TTechclick All lessons
Juniper Mist · Operations · TroubleshootingInteractive · L2 / L3

Juniper Mist Troubleshooting & Marvis Actions — Dynamic Packet Capture & Anomalies

Stop chasing tickets one client at a time. Mist's AI surfaces the real problem org-wide, captures the packets for you the instant a client fails, and flags drift before users notice. Pick a path, watch the action lifecycle play out live, and own Mist troubleshooting in 11 minutes.

📅 2026-05-31 · ⏱ 11 min · 2 animated demos · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Juniper Mist troubleshooting the AI-era way — see how Marvis Actions surfaces org-wide issues, how dynamic packet capture auto-fires on a client failure, how anomaly detection flags baseline drift, and the Marvis Assistant playbook — visual, interactive, 11 minutes.

By the end you will be able to

Read it as:

Pick a path — jump straight to it

1

Marvis Actions

The proactive AI that bubbles up org-wide issues — and the four action families.

 2

Self-driving vs notify

When you let Marvis fix it itself, and when it just tells you. The trust dial.

 3

Dynamic packet capture

Auto-captured PCAP on a client failure — no console, no timing the bug.

 4

Anomalies & the playbook

Baseline drift, false-positive triage, and the Marvis Assistant fix flow.

First — the mistake almost every newcomer makes

A user files a ticket: "Wi-Fi keeps dropping." The new engineer opens that one client, stares at the timeline, and waits for the drop to happen again so they can grab a packet capture. Forty minutes later, nothing has reproduced, and the queue has six more tickets just like it.

Here is the trap: treating Mist like a manual sniffer. Mist is an AI-native operations platform. The smart move is to ask a different question — "is this one user, or are 30 users hitting the same root cause?" — and let Marvis Actions answer it. The packet capture you wanted? Mist already grabbed it automatically the moment the client failed.

🧒 ELI5: Imagine a school nurse who, instead of waiting for each kid to walk in sick, watches the whole school and says "12 kids in Class 4B have the same cough — check the AC vent." That's Marvis Actions. And it already took a photo of the problem before you asked.
🏛 Architect lens: Marvis Actions is an org-scoped anomaly-and-remediation pipeline sitting on top of streaming AP / switch / WAN telemetry. Design your ops model around action queues, not per-client RCA. Decide your self-driving trust boundary per action class, and treat dynamic PCAP as evidence that is captured at the edge and lazily collected — not something a human triggers.

So the right mental model is: Marvis finds and ranks the problem (Actions), captures the evidence for you (dynamic PCAP), and watches for drift (anomaly detection) — you decide and confirm. Let's build that model from the ground up.

Warm-up · before we start

Gut check: a user reports their laptop "won't connect." What's the fastest first move in Mist?

Correct: b. Mist's strength is org-wide, root-caused triage. Check Marvis Actions for a shared cause (missing VLAN, bad cable, auth failure), then read the client's events — a failed connection already triggered a dynamic packet capture you can download.
Warm-up · before we start

When does a Mist wireless dynamic packet capture get recorded?

Correct: b. Dynamic PCAP auto-fires on a connection failure (association, auth, DHCP, etc.). The capture is saved against that client event — look for the paperclip icon in Client Events on the Insights page. Manual captures also exist, but the "dynamic" magic is the auto-trigger.
Warm-up · before we start

Marvis can run an action by itself or only suggest it. What is the safest default for a fix that reboots or reconfigures a port?

Correct: b. Start notify-only, watch the recommendations land correctly for a few weeks, then promote low-risk classes to self-driving. Mist ships some actions self-driving by default (e.g. Intermittent WAN Connectivity) and lets you flip others — the trust dial is yours.

① Marvis Actions — the proactive AI brain

Most monitoring tools are reactive: they show you a graph and leave you to interpret it. Marvis Actions is the opposite. It continuously analyses real-time telemetry from APs, switches and WAN Edges across your entire organisation, then bubbles up the highest user-impacting issues — already root-caused, with a fix attached.

