Incidents

The Incidents page provides overall information about the incidents that have occurred on the network.

On the navigation bar, select AI Assurance > AI Analytics > Incidents. The Incidents page is displayed. The Incidents page provides a breakdown of incidents by severity and category, allowing you to focus on incidents of interest, for which you can view details. For any given incident, you can view the severity, client impact, root cause, and recommendations, as well as the events, anomalies, data, or problems that were used to identify the incident.
Incidents Page
The Incidents page has the following components:
  • Total Incidents bar chart
  • Client trends time-series chart
  • Incidents Table

The Network Hierarchy filter and Date and Time filter are displayed in the upper-right corner of the Content panel. These options control the elements displayed within the Content Panel. To modify these options, refer to Content Panel.

Total Incidents Bar Chart

Total Incidents displays the total number of incidents in "big number" format, as well as the number of incidents per severity in "bar graph" format, that occurred for the selected network node and date/time filters. The capsule next to the Total Incidents count indicates the change in incident volume compared to the previous period, based on the currently selected time range. A green capsule displays the number of incidents decreased from the previous period. A red capsule displays the number of incidents increased from the previous period. A grey capsule with a 0 indicates no change in the incident count. The previous period is determined relative to the selected range. For example, if the current period is 'Last 7 Days', the comparison is made against the 7 days preceding that range.

Note: Muted incidents are not counted in the metrics displayed in the chart.
Severity Tile
Each severity level is identified by priority, ranging from P1 to P4 (P1 being the highest priority and P4 the lowest). The severity of an incident is determined by the type of the incident, duration of the incident, number of impacted clients, number of impacted APs, scope of the incident (example: a zone-level incident is more severe than an AP-level incident), and other factors. Each severity level is identified by priority and color as listed in the following table:
Table 1. Severity Levels of an Incident
Priority Severity Color
P1 Critical Red
P2 High Dark Orange
P3 Medium Orange
P4 Low Yellow

Client Trends Time-Series Chart

The interactive time-series chart provides a graphical representation of client trends, showing the new clients connecting to the network, the number of clients actively connected to the network, and the number of clients affected by the network incidents that occurred for the selected network node and date/time filters. Each client incident is identified by the following color lines:
  • Blue line: This line represents the new client associations. The client count value includes all unique clients that attempted to connect to the network, including both failed and successful connections.
  • Orange line: This line represents the connected clients. The client count value indicates only successfully connected clients to the network.
  • Green line: This line represents the impacted clients. The client count value includes the number of clients impacted by the incidents, and it also includes clients who were unable to connect.
Incident Timeline Tile

Pausing your cursor at any instance on the timeline displays a tooltip showing the number of new clients, impacted clients, and connected clients based on the selected network node and date/time filters. By default, the graph displays data for all three client categories. You can toggle the visibility of each category - New Client Associations, Connected Clients, or Impacted Clients - using the options at the top of the graph. When a category is hidden, its corresponding icon appears grayed out.

Incidents Table

The Incidents Table displays a summary of each incident that occurred for the selected network node and date/time filters. If there are more than 10 incidents, then you can select the number of incidents displayed per page from the drop-down menu at the bottom of the page.
Incidents Table

Each incident is made up of a number of attributes. Above the table are search fields that allow you to refine the incident list based on your selected search criteria. Incidents that impact multiple nodes of a network hierarchy are grouped together, this group is indicated with a + icon displayed beside the incident severity. Click the + icon to expand the group and view more information about other incidents that contribute to the selected incident and information about the parent incident to which the selected incident contributes.

The table has the following attributes:
  • Severity: Displays the severity of an incident, ranging from P1 to P4 (P1 being the highest priority and P4 the lowest). The severity of an incident is determined by the type of the incident, duration of the incident, number of impacted clients, number of impacted APs, scope of the incident (example: a zone-level incident is more severe than an AP-level incident), and other factors. Clicking this attribute displays the Incident Details page for the associated incident. You can filter incidents by severity using the Severity drop-down above the table.
  • Date: Displays the date and time when the incident started. Clicking this attribute displays the Incident Details page for the associated incident.
  • Duration: Displays the duration of the incident.
  • Description: Displays a short description of the incident. To view the root cause, click Description attribute. The Incident Description dialog box is displayed. This dialog box displays the incident description and root cause. To view the incident details, click More Details in the Incident Description dialog box. The Incident Details page is displayed. For more information, refer to Incident Details.
  • Category: Indicates the functional classification of the incident based on its nature or impact area, such as Connection, Performance, Infrastructure, or Security. You can filter incidents by category using the Category drop-down above the table.
  • Sub-Category: Displays the sub-category of the respective categories (connection, performance, infrastructure, or security). You can filter incidents by sub-category using the Sub-Category drop-down above the table.
    Table 2. Incident Details Based on Categories and Sub-Categories
    Category Sub-Category Incident Description Scope
    Connection 802.11 Authentication 802.11 Authentication failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection DHCP DHCP failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection RADIUS RADIUS failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection Association Association failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection EAP EAP failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection Time To Connect Time to connect is greater than SLA threshold defined in <Zone> Zone
    Infrastructure Network The controller cluster is sending data with an incorrect future timestamp SZ Cluster
    Infrastructure Network The controller cluster is sending data with an incorrect past timestamp SZ Cluster
    Infrastructure Service Availability High AP-SmartZone connection failures in <Scope> AP Group/Zone
    Infrastructure Service Availability AP service is affected due to a high number of AP reboots AP Group/Zone
    Infrastructure Service Availability AP service is affected due to a high number of AP reboots AP
    Infrastructure VLAN Mismatch VLAN mismatch found in <Scope> Switch Group
    Infrastructure PoE PoE power denied in <Scope> Switch Group
    Infrastructure PoE AP(s) operating in Low Power Mode: <Scope> AP/AP Group/Zone
    Infrastructure Ethernet Physical link speed/duplex mismatch between AP and upstream device: <Scope> Zone
    Infrastructure Network The network latency between the SZ nodes is unusually high SZ Cluster
    Infrastructure Loop Detection Layer 2 loop detected in <Scope> Cluster/Domain/Switch Group

