Incidents

The Incidents page provides overall information about the incidents that have occurred on the network.

On the Navigation bar, click AI Assurance > AI Analytics > Incidents. The Incidents page is displayed. The Incidents page provides a breakdown of incidents by severity and category, allowing you to focus on incidents of interest, for which you can view details. For any given incident, you can view the severity, client impact, root cause, and recommendations, as well as the events, anomalies, data, or problems that were used to identify the incident.
Incidents Page
The Incidents page has the following components:
  • Total Incidents bar chart
  • Client trends time-series chart
  • Incidents Table

The Network Hierarchy filter and Date and Time filter are displayed in the upper-right corner of the Content panel. These options control the elements displayed within the Content Panel. To modify these options, refer to Content Panel.

Total Incidents Bar Chart

Total Incidents displays the total number of incidents in "big number" format, as well as the number of incidents per severity in "bar graph" format, that occurred for the selected network node and date/time filters.
Severity Tile
Each severity level is identified by priority, ranging from P1 to P4 (P1 being the highest priority and P4 the lowest). The severity of an incident is determined by the type of the incident, duration of the incident, number of impacted clients, number of impacted APs, scope of the incident (example: a zone-level incident is more severe than an AP-level incident), and other factors. Each severity level is identified by priority and color as listed in the following table:
Table 1. Severity Levels of an Incident
Priority Severity Color
P1 Critical Red
P2 High Dark Orange
P3 Medium Orange
P4 Low Yellow

Client Trends Time-Series Chart

The interactive time-series chart provides a graphical representation of client trends, showing the new clients connecting to the network, the number of clients actively connected to the network, and the number of clients affected by the network incidents that occurred for the selected network node and date/time filters. Each client incident is identified by the following color lines:
  • Blue line: This line represents the new client associations. The client count value includes all unique clients that attempted to connect to the network, including both failed and successful connections.
  • Orange line: This line represents the connected clients. The client count value indicates only successfully connected clients to the network.
  • Green line: This line represents the impacted clients. The client count value includes the number of clients impacted by the incidents, and it also includes clients who were unable to connect.
Incident Timeline Tile

Pausing your cursor at any instance on the timeline displays an information box that shows the number of new clients, impacted clients, and connected clients at that time and date. By default, the information about new clients, connected clients, and impacted clients is displayed in the graph. You can hide any of this information displayed in the graph by selecting the New Client Associations, Connected Clients, or Impacted Clients options at the top of the graph. The information icon that is hidden is displayed in gray.

Incidents Table

The Incidents Table displays a summary of each incident that occurred for the selected network node and date/time filters. If there are more than 10 incidents, then you can select the number of incidents displayed per page from the drop-down menu at the bottom of the page.
Incidents Table

Each incident is made up of a number of attributes. Above the table are search fields that allow you to refine the incident list based on your selected search criteria. Incidents that impact multiple nodes of a network hierarchy are grouped together, this group is indicated with a + icon displayed beside the incident severity. Click the + icon to expand the group and view more information about other incidents that contribute to the selected incident and information about the parent incident to which the selected incident contributes.