Instead of 40 "slow Wi-Fi" tickets, you get one Action: "Missing VLAN 30 on 4 switch ports at the Pune site." Fix the one cause; 40 tickets evaporate. That is the whole point.

Sneha · L1 at a large IT-services firm Sneha opens Marvis Actions on a Monday and sees a single high-priority card: "Missing VLAN" on switch 10.20.4.7, ports ge-0/0/12–15. She had 18 helpdesk tickets queued from the 3rd-floor wing. One config push, all 18 close. Marvis even told her which VLAN ID was expected versus seen.

Actions are grouped into four families. Memorise these — they map directly to the JNCIA-MistAI and JNCIS-MistAI blueprints:

Access points, switches and WAN edges stream telemetry to the Mist cloud, where Marvis correlates them, root-causes the issue, and surfaces a single ranked Action with a recommended or self-driving fix. Access Points RF, assoc, auth, DHCP Switches VLAN, PoE, cable, ports WAN Edges uplink, peer, gateway telemetry Marvis AI Correlate across org Root-cause (not symptom) Rank by user impact Attach a fix ONE ACTION Missing VLAN 30 switch 10.20.4.7 ports ge-0/0/12-15 closes 18 tickets Connectivity Switch / Wired WAN Edge Layer 1 (cable/fiber) From a thousand symptoms to one root-caused Action
Marvis ingests org-wide telemetry, correlates it, root-causes the issue, and presents a single ranked Action grouped into one of four families.

The four families cover real-world failure modes you will see every week:

🔌
Connectivity
tap to flip

DHCP scope failures, persistently failing clients, authorisation/auth failures, AP-to-cloud connectivity. The "users can't get online" family.

🧩
Switch / Wired
tap to flip

Missing VLANs, negotiation (duplex) mismatch, L2 loops, misconfigured / disabled ports, wired auth failures, traffic loops on EX switches.

🌐
WAN Edge
tap to flip

Bad WAN uplink, intermittent WAN connectivity, gateway/peer issues on SRX and Session Smart Router edges. Keeps the branch online.

🔧
Layer 1
tap to flip

Bad cable and the newer Bad Fiber Optics action — found from frame errors, link errors and traffic patterns. The physical-layer family.

▶ Watch a Marvis Action go from telemetry to closed

Click Play. Each stage lights up as the issue is detected, root-caused, surfaced, fixed and verified.

① INGEST 4 switch ports on 10.20.4.7 report clients that associate but never get an IP
② CORRELATE Marvis groups 18 failing clients → same switch, same expected VLAN 30, port config shows VLAN missing
③ ROOT-CAUSE Not "slow Wi-Fi" — the real cause is VLAN 30 absent on ge-0/0/12–15
④ SURFACE One ranked Action appears under Marvis → Actions, tagged Switch / Wired, high user-impact
⑤ FIX Self-driving (if enabled) adds the VLAN, or you click the recommended fix. 18 clients reconnect.
⑥ VERIFY Marvis confirms the clients recovered and auto-closes the Action. No human re-check needed.
Press Play to step through the lifecycle. Each press of Next advances one stage.
Quick check · Q1 of 10

Sneha sees one Marvis Action covering 18 failing clients on one switch. What is the single biggest advantage over reading 18 separate client timelines?

Correct: a. Marvis Actions trades per-symptom triage for root-cause-once. The 18 tickets share a missing VLAN; one fix closes them all. That is the entire value proposition — root cause, not symptom hunting.

② Self-driving vs notify-only — the trust dial

Every Marvis Action can run in one of two modes. This is the single most important operational choice you make, so get it crisp.

Notify-only: Marvis detects and recommends, but waits for a human to click the fix. Self-driving: Marvis applies the fix automatically and then verifies it. Some actions ship self-driving by default; others you promote once you trust them.