    (One incident per Switch Group)
    Infrastructure LLDP Status LLDP status of <Scope> Switch Group
    Infrastructure Port Flap Port flap detected in <Scope> Switch
    Performance Coverage Clients with low RSS are unusually high in <Scope> AP Group/Zone
    Performance Channel Conditions
    • Sub-optimal channel conditions detected for 2.4 GHz in <Scope>
    • Sub-optimal channel conditions detected for 5 GHz (outdoor) in <Scope>
    • Sub-optimal channel conditions detected for 5 GHz (indoor) in <Scope>
    		AP Group
    Performance Load SZ controller is experiencing unusually high CPU usage. SZ Controller
    Performance Memory High memory utilization detected in <Scope> Switch
    Performance Airtime
    • Airtime Rx is unusually high in 2.4 GHz in <Scope>
    • Airtime Rx is unusually high in 5 GHz in <Scope>
    • Airtime Rx is unusually high in 6 GHz in <Scope>
    		 Zone
    Performance Airtime
    • Airtime Tx is unusually high in 2.4 GHz in <Scope>
    • Airtime Tx is unusually high in 5 GHz in <Scope>
    • Airtime Tx is unusually high in 6 GHz in <Scope>
    		 Zone
    Performance Airtime
    • Airtime Busy is unusually high in 2.4 GHz in <Scope>
    • Airtime Busy is unusually high in 5 GHz in <Scope>
    • Airtime Busy is unusually high in 6 GHz in <Scope>
    		 Zone
    Security TCP-SYN DDoS TCP SYN DDoS attack found in <Scope> Cluster/Domain/Zone/Switch Group
    Performance Congestion Port congestion detected in <Scope> Switch
    Performance Uplink Congestion Uplink Port congestion detected in <Scope> Switch Group
  • Client Impact: Displays the percentage of clients impacted by the incident.
  • Impacted Clients: Displays the number of clients impacted by the incident.
  • Scope: Displays the area of the network in which the incident was detected. Pausing your cursor over the scope displays the entire path of the network node.
  • Type: Displays the entity level at which the incident occurred. You can filter incidents by type using the Type drop-down above the table.
  • Visibility: Indicates whether an incident is muted or unmuted. This column helps you quickly distinguish between the two using visual icons; the icon represents an unmuted incident, while the icon represents a muted incident. By default, only unmuted incidents are displayed in the table. Muted incidents are hidden unless explicitly filtered using the Visibility filter and do not trigger email or webhook notifications. You can use the Visibility filter above the table to view all, muted, or unmuted incidents.

Click the icon at the top right of the table to export and download the complete incident list in the csv format.

Click the Date attribute or Severity attribute to display the Incident Details page for the associated incident. This page displays a detailed report of the specific incident, including the information provided in the Incidents table, as well as root cause analysis and recommended actions, network impact, and associated metrics. For more information, refer to Incident Details.

Muting or Unmuting an Incident

Based on business priorities or operational considerations, you may choose to ignore certain incidents. In such cases, the incidents can be muted to prevent them from cluttering the Incidents table and triggering unnecessary notifications. You can manage incident visibility in the Incidents table using the Mute and Unmute options. By default, all incidents are unmuted and automatically displayed in the table. Muting an incident hides it from the Incidents table and suppresses both email notifications and webhook triggers. Muted incidents are also excluded from incident counts and related graph. To review muted incidents, use the Visibility filter, which provides options to show all, muted, or unmuted incidents. You can mute or unmute multiple incidents in bulk.

Muting an incident applies only within the current scope (such as Domain, Zone, AP Group, and so on) and does not affect its visibility in other scopes where the incident may also appear.

Complete the following steps to mute or unmute an incident:
  1. In the Incidents Table, select the radio button next to the incident you want to mute or unmute.

    You can select multiple incidents using the checkboxes to perform bulk mute or unmute actions.

    Note: Selecting a group incident does not automatically select its associated child incidents. To mute or unmute all incidents within a group, each child incident must be selected individually.

    The action bar appears at the top of the table with Mute and Unmute options. Based on the current status of the selected incident(s), either Mute or Unmute will be disabled (grayed out).

  2. Click Mute or Unmute as appropriate to update the visibility of the incident.

    The Visibility column in the Incidents table will reflect the change with the corresponding icon.