The table has the following attributes:
  • Severity: Displays the severity of an incident, ranging from P1 to P4 (P1 being the highest priority and P4 the lowest). The severity of an incident is determined by the type of the incident, duration of the incident, number of impacted clients, number of impacted APs, scope of the incident (example: a zone-level incident is more severe than an AP-level incident), and other factors. Clicking this attribute displays the Incident Details page for the associated incident.
  • Date: Displays the date and time when the incident started. Clicking this attribute displays the Incident Details page for the associated incident.
  • Duration: Displays the duration of the incident.
  • Description: Displays a short description of the incident. To view the root cause, click Description attribute. The Incident Description dialog box is displayed. This dialog box displays the incident description and root cause. To view the incident details, click More Details in the Incident Description dialog box. The Incident Details page is displayed. For more information, refer to Incident Details.
  • Category: Displays the type of incident such as connection, performance, infrastructure, or security.
  • Sub-Category: Displays the sub-category of the respective categories (connection, performance, infrastructure, or security).
    Table 2. Incident Details Based on Categories and Sub-Categories
    Category Sub-Category Incident Description Scope
    Connection 802.11 Authentication 802.11 Authentication failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection DHCP DHCP failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection RADIUS RADIUS failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection Association Association failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection EAP EAP failures are unusually high in <Scope> AP/AP Group/Zone/Domain/SZ
    Connection Time To Connect Time to connect is greater than SLA threshold defined in <Zone> Zone
    Infrastructure Network The controller cluster is sending data with an incorrect future timestamp. SZ Cluster
    Infrastructure Network The controller cluster is sending data with an incorrect past timestamp. SZ Cluster
    Infrastructure Service Availability High AP-SmartZone connection failures in <Scope>. AP Group/Zone
    Infrastructure Service Availability AP service is affected due to high number of AP reboots. AP Group/Zone
    Infrastructure Service Availability AP service is affected due to high number of AP reboots AP
    Infrastructure VLAN Mismatch VLAN mismatch found in <Scope> Switch Group
    Infrastructure PoE PoE power denied in <Scope> Switch Group
    Infrastructure PoE AP(s) operating in Low Power Mode: <Scope> AP/AP Group/Zone
    Infrastructure Ethernet Physical link speed/duplex mismatch between AP and upstream device: <Scope> Zone
    Infrastructure Network The network latency between the SZ nodes is unusually high SZ Cluster
    Performance Coverage Clients with low RSS are unusually high in <Scope> AP Group/Zone
    Performance Channel Conditions
    • Sub-optimal channel conditions detected for 2.4 GHz in <Scope>
    • Sub-optimal channel conditions detected for 5 GHz (outdoor) in <Scope>
    • Sub-optimal channel conditions detected for 5 GHz (indoor) in <Scope>
    		AP Group
    Performance Load SZ controller is experiencing unusually high CPU usage. SZ Controller
    Performance Memory High memory utilization detected in <Scope> Switch
    Performance Airtime
    • Airtime Rx is unusually high in 2.4 GHz in <Scope>
    • Airtime Rx is unusually high in 5 GHz in <Scope>
    • Airtime Rx is unusually high in 6 GHz in <Scope>
    		 Zone
    Performance Airtime
    • Airtime Tx is unusually high in 2.4 GHz in <Scope>
    • Airtime Tx is unusually high in 5 GHz in <Scope>
    • Airtime Tx is unusually high in 6 GHz in <Scope>
    		 Zone
    Performance Airtime
    • Airtime Busy is unusually high in 2.4 GHz in <Scope>
    • Airtime Busy is unusually high in 5 GHz in <Scope>
    • Airtime Busy is unusually high in 6 GHz in <Scope>
    		 Zone
    Security TCP-SYN DDoS TCP SYN DDoS attack found in <Scope> Cluster/Domain/Zone/Switch Group
  • Client Impact: Displays the percentage of clients impacted by the incident.
  • Impacted Clients: Displays the number of clients impacted by the incident.
  • Scope: Displays the area of the network in which the incident was detected. Pausing your cursor over the scope displays the entire path of the network node.
  • Type: Displays the type of incident that occurred. You can view this by selecting the options from the drop-down menu. Options include SZ Cluster, Domain, Zone, AP Group and Access Point.

Click the icon at the top right of the table to export and download the complete incident list in the csv format.

Click the Date attribute or Severity attribute to display the Incident Details page for the associated incident. This page displays a detailed report of the specific incident, including the information provided in the Incidents table, as well as root cause analysis and recommended actions, network impact, and associated metrics. For more information, refer to Incident Details.

Mute an Incident

Complete the following steps to mute an incident:
  1. In the Incidents Table, click on the radio button to select an incident that you want to mute.
    Note: You can mute only one incident at a time.
  2. Click Mute at the top of the Incidents Table to mute the incident. When an incident is muted, it is hidden in the Incidents Table, and notifications via email and webhook are also muted.

Alternatively, you can mute an incident from its Incident Details page (accessible by clicking the Severity or Date attribute of the incident in the table). Refer to Mute and Unmute an Incident.

View the Muted Incident in the Incidents Table

In the Incidents Table, click the icon and select the Show Muted Incidents check box. The muted incidents are displayed in the Incidents Table with a gray background.

Unmute the Incident

Complete the following steps to unmute the incident:
  1. In the Incidents Table, click on the radio button to select the muted incident.
    Note: You can unmute only one incident at a time.
  2. Click Unmute displayed at the top of the Incidents Table to unmute the incident. When an incident is unmuted, it is visible in the Incidents Table, and notifications via email and webhook are enabled.

Alternatively, you can unmute an incident from its Incident Details page (accessible by clicking the Severity or Date attribute of the incident in the table). Refer to Mute and Unmute an Incident.