Rahul · NOC engineer at a managed-services provider Rahul runs 60 branch sites. He leaves Intermittent WAN Connectivity self-driving (low risk, Mist's default) so flapping links self-heal at 2 AM without paging anyone. But he keeps Bad WAN Uplink notify-only — that one can mean physically swapping a circuit, and he wants eyes on it first. In a 2025 update Mist actually moved Bad WAN Uplink off self-driving and Intermittent WAN Connectivity onto it by default — exactly Rahul's instinct.
A flowchart that asks whether the fix is reversible and low-risk, whether you trust the action class yet, and whether the change is disruptive, ending in self-driving, notify-only, or keep watching. Self-driving or notify-only? Decide per action class New Marvis Action Is the fix low-risk & reversible? NO Notify-only human approves YES Do you trust this class yet? NO Notify-only first watch a few weeks YES Self-driving auto-fix + auto-verify
A simple, defensible policy: reversible + trusted + non-disruptive → self-driving; anything else stays notify-only until proven.

Pause & Predict

You enable self-driving on a brand-new action class on day one across all 60 sites. What's the most likely regret?

An automated fix fires on a false positive — across 60 sites at once — before you ever saw it land correctly. Self-driving multiplies both the upside and the blast radius. Always run a new class notify-only first, confirm the recommendations are right for your environment, then promote it. Mist itself reclassifies which actions are self-driving-by-default precisely to manage this risk.
Quick check · Q2 of 10

Priya wants flapping branch uplinks to self-heal overnight without paging the NOC, but wants a human to confirm any action that may need a physical circuit swap. Which split matches Mist's 2025 defaults?

Correct: b. Mist made Intermittent WAN Connectivity self-driving by default (low-risk, self-heals flaps) and moved Bad WAN Uplink off self-driving (it may mean a circuit/hardware change a human should own). Priya's intent maps exactly to those defaults.

③ Dynamic packet capture — the evidence captures itself

This is the feature that makes Mist troubleshooting feel like cheating. Normally, capturing a wireless failure means SSHing to an AP, starting tcpdump, and praying the bug reproduces while you watch. Mist flips it: whenever a connection failure occurs between a client and an AP, Mist automatically records a short dynamic packet capture and saves it against that client event.

You find it in Insights → Client Events. Any event with a capture shows a paperclip icon next to the event name. Click it, download the .pcap, open it in Wireshark — the exact frames from the moment of failure, captured by the radio actually serving the client (so OFDMA, MU-MIMO, retries — all of it is there).

Ananya · L2 wireless engineer at an enterprise NOC A VIP laptop "randomly drops" twice a day. Ananya can never catch it live. She opens the user's Client Events, filters to failures, and finds two events with the paperclip. The PCAP shows the client sends a DHCP Discover but never gets an Offer — a DHCP scope exhaustion at exactly the busy hour. No live capture, no guesswork, root cause in five minutes.

▶ Watch a dynamic packet capture fire on a failure

A client fails to connect — and Mist captures the proof before you even open the dashboard.

① ASSOCIATE Client phone · 10.30.7.55 associates to AP in zone floor-3-corp
② DORA STARTS Client sends DHCP Discover → expecting an Offer from 172.16.0.10
③ FAILURE No Offer arrives — connection fails. This is the auto-trigger event.
④ AUTO-CAPTURE The serving radio writes a short dynamic PCAP of the exchange — no human, no console
⑤ ATTACH Capture is saved to the client event in Insights → Client Events, marked with a 📎 paperclip
⑥ ANALYSE You download the .pcap, open in Wireshark → Discover with no Offer = DHCP scope exhausted
See where the failure is detected (stage 3) vs where the evidence is captured and attached (stages 4–5).
Wireshark display filter — isolate the failed DHCP in the dynamic PCAP 
bootp && wlan.addr == aa:bb:cc:11:22:33   # client MAC from the event
# or, post-2024 Wireshark:
dhcp && wlan.addr == aa:bb:cc:11:22:33
Expected output (frame list) 
  812  3.114  10.30.7.55  →  255.255.255.255  DHCP  Discover  (xid 0x5e2a)
  977  4.130  10.30.7.55  →  255.255.255.255  DHCP  Discover  (xid 0x5e2a)  [retry]
 1140  5.151  10.30.7.55  →  255.255.255.255  DHCP  Discover  (xid 0x5e2a)  [retry]
        — no Offer / Ack from 172.16.0.10 —  scope exhausted
The #1 dynamic-PCAP trap

