example, if you want to view unhappy WAN edge devices, enter
"unhappy WAN edges" and Marvis will show all the WAN edges that are experiencing issues.

Here are a few examples. You can click any device to view the issues.

Unhappy WAN edges:

Unhappy APs:
 216

Unhappy Switches:
 217

Unhappy Wireless Clients:

Troubleshoot a Site

You can use the Marvis app to troubleshoot sites to identify site-level failures.

To check whether a device is experiencing any issues, enter a phrase such as "troubleshoot site name" in
the Teams window.
Here's an example that shows the details Marvis provides for the phrase "troubleshoot site name."
Marvis shows the troubleshooting results for the site. Marvis classifies these failures under the
following categories:

• Wireless

• Wired

• WAN
 218

You can click the expand arrow to view more details. You can drill down further to view site-level
insights and device-level insights.
 219

Search and List Functions in the Marvis App

SUMMARY IN THIS SECTION

Use the Marvis App to search for devices, sites, and Search for Devices and Sites | 220
documentation.
 220

Search for Documentation | 221

List Function | 222

Search for Devices and Sites

You can use the Marvis app to search for devices such as wireless or wired clients, access points (APs),
switches, and WAN edge devices based on the device’s name or MAC address. You can also search for
sites by site name. To search for a device or site, simply enter the device or site name in the Marvis chat
window.

The search results provide links to the Insights page for the device or site. Note that you can even search
using partial names.

Here's an example:

Here are some examples of phrases that you can use to search for a device or site:

• <client name>

• Search <ap mac> <switch model>

 221

• Find <WAN edge mac>

• <wired client mac>

• <site partial name>

• Locate <client username>

Search for Documentation

You can search for documentation without having to go to the Juniper Networks documentation portal.
To search for documentation, enter a phrase such as "doc search <text>" in the Marvis chat window. It is
not necessary to enter the exact name of the topic. You can enter a word or phrase, and Marvis displays
all topics containing the text you entered. The following screenshot shows the results of a
documentation search using the phrase "doc search <text>".

In the following screenshot, notice that Marvis displays documentation links even though the phrase
does not contain the key words such as "doc" or "search.".
 222

List Function

You can also use the list function to view information such as unhappy clients, access points (APs)
running an incorrect firmware version, and switches in a site.

To determine which clients are experiencing connectivity issues (which we also refer to as unhappy
clients), use phrases such as, "list unhappy wireless clients" or "list unhappy clients" without providing
details.

Marvis displays a list of clients that are experiencing issues. You can select any client from the list to
view the details.

Here is an example that shows the details that Marvis displays for "unhappy clients."
 223

View or Change the Organization in the Marvis App

SUMMARY

Select the organization that you want to view in the Marvis app.

You can run queries against multiple organizations and also switch between organizations using the
Marvis app,

The Marvis app enables you to:

• Switch between organizations.

• View the current active organization (that is, the organization that you're connected to).
 224

• Connect to a new organization or reconnect to the active organization.

Simply type help in the Marvis chat window, and you'll see details about the configure, my_configs, and
active options:

• If you enter configure, Marvis displays the login screen. You can either reconnect to the current
active organization or connect to a different organization.
 225

• If you enter my_configs, Marvis displays the following:

• Organizations that you're connected to

• The current active organization

Selecting another organization makes it the active organization. You can query Marvis for
information about the devices and sites in that organization.
 226

• If you enter active, Marvis displays the organization that is currently active.
11 CHAPTER

Troubleshooting Examples

Troubleshooting Wireless Connectivity Issues | 228

Troubleshoot Specific Connectivity Issues by Using the Marvis Conversational

Assistant | 233

Troubleshoot a Device or Site by Using APIs | 251

 228

Troubleshooting Wireless Connectivity Issues

IN THIS SECTION

Troubleshooting with the Successful Connects SLE | 228

Explore Further on the Insights Dashboard | 230

Get Quick Recommendations About Ongoing Issues | 231

Troubleshoot with Marvis | 232

To recap the information from the various chapters of this guide, this use case shows how you can use
wireless SLEs, the Insights page, Marvis Actions, and the Marvis Conversational Assistant to investigate
and troubleshoot connectivity issues.

Typically, you wouldn't use all these tools, but this use case illustrates the valuable insights that you can
gain from these tools. Use whichever options suit your situation and your preferences for working in the
Juniper Mist™ portal.

Troubleshooting with the Successful Connects SLE

Let's start on the Wireless SLEs dashboard. SLEs offer insights into current and past issues.

NOTE: To find the Wireless SLEs dashboard, select Monitor > Service Levels from the left menu
of the Juniper Mist™ portal, and then select the Wireless button.

In this example, you see that only 22 percent of connects were successful. On the right side of the SLE
block, you see that 98 percent of the issues involved DHCP errors.
 229

NOTE: Although this example focuses on DHCP errors, you can see that this SLE provides
insights into various factors that can affect connectivity, including authorization, ARP, and DNS
issues. For more information about this SLE and its classifiers, see "Wireless Successful Connects
SLE" on page 54.

