TTechclick All lessons
Cisco Meraki · Operations · TroubleshootingInteractive · L1 / L2

Meraki Troubleshooting — Find the Fault Before the Phone Rings

Packet Capture. Event Log. Meraki Insight. Live Tools. Skip the wall of text — pick a tool below, watch a real "Wi-Fi slow hai" complaint get diagnosed live, ask the in-page AI tutor anything, and you're done.

📅 2026-05-31 · ⏱ 11 min · 3 interactive demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Cisco Meraki troubleshooting the AI-era way — pick a tool, watch a real complaint get diagnosed live, run the in-page tool flow, and master Packet Capture, Event Log, Insight & Live Tools in 11 minutes instead of an hour.

By the end of this lesson you'll be able to
Read it as:

Pick a tool — jump straight to it

1

Packet Capture

See the actual bytes on the wire — live in the browser or downloaded to Wireshark.

 2

Event Log

The network's diary. Filter by one client and read their whole connectivity story.

 3

Meraki Insight

"Is it the network or the app?" — Web App Health + WAN Health answer it.

 4

Live Tools

Ping, Cable Test, Throughput, Blink LED — one-click checks, no CLI.

Before the tools — the one mindset that saves you hours

🧒 ELI5: Imagine the network is a hospital. A patient (user) says "I feel sick" (slow Wi-Fi). You don't guess — you take their temperature (Ping), look at their chart (Event Log), take an X-ray (Packet Capture), and check the lab report (Insight). Each tool answers a different question.
🏛 Architect view: The four tools map onto the OSI stack. Cable Test = L1, MAC table + Event Log = L2, Ping/Throughput = L3/L4 reachability, Packet Capture = full-stack truth, and Meraki Insight = L7 application experience. Design your runbook to descend the stack only as far as the symptom demands.

Meraki's whole pitch is cloud-managed visibility: instead of SSHing into a box, you open dashboard.meraki.com and every tool is one click away. But that convenience hides a trap — students fire the wrong tool first and waste an hour.

One sentence to memorise: "Symptom picks the tool, not the other way round." A user says "slow Wi-Fi" → start at the Event Log, not Packet Capture. A switch port is dead → start with Cable Test, not Insight. Drill this in — Troubleshooting is the single largest domain on the ECMS 500-220 exam at 30% weighting.

Meraki troubleshooting toolbox — four tools mapped to the questions they answer A central Meraki Dashboard cloud connecting to four labelled tool panels — Packet Capture, Event Log, Meraki Insight and Live Tools — each annotated with the question it answers and the OSI layer it targets. Meraki Dashboard dashboard.meraki.com · one cloud, every tool ① Packet Capture "What is actually on the wire?" Full stack · .pcap ② Event Log "What happened to this client?" L2/L3 · timeline ③ Meraki Insight "Network or app to blame?" L7 · health score ④ Live Tools "Is it reachable right now?" Ping · Cable · Tput THE RULE Symptom picks the tool — descend the OSI stack only as far as the complaint demands.
Figure 1 — The four Meraki visibility tools, each owning a different question. Start where the symptom points.
📦
Packet Capture
tap to flip

The ground truth. View live in the browser or download a .pcap for Wireshark. Captures kept ~7 days for Intelligent Capture.

📓
Event Log
tap to flip

A searchable timeline of auth, DHCP, roaming and dis-associate events. Filter by MAC, hostname or device.

📊
Insight
tap to flip

Paid add-on. Splits a problem into Network-Layer vs App-Layer performance scores so you stop blaming the wrong thing.

🔧
Live Tools
tap to flip

One-click checks run from the device: Ping, Cable Test, Throughput, MAC table, ARP, Blink LEDs. No CLI, no SSH.

Warm-up · before we start

A user phones the helpdesk: "Internet hi nahi chal raha." Which tool answers fastest whether their device even authenticated and got an IP?

Correct: b. The Event Log shows association, 802.1X/PSK auth and DHCP events for that exact client — one filter and you instantly see if they authed and got a lease. Packet capture is overkill for this; Insight measures app experience, not auth.
Warm-up · before we start

You want to inspect the real DHCP DISCOVER/OFFER exchange byte-by-byte. Where do you go?