Symptom you see: a user says "it dropped at 3 PM" but the client-event list looks empty for that minute. Cause: dynamic captures fire on connection failures, not on every roam or every "feels slow" moment, and they are short. If the client simply roamed or had low throughput without an outright failure, there may be no PCAP — use a manual capture or the Marvis Assistant timeline instead. Don't assume "no paperclip" means "no problem."

Quick check · Q3 of 10

Ananya opens a failed client event, downloads the dynamic PCAP, and sees three DHCP Discovers with no Offer. What is the most defensible root cause?

Correct: c. The client successfully associated and authenticated (it reached the DHCP stage), so RF and auth are fine. Discover-with-no-Offer points squarely at DHCP: exhausted scope, missing relay/helper, or a VLAN that doesn't reach the DHCP server. The PCAP tells you exactly which DORA step broke.

④ Anomaly detection + the Marvis Assistant playbook

Marvis Actions handles known failure patterns. But what about the weird, never-seen-before drift? That's anomaly detection. Marvis learns each network's normal baseline from device telemetry, system logs and performance metrics, then flags statistically significant deviations under Insights → Events → Potential Anomalies and Optimizations.

Mist uses techniques like LSTM models to learn temporal patterns and cut false positives. The key reading skill: an anomaly is a deviation from this site's own baseline, not an absolute threshold. A 60% client-failure rate might be normal for a chaotic guest network and a screaming red flag on a clean corporate SSID.

A timeline chart showing a normal baseline band that Marvis learns, a metric line that stays inside it, then spikes outside the band and is flagged as a potential anomaly with an event card. An anomaly is drift from THIS site's learned baseline failure rate time (learned over ~weeks) learned normal band ⚠ Potential Anomaly failure rate 3× baseline site: BLR-HQ · 18:00 IST measured metric normal band flagged deviation
Marvis learns the normal band, then flags the spike outside it as a Potential Anomaly — relative to this site, not an absolute number.

When a real complaint lands, the fastest path is the Marvis Conversational Assistant. Type a natural-language question — Marvis turns it into the right query, pulls the client's events, the relevant PCAP, and the likely cause.

Marvis Conversational Assistant — ask it like a human 
troubleshoot client aa:bb:cc:11:22:33
# or
why is John Doe having a bad experience on the BLR-HQ site?
Expected reply (paraphrased) 
Client aa:bb:cc:11:22:33 had 4 DHCP failures in the last 24h on
AP "blr-hq-ap-312" (VLAN 30). DHCP Discover sent, no Offer received.
Likely cause: DHCP scope/relay on VLAN 30.  [dynamic PCAP attached]
Related Marvis Action: "DHCP Failure" — 11 other clients affected.

Here is the 4-step playbook to internalise — it runs in under two minutes:

Check Marvis Actions
tap

Is this org-wide? One Action covering many clients means a shared root cause — fix once. Always look here first.

Ask Marvis Assistant
tap

troubleshoot client <MAC>. Natural-language RCA that pulls events, PCAP and the likely cause in one reply.

Open the PCAP
tap

Client Events → 📎 paperclip → download → Wireshark. Read which step of assoc/auth/DORA actually broke.

Check Anomalies
tap

Insights → Potential Anomalies & Optimizations. Drift from baseline catches the weird stuff Actions don't yet name.

A two-column cheat sheet pairing symptoms like org-wide outage, single-user drop, never-seen drift and physical link errors with the Mist tool to reach for first. Symptom → which Mist tool first The symptom you see Reach for this first Many users down, one site/switch "whole floor's Wi-Fi is dead" Marvis Actions (root-cause once) One user fails to connect "my laptop won't get online" Client Events 📎 dynamic PCAP "It worked yesterday, feels off" no clear failure, just drift Potential Anomalies & Optimizations Flaky link, CRC / frame errors port re-negotiates, packet loss Layer 1 Actions (Bad Cable / Fiber) "Just tell me what's wrong" need fast RCA, plain English Marvis Conversational Assistant Golden rule: org-wide first (Actions), then the individual (PCAP / Assistant), then drift (Anomalies).
Pin this. Match the symptom to the right tool and you skip the 40-minute wild-goose chase.