As shown in the following animation, you can click the DHCP classifier to view the Root Cause Analysis.
There, you can explore the sub-classifiers, statistics, and timeline. You can see which devices were
affected, when they were affected, and where they're located.
 230

As you explore the Root Cause Analysis page, you can discover:

• If the failures are being observed across access points (APs) or specific APs.

• If the failures are being observed for specific device types or across all device types.

• If the failures are being observed across all Wireless Lans (WLANs) or a specific WLAN.

Explore Further on the Insights Dashboard

As you identify the impacted devices, you can get more details on the Insights dashboard. This
dashboard offers information about current and past issues.

NOTE: To find the Insights dashboard, select Monitor from the left menu of the Juniper Mist
portal. Then click the Insights button at the top of the Monitor page.

For connectivity issues, it's helpful to look at AP Events and Client Events.

For this example, let's look at Client Events. If you click the Bad tab at the top, you can focus on the
user-impacting issues. In this example, you see the details that are available for a DCHP timeout. For
more information about an incident, you can click the link on the client name or the AP name.
 231

Get Quick Recommendations About Ongoing Issues

The Marvis Actions dashboard offers quick recommendations about current and past issues.

In this example, the Actions dashboard shows several connectivity issues. In this example, DCHP Failure
has the highest number of issues. When you click DHCP, you see a recommended action. You also see
the scope of the issue: which sites were affected, what happened, and when the issues occurred.
 232

Troubleshoot with Marvis

If you have a Marvis subscription, you get help by clicking the Marvis icon and entering questions.

NOTE: Look for the Marvis icon at the top-left or bottom-right corner of the Juniper Mist portal.

As shown in the animation below, you can enter troubleshoot followed by the MAC address or
hostname of a device. Then interact with Marvis to get the information that you need.
 233

Troubleshoot Specific Connectivity Issues by Using

the Marvis Conversational Assistant

SUMMARY IN THIS SECTION

Understand how you can use the Marvis Troubleshoot Authorization Failures | 234
conversational assistant to troubleshoot specific Troubleshoot DHCP Issues | 242
connectivity issues.
Troubleshoot PSK Failures | 245

Troubleshoot RADIUS Authentication

Failures | 248

We cover a few troubleshooting examples so that you get an idea about how you can use the Marvis
conversational assistant to troubleshoot connectivity issues.
 234

Troubleshoot Authorization Failures

Authorization failures can be due to various reasons such as a RADIUS server not responding and clients
failing to complete the authorization process. This example shows how you can use the Marvis
conversational assistant to troubleshoot authorization failures both for a site and a client.

To troubleshoot authorization failures at a site:

1. In the Marvis conversational assistant window, enter troubleshoot followed by the site name. You
can also specify a duration.

In this example, you’ll see that Marvis identifies authorization issues in the wireless network.

2. Click the Wireless category to get some more details about the issue. In this example, you’ll see that
Marvis reports that the clients at the site faced authorization failures 36% of the time.
 235

You can investigate further by using the options displayed.

Scope of Impact

Scope of Impact provides a graphical representation of all the clients that experienced issues. You can
also choose to view the information based on a wireless LAN (WLAN), access point (AP), or radio band
by using the drop-down list on the right.
 236

Wireless SLE

The Wireless SLEs dashboard provides site-level insights and SLE classifiers. In this example, you’ll see
that the Successful Connect service-level expectation (SLE) shows that 64 percent of the connects were
successful.
 237

Click the Authorization classifier on the right to view the Root Cause Analysis page. This page provides
detailed information. You can look through each of the tabs on the page. For example, you can use the
Distribution tab to determine if the issue is being observed across:

• All APs or specific APs

• All users or specific users

• All WLANs or specific WLANs

• All device types or specific device types

 238

The Affected Items tab displays the impacted users, APs, and applications. You can drill down further by
clicking a user. The Failure Rate column indicates whether the user always fails to connect. Users
experiencing a 100-percent failure rate over a long period of time are listed under the Persistently
Failing Clients category in Marvis Actions as shown in the following example:
 239

To troubleshoot authorization failures for a client:

1. In the Marvis conversational assistant window, enter tshoot client followed by the MAC address or
hostname of the client. In the following example, you’ll see that Marvis detects an authorization error
for the client.
 240

2. Click Authorization Error to view more details. In this example, you’ll see that Marvis reports that the
client faced authorization failures 100 percent of the time.

Note that Marvis also reports this issue on the Marvis Actions page, under the Connectivity category.
 241

As we are looking into a client-specific issue, you can click Client Insights. The Client Events section lists
all the events associated with the clients. You can click the authorization failure event to see the reason
for the failure.

You can also download the packet capture for the authorization failure. Here is a sample packet capture.
You can see that the client does not respond to identity requests and repeatedly tries to connect
without providing a client identity response.
 242

Troubleshoot DHCP Issues

Clients might face connectivity issues when they fail to obtain an IP address due to a lack of response
from the Dynamic Host Configuration Protocol (DHCP) server.
To troubleshoot DHCP issues:

1. In the Marvis conversational assistant window, enter tshoot client followed by the MAC address or
hostname of the client. In the following example, you’ll see that Marvis detects DHCP issues in the
network.

