- play_arrow Get Started with AI Ops
- play_arrow Insights
- play_arrow Application Experience and SLE Classifiers
- play_arrow Alerts
- play_arrow Get Started with Marvis
- play_arrow Marvis Actions
- Marvis Actions Overview
- Subscription Requirements for Marvis Actions
- Layer 1 Actions
- Connectivity Actions
- AP Actions
- Switch Actions
- WAN Edge Actions
- Data Center/Application Actions
- Other Marvis Actions
- Marvis Actions: An Insight into Backend Operations
- Anomaly Detection Event Card
- AP Deployment Assessment
- play_arrow Marvis Minis
- play_arrow Conversations and Queries
- play_arrow Marvis Client
- play_arrow Marvis App for Teams
- play_arrow Troubleshooting Examples
Wired Successful Connect SLE
Use the Wired Successful Connect SLE to assess clients' experiences connecting to your wired network.
Successful Connect is one of the Service-Level Expectations (SLEs) that you can track on the Wired SLEs dashboard. Use this SLE to see if clients are able to get connected to your network, and to understand the root causes of any issues that are occuring.
To find the Wired SLEs dashboard, select Monitor > Service Levels from the left menu, and then click the Wired button.
What Does the Wired Successful Connect SLE Measure?
Juniper Mist monitors client connection attempts and identifies failures. The source of data is 802.1X events on the switch. This SLE helps you to assess the impact of these failures and to identify the root causes to address.
This SLE will show data only if you use 802.1X on the wired network to authenticate clients or if you have DHCP snooping configured.
Classifiers and Sub-Classifiers
When connection attempts are unsuccessful, Juniper Mist sorts the issues into classifiers. The classifiers appear on the right side of the SLE block.
By looking at classifiers, you see which factors are causing the most client issues. Most classifiers also have sub-classifiers, providing even more insight into the issues. (The sub-classifiers appear on the Root Cause Analysis page, which you can open by clicking a classifier.)
Let's get familiar with the Successful Connect classifiers and sub-classifiers:
DHCP—Dynamic Host Configuration Protocol (DHCP) snooping enables the switch to examine the DHCP packets and keep track of the IP-MAC address binding in the snooping table. This classifier adds a failure event every time a client connects to a network and fails to reach the bound state within a minute (DCHP timeouts).
Note:The SLE dashboard shows DHCP failures only for those switches that have DHCP snooping enabled in the port profile (within the switch template).
DHCP snooping might not always work well with endpoints that have static IPs.
Authentication—Each time a client authenticates, a client event is generated. This classifier helps you identify issues that caused authentication failures.
Sub-Classifiers:
RADIUS Server Reject VLAN—Couldn't authenticate to the specified VLAN.
Wrong Credentials—The credentials weren't valid.
RADIUS Server Unreachable—The RADIUS server was down.
Access Port Security—This classifier helps you identify client connection failures caused by access port security issues. You can configure these security features in your port profiles, and then these classifiers will be triggered as security events occur.
Sub-Classifiers:
- BPDU-Guard—Detects connection failures because of the BPDU guard configuration on the switch port. This feature is important to prevent looping, as when a switch is connected to a switch. To enable this feature, go to the port profile, and enable STP Edge.
- MAC Limit—Detects connection failures reported when a client exceeds the MAC limit configured on the switch port. For example, you might configure your port profile with a MAC limit of 2 if you have an outdoor security camera or public address system and want to prevent other devices from connecting to that port. If someone unplugs your camera and attempts to connect their own device, the MAC limit would be reached, and this event would be reflected by the MAC limit classifier.
- Dynamic ARP Inspection—Identifies client connection failures when a port drops invalid Dynamic ARP Inspection packets. This security feature prevents people from snooping for someone else's ARP address to gain access. Requires enabling ARP Inspection in the DHCP Snooping section of the port profile.
- Rogue DHCP Server—Identifies client connection failures caused by a rogue DHCP
server event. This could be an event where an untrusted port drops traffic from DHCP
servers to block unauthorized servers. Enabling this feature can prevent rogue devices
from connecting. This classifier shows any such attempts that occur. Requires enabling
DHCP snooping in the port profile. Note:
As a best practice, be sure to configure the Trusted or Untrusted setting in the port profile—typically, you want trunk ports to be trusted and access ports to be untrusted to prevent unauthorized use of ports. This is especially important in public settings where you have a camera connected to a port; this setting can prevent someone from disconnecting the camera and connecting a rogue device.
Root Cause Analysis for the Wired Successful Connect SLE
After you click a classifier in the SLE block, you'll see to the Root Cause Analysis page. Click classifiers and sub-classifiers to view timeline and scope information in the lower half of the screen.
The information in the lower half of the screen depends on what you've selected at the top.
Useful tabs in the lower half of the screen are:
Timeline—See exactly when the issues occurred.
Distribution—See which VLANs were affected.
Affected Items—See which interfaces and clients were affected and how much each one contributed to the overall impact. Also see the individual failure rate for each interface or client.
Let's look at an example involving Authentication (classifier) and Wrong Credentials (sub-classifier).
Click the Interfaces tab to see which interfaces were affected.
Click the Clients tab to see which clients were affected.
Overall Impact is the percentage that a client or interface contributed to all issues for the selected sub-classifier. For example, it can show if a client account for 20 percent or 90 percent of the issues.
Failure Rate is the impact of this issue on this interface or client. For example, it can show if an interface was unsuccessful on 20 percent or 90 percent of connection attempts.
To see more details, click the hyperlinks in the table to go to the Insights page, where you can see all client and switch events.