A single VIP complains of "slow Wi-Fi" but there's no failure event and no Marvis Action. Where do you look next?

Pause & Predict

Potential Anomalies & Optimizations, plus the Marvis Assistant on that client. "Slow" without an outright failure often won't generate a dynamic PCAP or a named Action. Anomaly detection catches baseline drift (e.g. capacity or roaming degradation), and the Assistant timeline shows SLE failures like throughput or coverage for that specific user.
The false-positive trap

Symptom you see: Marvis flags a "high failure rate" anomaly on your guest SSID and a junior engineer panics. Cause: guest networks naturally churn — captive-portal drop-offs, devices that connect-and-leave. The anomaly is relative to baseline; a noisy network's baseline is already high. Validate against the actual client experience and the PCAP before you treat every flag as an outage. Marvis tunes this with LSTM models, but you still apply judgement.

Quick check · Q4 of 10

An EX switch port keeps re-negotiating and clients on it see intermittent loss. There are CRC/frame errors climbing. Which Marvis family will surface this fastest?

Correct: b. Frame errors, link errors and traffic patterns are exactly what the Layer 1 family (Bad Cable, and the newer Bad Fiber Optics) uses. A re-negotiating port with rising CRCs is a textbook bad-cable signature, not a DHCP or WAN problem.

Pause & Predict

Why does Mist capture the dynamic PCAP using the radio that's actually serving the client, rather than a separate monitor radio?

So the capture reflects exactly what the client experienced — same channel, same modulation, same OFDMA/MU-MIMO scheduling, same retries. A separate monitor radio on a different channel or with different timing can miss frames or show a different reality. Capturing on the serving radio means the PCAP is the ground truth of that session.
Three pro-tips that separate L2 from L3

1. Always triage org-wide before individual — open Marvis Actions before you open a single client. One missing VLAN can masquerade as 30 unrelated tickets. 2. Promote actions to self-driving gradually: notify-only → observe → self-driving, per class, never all at once. 3. Treat a missing paperclip as "no failure event," not "no problem" — for slow-but-connected complaints, go to Anomalies + the Assistant, not the PCAP list.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from Mist / Juniper docs + community write-ups. For a live production issue, paste the client MAC + the PCAP findings into chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Apply

Where in the Mist portal do you download an auto-captured wireless PCAP for a failed client connection?

Correct: a. Dynamic captures attach to the failed client event under Insights → Client Events, flagged with a paperclip. Click it, download the .pcap, open in Wireshark. No SSH, no manual trigger for the auto-capture case.
Q6 · Analyze

A dynamic PCAP shows the client completing association and 802.1X auth, then sending DHCP Discovers with no Offer. Which layer is the problem on, and which Marvis family would also flag it?

Correct: c. Association and auth succeeded, so RF and 802.1X are fine — the break is at DHCP (Discover with no Offer). That maps to the Connectivity family's DHCP Failure action, which would correlate it across all affected clients.
Q7 · Analyze

You enable a new switch-action class as self-driving across 40 sites immediately. Two days later, several ports were auto-reconfigured incorrectly. What's the core process failure?

Correct: d. Going straight to self-driving on an unproven class multiplied a false positive across 40 sites. The discipline is notify-only first → observe correct recommendations → promote per class. The tool isn't the failure; the rollout process was.
Q8 · Analyze

Marvis flags a "high client-failure-rate" anomaly on the GUEST SSID at a mall site. Corporate SSID is clean. Before escalating, what's the right read?