2. Click DHCP Error to view the details. In the following example, you’ll see that Marvis reports that a
specific client is facing DHCP failures 100 percent of the time.
 243

You can investigate further by using the options displayed.

Scope of Impact

You can start by looking at the Scope of Impact that lists the successful and failed connection attempts.
You can use the drop-down list on the right to check whether the client is failing on one WLAN/AP or
multiple WLANs/APs.
 244

Client Insights

You can also click Client Insights to view all the client-related events. You can click the DHCP Timed Out
event to view the details of the DHCP server where the DHCP requests are failing.
 245

You can download the dynamic packet capture for a specific event. Here's a sample packet capture for a
client that experienced a DHCP Timed Out event.

Troubleshoot PSK Failures

Marvis detects preshared key (PSK) failures when a large number of clients fail to authenticate to a PSK
WLAN. A probable cause for this issue could be a recent PSK change that was not communicated to
users.
To troubleshoot PSK failures:

1. In the Marvis conversational assistant window, enter tshoot followed by the MAC address or
hostname of the client. In the following example, you’ll see that Marvis reports an authorization issue
due to an incorrect wireless password.
 246

2. Click Authorization Errors to view the details.

Investigate further by using the options displayed.

Scope of Impact

You can start by looking at the Scope of Impact that lists the successful and failed connection attempts.
You can check whether the client is failing on one or multiple WLANs.
 247

Client Insights

You can click Client Insights to view all the events associated with the client. You can click the
authorization failure event to see the reason for the failure as shown in the following example.
 248

Troubleshoot RADIUS Authentication Failures

Clients might experience an 802.1x authentication failure when a RADIUS server is down or
unreachable.
To troubleshoot RADIUS authentication failures:

1. In the Marvis conversational assistant window, enter tshoot followed by the name of the client. In
the following example, you’ll see that Marvis detects 802.1x authentication failures in the network.

2. Click Authentication Error to view the details.

 249

You can investigate further by using the options displayed.

Scope of Impact

You can start by looking at the Scope of Impact that lists the successful and failed connection attempts.
You can check whether the client is failing on one or multiple WLANs.

Client Insights
 250

You can click Client Insights to view all the events associated with the client. You can click the
authorization failure event to see the reason for the failure as shown in the following example.

You can download the dynamic packet capture for a specific event. Here's a sample packet capture:
 251

Troubleshoot a Device or Site by Using APIs

You can use the troubleshoot API to troubleshoot devices and sites from an external portal. Devices that
you can troubleshoot include clients (wired and wireless), access points (APs), switches, and WAN Edges.
You can also use the APIs to troubleshoot sites for wired, wireless, and WAN issues.

To use the Marvis APIs, you must have:

• A valid observer API token.

• Marvis subscription at the organization level.

• MAC address of the device (if you want to troubleshoot a device)

• Site ID or site name (if you want to troubleshoot a site)

Here are the details of the API queries:

• To troubleshoot a device:

GET /api/v1/orgs/:org_id/troubleshoot?mac=:device_mac
 252

If you know the hostname or username of the device, use the search API (/clients/search or /devices/
search) to get the MAC address.

You can also include the site_id option if you want the troubleshoot response to be fetched for a
device in a specific site. Include the start and end options if you want the troubleshoot response for a
specific duration.

• To troubleshoot a site:

GET /api/v1/orgs/:org_id/troubleshoot?site_id=:siteid

You can also include the type option if you want the troubleshoot response to be fetched for a
specific network issue—wired, WAN, or wireless. Note that the default type is wireless. If you have
only a WAN or wired deployment, then ensure that you specify the type. Include the start and end
options if you want the troubleshoot response for a specific duration.

The API query fetches a text-based response containing the problem category, reason, description, and
recommendation (if applicable). Here are some sample results:

• Troubleshoot a device (wireless client)

https://api.mist.com/api/v1/orgs/9777c1a0-6ef6-11e6-8bbf-02e208b2d34f/troubleshoot?
mac=50:xx:xx:xx:xx:c2

• Troubleshoot a device (wired client)

https://api.mist.com/api/v1/orgs/9777c1a0-6ef6-11e6-8bbf-02e208b2d34f/troubleshoot?
mac=3c:xx:xx:xx:xx:46
 253

• Troubleshoot a site (wireless)

https://api.mist.com/api/v1/orgs/9777c1a0-6ef6-11e6-8bbf-02e208b2d34f/troubleshoot?
site_id=978c48e6-6ef6-11e6-8bbf-02e208b2d34f

• Troubleshoot a site (wired)

https://api.mist.com/api/v1/orgs/9777c1a0-6ef6-11e6-8bbf-02e208b2d34f/troubleshoot?
site_id=978c48e6-6ef6-11e6-8bbf-02e208b2d34f&type=wired
 254

• Troubleshoot a site (WAN)

https://api.mist.com/api/v1/orgs/9777c1a0-6ef6-11e6-8bbf-02e208b2d34f/troubleshoot?
site_id=978c48e6-6ef6-11e6-8bbf-02e208b2d34f&type=wan

You can view the API documentation at https://api.mist.com/api/v1/docs/Org#troubleshoot.