Correct: a. Byte-level inspection of a DHCP handshake needs an actual packet capture — Meraki puts it under Network-wide > Monitor > Packet capture, where you pick the device, interface and filter, then view live or download the .pcap.
Warm-up · before we start

The cable test on a switch port reports a fault at "8 metres". What does that most likely mean?

Correct: b. Cable Test uses TDR to estimate where on the copper run a pair is open or shorted — "8 m" tells the onsite tech roughly where to look. It is copper-only (ANSI/TIA-568); fibre needs DOM, not Cable Test.

① Packet Capture — the ground truth

When logs disagree and theories fly, the packet capture settles the argument. Meraki runs it from the Dashboard: Network-wide > Monitor > Packet capture. Pick the device (MX, MS or MR), choose the interface, optionally add a filter expression, then View output below (live in the browser) or Download .pcap for Wireshark.

Scenario · Sneha, NOC analyst at an Infosys campus

Finance laptops on VLAN 30 keep landing on a wrong subnet. Sneha suspects a rogue DHCP server. Instead of guessing, she captures port 67/68 on the MX and watches who answers the DISCOVER.

▶ Watch a rogue-DHCP capture unfold

Click Play. Each stage lights up as Sneha drives the capture from the Dashboard.

① OPEN Network-wide → Monitor → Packet capture
② SCOPE Device = MX-Edge-01 · Interface = LAN (VLAN 30) · Filter = port 67 or port 68
③ DISCOVER 10.30.10.55:68255.255.255.255:67 · client broadcasts DHCP DISCOVER
④ OFFER 10.30.99.7:6710.30.10.55:68 · a second server answers — not the sanctioned 10.30.0.1
⑤ SPOT Two OFFERs in the capture → rogue DHCP at 10.30.99.7 confirmed
⑥ FIX Enable DHCP server blocking on the MS switch port hosting 10.30.99.7 → case closed
Press Play to step through Sneha's capture. Each press of Next advances one stage.

Capture options you'll actually use

🔎
Filter (BPF)
tap

Use host, port, net. Example: host 10.20.30.40 and port 443. Narrow first — full captures get noisy fast.

Duration / count
tap

Set a packet count or time limit. The Dashboard truncates long captures — set a sensible window so you don't miss the event.

☁️
Intelligent Capture
tap

On MR & MS — captures auto-trigger on anomalies, store in the cloud (~7 days), and are downloadable later. Great for "it only breaks at 9 AM".

🪞
Port Mirror
tap

On MS, mirror source ports to one destination port + a laptop running Wireshark. The destination port stops serving clients — that's expected.

The #1 packet-capture trap

Symptom you see: you configure a port mirror, plug in your laptop, and get zero traffic — or the mirrored client loses its connection. Cause: the mirror destination port stops processing normal protocols — it becomes a one-way "black hole" that only spits out copied frames and serves no client. If you forget to disable the mirror afterward, the next onsite tech inherits a dead port. Also: MS120/125/130 cannot capture on switch ports connected to another MS switch in the same Dashboard network. Mirror only as long as you need, then turn it off.

Pause & predict

You mirror four 1 Gbps uplink ports to a single 1 Gbps destination port during a busy hour. Your capture shows gaps and missing packets. Why?

Oversubscription. Four 1 Gbps sources can push up to 4 Gbps into one 1 Gbps destination — the port physically can't keep up, so frames are silently dropped from the capture. Mirror fewer ports, or capture closer to the problem (single client port), or use Intelligent Capture instead.
Quick check · Q1 of 10

Sneha runs a Dashboard packet capture on the MX LAN with filter port 67 or port 68 and sees TWO DHCP OFFERs for one DISCOVER. What has she found?

Correct: a. One DISCOVER should draw exactly one OFFER from the authorised server. Two OFFERs from two different source IPs means a second (rogue) DHCP server is on the segment. The capture's source IP names the culprit; enable DHCP server blocking on its switch port.