Correct: a. Anomaly detection flags deviation from a learned baseline. Guest networks churn (captive-portal drop-offs, connect-and-leave devices), so a higher failure rate may be normal. Validate with the client experience and the dynamic PCAP before escalating — judgement on top of the AI.
Q9 · Evaluate

A NOC lead wants one policy for the whole org: "every Marvis Action self-driving for fastest resolution." Evaluate this.

Correct: b. A blanket self-driving policy ignores blast radius. Low-risk, reversible, trusted classes (e.g. Intermittent WAN Connectivity) suit self-driving; disruptive or physical-change classes (Bad WAN Uplink) belong notify-only. Mist ships exactly this split by default — the policy should be per-class, not org-wide.
Q10 · Evaluate

Two engineers debate: A says "open the failing user's client timeline first," B says "open Marvis Actions first." For a wave of same-floor complaints, who's right and why?

Correct: b. A wave of same-area complaints screams "shared cause." Marvis Actions correlates org-wide and root-causes it, so one fix closes the lot. Drop to the individual client timeline and PCAP only when Actions shows no shared cause — org-wide first, individual second.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

🧠 Lock it in — explain it back

In one or two sentences, explain to a teammate why you check Marvis Actions before opening a single user's client timeline. Teaching it is the fastest way to remember it.

✓ We'll nudge you. Saved locally.

📖 Glossary — say these like an L3

Marvis Actions
Proactive AI that scans the org, root-causes high-impact issues, and surfaces one ranked Action with a fix.
Self-driving
An action Marvis applies and verifies automatically, no human click.
Notify-only
An action Marvis detects and recommends, but waits for a human to apply.
Dynamic PCAP
Short packet capture auto-recorded on a client connection failure, attached to the client event (paperclip).
Anomaly detection
Flags deviations from each network's learned baseline under Potential Anomalies & Optimizations.
Marvis Assistant
Conversational, natural-language troubleshooting — "troubleshoot client <MAC>".
Layer 1 Action
Physical-layer family: Bad Cable and Bad Fiber Optics, from frame/link errors.
SLE
Service Level Expectation — Mist's measured score for an outcome like Throughput, Coverage or Capacity.

📚 Sources

  1. Juniper Networks Docs — Marvis Actions Overview, Connectivity / Switch (Wired) / WAN / Layer 1 Actions, and Marvis Actions: Back-End Operations. juniper.net/documentation
  2. Juniper Networks Docs — Dynamic and Manual Packet Captures (Mist Wireless): auto-trigger on connection failure, serving-radio capture, Client Events paperclip. juniper.net/documentation
  3. Mist Documentation — Dynamic Packet Captures & Wireless Packet Captures — Troubleshooting When All Else Fails: DORA failure captures, Wireshark download. mist.com/documentation
  4. Juniper Networks Docs — Potential Anomalies Detected by Marvis & Anomaly Detection Event Card: baseline learning, LSTM, Potential Anomalies & Optimizations tab. juniper.net/documentation
  5. Juniper Networks Docs — Troubleshoot Specific Connectivity Issues by Using the Marvis Conversational Assistant. juniper.net/documentation
  6. Juniper Networks — November 2025 & August 2025 Mist Product Updates: Bad Fiber Optics added; Bad WAN Uplink off self-driving; Intermittent WAN Connectivity self-driving by default; WPA3 default. juniper.net/documentation
  7. Juniper Certification — Mist AI, Associate (JNCIA-MistAI / JN0-253) & JNCIS-MistAI-Wireless / -Wired blueprints: monitoring & analytics, anomaly detection, AI-driven events. juniper.net/training/certification
  8. Community write-ups — mrn-cciew "Wi-Fi PCAP with Mist" and Wolfe Systems "Dynamic Packet Capture in Juniper Mist" (practitioner field notes). mrncciew.com / wolfesystems.com.au

What's next?

That wraps the Juniper Mist series — from architecture and AP onboarding through RF/RRM, WLAN design and now AI-driven troubleshooting. Keep going: browse the full library and pick your next vendor track, or revisit any Mist lesson to lock it in.

Browse all lessons → ← Recap RF & RRM