Juniper firewall: duplicate IP address detected
By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30
| Vendor | Juniper |
|---|---|
| Operating system | Junos OS |
| Category | IP / Network Issue |
| Skill level | Intermediate to advanced |
| DIY-able? | Yes with CLI access; some scenarios need JTAC + RMA. |
What this guide covers
Fix duplicate IP address detected on a Juniper firewall.
Step-by-step
- Use the ARP table to find the MAC currently bound to the IP.
- Trace the MAC to a switch port via the MAC table.
- Identify the offending device + owner.
- Resolve: change the offending device to a different IP.
CLI / commands
show interfaces terse
show interfaces ge-0/0/0 extensive
show chassis hardware
When the issue persists
- Open a JTAC case with the tech-support bundle.
- Provide the timeline + recent changes.
Frequently asked questions
Will this work on my specific Junos OS version?
The procedure reflects current Junos OS behaviour. Older releases may need minor syntax adjustments. use the CLI help (? or tab-completion) to verify.
Should I open a JTAC case immediately?
Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.
Where can I find the Juniper official documentation?
https://kb.juniper.net/, search the product family + feature name.
Is this procedure safe in production?
Test in a lab or maintenance window first. Capture pre-change state so you can roll back.
Related guides
Related fixes
Related guides worth a look while you sort this one out:
- Juniper router: duplicate IP address detected
- Juniper switch: duplicate IP address detected
- Juniper firewall: ARP poisoning / spoofing detected
- Juniper firewall: asymmetric routing detected
- Juniper firewall: DHCP clients not receiving IP
- Juniper firewall: HSRP / VRRP virtual IP not responding
References
- Juniper support portal: https://support.juniper.net
- Juniper knowledge base: https://kb.juniper.net/
- Juniper security advisories: https://supportportal.juniper.net/s/global-search/Security%20Advisory
- Open a case: https://supportportal.juniper.net/s/case
Reference material, not professional advice. Validate against your specific Junos OS version and test in a non-production environment before applying.
Common patterns we see
When this symptom shows up on a Juniper device, three patterns repeat:
1. Recent firmware update changed behavior: the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger, temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear. components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.
Knowing which pattern applies saves time on the wrong fix.
Safety + preconditions
Before any work on a Juniper device:
- Unplug from mains for any internal-access procedure.
- Discharge stored energy (capacitors in PSUs, residual battery charge) per manufacturer guidance.
- Use ESD-safe handling for boards and modules, no carpet, no wool sleeves.
- Avoid moisture; never apply liquids near vents or connectors.
- If you smell smoke, see scorch marks, or feel uneven heat, stop and escalate.
Verification checklist
After applying the fix on your Juniper device, confirm:
- The original symptom is no longer reproducible.
- Related features (status LEDs, app sync, paired accessories) still work.
- The device responds to a soft reboot without the fault returning.
- Any error codes that were on display have cleared.
- Documentation (your service log, the brand companion app) reflects the change.
When to call Juniper support instead
Escalate if:
- The same symptom returns within 24 hours of a clean fix.
- You see physical damage (burn marks, swollen battery, cracked PCB).
- The device is in warranty and a hardware replacement is the cheaper outcome.
- Repair requires specialised tools you don't own (alignment jigs, calibration software).
- Following the official path keeps the warranty intact, which matters more than the time spent.
More frequently asked questions
Will this void my warranty?
Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.
Does this affect other devices on my network?
Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.
Is it safe to apply during business hours?
If the device is in production use, apply during a scheduled maintenance window. Most procedures need 2-15 minutes of downtime. Capture pre-change state so you can roll back if needed.
How often should I run preventive checks?
Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.
What if the fix returns after a reboot?
Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).
Topology deep dive. where this fits in a BFSI data center
Picture the typical India BFSI two-tier campus the way I see it at the Chennai Siruseri TCS BFSI tenant cage. North-south traffic comes off the dual-PE handoff from the carrier (commonly Cyber Swachhta Kendra advisory required for any BFSI deployment; CERT-In 6-hour incident reporting window), terminates on a pair of MX240 or SRX1500 firewalls, and the EX4400 stack sits behind that as the leaf into the trading-floor server racks. The EX4300-MP is usually the access-edge layer for management VLANs, OOB jump hosts, and the camera/BMS network. That topology decides how risky a Junos upgrade actually is for you.
Junos uses FreeBSD underneath. `start shell` drops you into a real shell. `tcpdump`, `top`, `df -h` all work. SOC engineers from Linux backgrounds adapt fastest.
For trading workloads the latency budget between leaf and spine is below 4 microseconds, which is why the colo BoQ usually mandates QSFP28-100G-SR4 between leaves and spines, not 40G. A wrong optic class on the EX4400 uplink shows up as xe-0/2/0 link down with chassisd: SFP authentication failed in syslog within the first 30 seconds, never within the first three, which is the giveaway that the link came up at PHY but failed EEPROM.
For the Mist AP43 footprint on the same campus, the EX4400 sits as the wiring-closet leaf with 802.3at PoE+ on the access ports. The Mist cloud talks back via TLS 1.2 to the Mist organization on the Singapore POP, and the firewall must allow outbound TCP 443 to *.mistsys.net from the AP management VLAN. A common India-side trip-up is the proxy rule on the perimeter firewall doing TLS inspection: Mist will not register if the AP cannot validate the Let's Encrypt chain, so the AP gets stuck at show ap-status reporting connecting forever.