② Event Log — the network's diary

The Event Log lives at Network-wide > Monitor > Event log. Every association, 802.1X/PSK auth, DHCP lease, roam and dis-associate gets a timestamped line. The superpower is the Client filter: type a MAC, hostname or custom name and the log collapses to one user's story. Add the device filter and event-type filter to slice further.

Scenario · Rahul, L1 support at a TCS delivery centre

A developer complains her laptop "drops every few minutes". Rahul filters the Event Log to her hostname and immediately sees a repeating 802.11 disassociationreassociation pattern every ~90 seconds — a roaming/sticky-client problem, not an outage.

Event Log filtering flow — from raw firehose to one client's story A left-to-right flow: a busy unfiltered event log, then a client filter, then a device filter, then an event-type filter, producing a clean readable timeline of one client's association, auth, DHCP and roam events. Raw firehose 10:00 assoc clientA 10:00 dhcp clientB 10:01 auth clientC 10:01 roam clientA 10:02 disassoc clD 10:02 dhcp clientE 10:03 auth clientA 10:03 assoc clientF ...hundreds more... Client filter +device +type One client's story — hostname "lakshmi-lt" 10:00:12 802.11 association → AP-3F-04 10:00:13 WPA2 auth success 10:00:14 DHCP lease 10.30.10.55 /22 10:01:44 802.11 disassociation (idle) 10:03:11 802.11 disassociation (idle) 10:04:40 802.11 disassociation (idle) DIAGNOSIS Repeating disassoc every ~90 s = sticky-client / aggressive idle timeout — NOT a network outage.
Figure 2 — The Event Log funnel: filter the firehose down to one client and the fault pattern jumps out.
Dashboard path + filter you'd type 
Network-wide  >  Monitor  >  Event log
  Client:      lakshmi-lt          (hostname, MAC, or custom name)
  Device:      AP-3F-04
  Event types: association, disassociation, 802.1X, DHCP
Expected output 
10:00:12  association        AP-3F-04  ch149  -58 dBm
10:00:13  WPA2 auth          success
10:00:14  DHCP lease         10.30.10.55 (4h)
10:01:44  disassociation     reason: client idle timeout
10:03:11  disassociation     reason: client idle timeout
10:04:40  disassociation     reason: client idle timeout
Pause & predict

The Event Log for one client shows association then 802.1X auth failure repeating, but no DHCP line ever appears. Where is the fault?

Authentication, not IP. The client reaches the AP (association succeeds) but RADIUS rejects it — wrong credentials, expired cert, or a RADIUS server unreachable. DHCP never runs because the client never gets onto the network. Fix the 802.1X / RADIUS path before touching anything else.
Quick check · Q2 of 10

Rahul filters the Event Log to one laptop and sees disassociationreassociation every ~90 seconds. What's the most likely root cause?

Correct: b. A periodic disassoc/reassoc pattern for a single client points to roaming behaviour or an aggressive idle timeout, not a network-wide fault — if it were an outage, every client would show it. Check signal strength, min-bitrate, and idle-timeout settings for that SSID.

③ Meraki Insight — "network or app to blame?"

The hardest helpdesk question is "the app is slow — is it your network or their cloud?" Meraki Insight (MI) answers it. Web App Health assigns each monitored application a Performance Score, split into Network-Layer (latency, loss, jitter to the app) and Application-Layer (server response time, goodput). A score under 80% turns red and lists the affected networks.

🧒 ELI5: Insight is like a delivery-tracking app. It tells you whether your pizza is late because the road is jammed (network layer) or because the kitchen is slow (application layer) — so you stop yelling at the wrong person.
🏛 Architect view: MI separates per-flow goodput and application response time at the threshold boundary. WAN Health independently scores each uplink (incl. WAN2/LTE failover) on latency, loss, jitter and availability — design dashboards so a single red tile localises fault domain before any human investigates.
Scenario · Priya, network engineer at an HCL-managed account

Salesforce "is slow" across one branch. Priya opens Insight: the Network-Layer score is green (96%) but the Application-Layer score is red (61%). Translation: her LAN/WAN is healthy — the slowness is in the SaaS app / its CDN path. She closes the ticket against her network with evidence, not opinion.

▶ Insight splits the blame — watch it decide

"Salesforce slow" enters; Insight separates network from app and points the finger.

① COMPLAINT "Salesforce slow at Pune branch" hits the helpdesk
② OPEN MI Insight → Web App Health → select Salesforce → Pune network
③ NET-LAYER Network-Layer score = 96% · latency/loss/jitter to app all healthy
④ APP-LAYER Application-Layer score = 61% · server response time elevated
⑤ VERDICT Net green + App red → the SaaS app / its path is slow, not Priya's network
⑥ ACT Close ticket with evidence · escalate to app owner / check WAN Health on the failover uplink
Watch how MI converts a vague complaint into a measurable, defensible verdict.
Meraki Insight decision tree — is the network or the application to blame? A decision tree starting from an application-slow complaint, branching on Network-Layer score and Application-Layer score, leading to four verdicts: app fault, WAN fault, LAN/Wi-Fi fault, or healthy. "App is slow" open Insight → Web App Health Network-Layer score ≥ 80%? YES App-Layer ≥ 80%? All healthy look elsewhere APP / SaaS fault escalate to app owner NO WAN Health red? YES WAN / ISP fault check uplink, failover NO LAN / Wi-Fi fault Event Log + Live Tools Two scores + WAN Health localise the fault domain before a human touches anything.
Figure 3 — Insight decision tree: Network-Layer vs Application-Layer scores plus WAN Health point you straight at the fault domain.
Quick check · Q3 of 10

Insight shows a Web App with Network-Layer = 96% (green) and Application-Layer = 61% (red). What does this tell Priya?

Correct: c. Network-Layer green means latency/loss/jitter to the app are fine — Priya's LAN/WAN is healthy. Application-Layer red means server response time / goodput is the bottleneck, which lives on the SaaS/app side. She closes the network ticket with evidence and escalates correctly.

④ Live Tools — one-click checks, no CLI

Live Tools run from the device itself, straight in the Dashboard. On a switch: Switch > Monitor > Switches, click the switch name (not the checkbox), then the Tools tab. The MX has its own Live Tools too, including a traceroute / per-hop loss view. The headline tools:

📡
Ping
tap

From the device to any host. Verifies reachability + latency. Behaviour differs slightly per platform (MX/MS/MR) but the answer is the same: can it get there?

🔌
Cable Test
tap

TDR on copper (ANSI/TIA-568). Reports pair status + fault distance. Copper only — fibre needs DOM, not Cable Test.

🚀
Throughput
tap

Measures real link throughput from the device. Confirms whether the pipe delivers the speed the user expects.

💡
Blink LED + MAC/ARP
tap

Blink LEDs to find the right device in a rack; the MAC table / ARP tools show what's learned on each port — perfect for "which port is this device on?".

Scenario · Karthik, field engineer at a Flipkart warehouse

A barcode scanner on port 14 is dead. Karthik runs Cable Test from the Dashboard before driving 40 km onsite: it reports an open pair at 11 m. He tells the onsite tech exactly where to look — saving a wasted trip.

▶ Live Tools diagnosis ladder

"Port 14 device is dead" — climb the ladder one rung at a time.

① OPEN Switch → Monitor → Switches → click switch → Tools tab
② CABLE Run Cable Test on port 14 → result: open pair @ 11 m
③ MAC Check MAC table → port 14 shows no learned MAC (device not seen)
④ PING Ping the scanner's last-known IP 10.40.14.22100% loss
⑤ VERDICT L1 cable fault confirmed — not config, not the device. Replace the run.
⑥ GUIDE Blink LED on the switch so the onsite tech finds the exact unit + port fast
Notice the order: L1 (cable) → L2 (MAC) → L3 (ping). Climb only as far as you need.
Live Tools troubleshooting ladder mapped to the OSI stack A vertical ladder of Live Tools from Layer 1 to Layer 7 — Cable Test at L1, MAC table at L2, Ping and Throughput at L3 and L4, and Meraki Insight at L7 — with the guidance to climb only as far as the symptom requires. Climb the stack — only as far as the symptom L7 · Application Meraki Insight — Web App Health, response time, goodput L4 · Transport Throughput test — does the pipe deliver expected speed? L3 · Network Ping — reachability + latency to any host L2 · Data Link MAC table / ARP / Event Log — is the device even learned? L1 · Physical Cable Test (TDR) + Blink LED — copper faults & locating gear start low, climb up ⚠ Packet Capture cuts across ALL layers — use it when the ladder disagrees with itself. Cable Test is copper-only · fibre uses DOM, not the Cable Test rung.
Figure 4 — Live Tools as an OSI ladder. Start at L1 and climb; Packet Capture is the cross-layer truth when rungs disagree.
Pro tips that separate L1 from L2

1. Run Cable Test before dispatching a tech — it often turns a 40 km trip into a 2-minute remote diagnosis. 2. Pair the MAC table with the Event Log: "no MAC learned + no association event" = L1/physical; "MAC learned + auth failure" = L2/auth. 3. For intermittent issues, enable Intelligent Capture so the capture exists before you knew you needed it. 4. Always disable a port mirror when you're done — a forgotten mirror destination is a silent dead port.

Quick check · Q4 of 10

Karthik runs Cable Test on a switch port and it reports "open pair at 11 m". A colleague says "just run it again on the fibre uplink the same way." What's the issue with that advice?

Correct: a. Cable Test is a TDR for copper twisted-pair. Fibre faults are diagnosed with DOM (light levels, Rx/Tx power), a separate capability — running Cable Test on a fibre port gives no meaningful result.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Meraki Documentation + community Q&A. For complex prod issues, paste your capture filter + Event Log slice into chat.techclick.in.

Common mistakes — symptom first, then cause

Mistake 1 — empty capture, blamed the tool

Symptom: you start a capture and see nothing. Cause: your BPF filter is too tight (typo in the host/port), the wrong interface is selected, or the traffic simply isn't crossing that device. Loosen the filter, confirm the interface, and verify the path with Ping first.

Mistake 2 — "the whole network is down" from one client's log

Symptom: one client's Event Log is full of disassociations and you declare an outage. Cause: you filtered to a single client and assumed it represented everyone. Clear the filter — if other clients are healthy, it's a client/RF issue, not an outage.

Mistake 3 — chasing the network when Insight says it's the app

Symptom: hours spent tuning Wi-Fi while users still complain. Cause: the Application-Layer score was red and the Network-Layer score was green — the fault was always in the SaaS app. Read both scores before you touch anything.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Where in the Dashboard do you start a packet capture on a Meraki device?

Correct: d. Packet Capture lives under Network-wide > Monitor > Packet capture. Pick device + interface + filter, then view live in the browser or download the .pcap for Wireshark.
Q6 · Apply

A user roamed buildings and now "has no internet". You filter the Event Log to their hostname and see association + WPA2 auth success but no DHCP lease line. What do you check next?

Correct: b. Auth succeeded, so credentials and RF are fine. The missing DHCP line means the client never got a lease — investigate the DHCP scope, relay/helper, VLAN, or a possible rogue server (capture port 67/68 to confirm).
Q7 · Apply

You set up a port mirror on an MS switch to capture a client's traffic with Wireshark, but the client immediately loses connectivity. Why?

Correct: d. The destination (analyzer) port becomes a one-way "black hole" — it stops processing normal protocols and serves no client. Connect only your Wireshark machine there, keep the real client on its own port (a source), and disable the mirror when finished.
Q8 · Analyze

Insight WAN Health shows the primary WAN1 uplink red (high loss + jitter) while WAN2/LTE is green, yet users still complain. Sessions aren't failing over. What's the most likely gap?

Correct: c. WAN Health scores latency/loss/jitter/availability per uplink, including failover links. A "brown-out" (up but lossy) WAN1 won't trigger a hard down/up failover unless your SD-WAN performance policy is set to fail over on loss/latency thresholds. The fix is policy tuning, not hardware.
Q9 · Analyze

A capture on an oversubscribed mirror destination shows missing packets, so an engineer concludes "the network is dropping traffic". Why is that conclusion unsafe?

Correct: b. A capture artefact (oversubscribed mirror) can look exactly like real loss. Before concluding the network drops traffic, reduce the number of mirrored ports, capture closer to the source, or check interface drop counters. Distinguish tool artefacts from real faults.
Q10 · Evaluate

A manager says: "We don't need Meraki Insight — the Event Log and packet captures already tell us everything." For a fleet that runs business-critical SaaS, is that sound?

Correct: a. Event Log and captures are reactive, point-in-time tools — brilliant for a specific fault. Insight provides ongoing, per-application performance baselining and WAN scoring that answers "network or app?" instantly and catches degradation before users call. For SaaS-heavy fleets the proactive visibility is worth the license; it complements, not replaces, the other tools.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Explain it back (self-explanation)

In one or two lines, write the rule that decides which tool you reach for first. Typing it yourself locks it into memory far better than re-reading.

👫 Teach a friend

Explain to a teammate why the mirror destination port loses connectivity, and why an oversubscribed mirror can fake "network loss". If you can teach it in 30 seconds, you own it.

⏰ Spaced recall — get a nudge in 3 days

Want a one-question recap emailed in 3 days so this sticks? Opt in (we only use it for this reminder).

Got it — we'll nudge you in 3 days. Keep practising in the Dashboard till then.

📒 Glossary

Packet Capture
A live snapshot of traffic on a Meraki device — viewable in the browser or downloadable as a .pcap for Wireshark.
Intelligent Capture
Auto-triggered, cloud-stored captures on MR & MS (~7-day retention) — great for intermittent faults you can't reproduce on demand.
Event Log
A searchable, timestamped timeline of association, auth, DHCP, roaming and dis-associate events, filterable by client and device.
Meraki Insight (MI)
A paid add-on adding Web App Health and WAN Health analytics — per-app performance scoring split into Network-Layer and Application-Layer.
Performance Score
A 0–100% Insight metric; below 80% turns red. Network-Layer covers latency/loss/jitter; Application-Layer covers server response time and goodput.
Cable Test
A copper-only TDR Live Tool (ANSI/TIA-568) reporting pair status and fault distance; fibre uses DOM instead.
Port Mirror
Copies traffic from source ports to one destination port for analysis; the destination port stops serving normal clients while active.
Goodput
The true application payload data rate (excluding overhead/retransmits) — one of Insight's Application-Layer thresholds.

📚 Sources

  1. Cisco Meraki Documentation — Packet Capture Overview (live view, .pcap download, Intelligent Capture, ~7-day retention). documentation.meraki.com
  2. Cisco Meraki Documentation — Meraki Event Log (Network-wide > Monitor > Event log; client + device filtering). documentation.meraki.com
  3. Cisco Meraki Documentation — Using the MS Live Tools & Using the Ping Live Tool & Using the MX Live tools. documentation.meraki.com
  4. Cisco Meraki Documentation — MI Web App Health Overview (Network-Layer vs Application-Layer, <80% threshold) & MI WAN Health Overview. documentation.meraki.com
  5. Cisco Meraki Documentation — Packet Captures and Port Mirroring on the MS Switch (destination-port behaviour, oversubscription). documentation.meraki.com
  6. The Meraki Community — Real-time traffic/session monitoring thread & Packet Capture on a Mirrored Port thread. community.meraki.com
  7. Cisco Learning Network — 500-220 ECMS Exam Topics (Troubleshooting = 30% of blueprint). learningnetwork.cisco.com

What's next?

That's the full Meraki visibility toolbox — Packet Capture, Event Log, Insight and Live Tools. You can now diagnose a complaint top-to-bottom before the second phone call comes in. Keep building: browse the rest of the Techclick lesson library to deepen your cloud-managed networking skills.

Browse all lessons → ← Recap Dashboard Architecture