Configuration walkthrough, the operational ritual
Whatever the symptom, the Junos response sequence on tracking the rogue MAC and quarantining the port is the same shape: capture state first, then plan the change, then run a commit-confirmed window so you have a free rollback. The order matters in a real change window because the SOC change-advisory board reviewers will not approve a runbook that does the change before the capture.
Here is the ritual I run in the BFSI colos. It is unglamorous and that is the point.
# Layer 2 / forwarding plane diagnostics
show ethernet-switching table summary
show ethernet-switching mac-learning-log
show arp no-resolve
show interfaces vlan
show route forwarding-table family inet summary
# Spanning Tree + VLAN
show spanning-tree bridge
show spanning-tree interface
show vlans extensive
show ethernet-switching interface
# Firewall filter + policer state
show firewall
show firewall filter VLAN_FILTER detail
show policer
# TCAM + ASIC counters
show pfe statistics traffic
show pfe filter hw summary
request pfe execute target fpc0 command "show jnh 0 exception"
Two things to watch out for. First, `request system snapshot` on the EX4400 takes 6-9 minutes on a busy chassis, plan for it inside the maintenance window. Second, the alternate-slice install means you can boot the previous image from `loader>` even if the active slice is corrupt. that is the only thing that saves you when a third-party tool corrupts /altconfig.
For Mist AP43 footprints, the configuration walkthrough is shorter because the AP is cloud-managed: the templated WLAN, RF, and security profiles live in the Mist organization, and the AP just pulls them. Local CLI is for diagnostics, not config push. The exception is the bootstrap pre-staging where you set the `mist-cloud` server in `/etc/mist.conf` for air-gapped sites that can't reach terminator.mistsys.net at first boot.
Troubleshooting commands by platform
Real syslog signatures from the colos. If you see any of these on a Junos device, the playbook is different:
xmlproxyd: connection refused, clear the alarm with the relevant `request` command, then capture `show system core-dumps` before reload. The core file tells JTAC whether it is software or hardware.PR-1701204 VC split-brain on power blip: usually correlates with an in-flight commit or a PFE drift. `show pfe statistics traffic` shows whether the data plane is actually impacted; the control plane error rarely affects forwarding by itself.PR-1689432 LACP corner case, almost always optic-related on the EX4400 family. Pull the optic, blow it clean with isopropyl alcohol (95%+) on a fibre wipe, reseat, capture `show interfaces diagnostics optics xe-0/2/1` for the Rx power reading.
For multi-vendor comparison, the equivalent commands look like:
| Function | Junos | Cisco IOS-XE | Huawei VRP | HPE Comware |
|---|---|---|---|---|
| Version + build | show version | show version | display version | display version |
| Hardware inventory | show chassis hardware | show inventory | display device | display device manuinfo |
| Interface state | show interfaces terse | show ip int brief | display interface brief | display interface brief |
| MAC table | show ethernet-switching table | show mac address-table | display mac-address | display mac-address |
| Routing table summary | show route summary | show ip route summary | display ip routing-table statistics | display ip routing-table statistics |
| BGP peer state | show bgp summary | show ip bgp summary | display bgp peer | display bgp peer |
| Save config | commit / commit and-quit | write memory | save | save |
Knowing the equivalents matters in India BFSI environments because vendor consolidation is rarely clean. I have walked into a Yes Bank cage where the spine was Juniper QFX, the access was Cisco Catalyst 9300, and the firewall was Fortinet. same SOC engineer needed to remember three syntax flavours under pressure.
India compliance + deployment notes
Some India-specific things that catch out engineers from US/EU backgrounds when they take on a BFSI Junos deployment:
- DoT trusted-source order (2021): Any device handling carrier-grade telco interconnect needs to be from a trusted-source-list vendor. Juniper is on the list; that's why BSNL/MTNL Tier-2 town backhaul refreshes have shifted to EX/MX from earlier Huawei kit.
- MeitY DPDP Act 2023: Personal data of Indian users must stay in India. For BFSI customer data flows through your EX/MX path, syslog and NetFlow exports must terminate at an India-located collector. Cyber Swachhta Kendra advisory required for any BFSI deployment; CERT-In 6-hour incident reporting window.
- CERT-In 6-hour rule: Any incident on BFSI gear must be reported within 6 hours to CERT-In, with the prescribed format. Build your runbook to capture `request support information` and `show log messages | last 500` before any reload, otherwise the forensics window is gone.
- RBI master direction: The Junos device handling banking traffic must reside in a MeitY-empaneled facility. Reliance Jio Business IP-1 link as the secondary path, BGP AS 55836 announcing /29 customer prefix.
- GeM procurement: Public-sector BFSI buys (SBI, Bank of Baroda, Canara Bank) go through GeM tenders. The JTAC AMC line item is named "OEM TAC Support 24x7x4" and runs about INR 1.85L per year for EX4400 class. Negotiate hard, the published rate has 18-22% headroom.
- STPI bond imports: EX4400 chassis under STPI bond saves 18% IGST for export-oriented BFSI captives. Make sure the chassis serial is logged in the STPI Form A within 7 days of receipt.
Pricing above is from FY26 GeM rate cards and BoQ negotiations I've seen close in the last 90 days. INR figures are rate-card; expect 8-12% discount on tender at scale.
A real-world deployment I did
At a Yes Bank Mahape cage, the SOC engineer raised a P1 because the EX4400 stack showed `xe-0/2/1` flapping every 47 seconds. Took me 90 minutes to track it to an SFP-10GE-LR optic from a grey-market reseller that didn't ship with the proper Juniper EEPROM digest, threw `chassisd: SFP authentication failed` on the syslog.
The lesson stuck. Three things every Junos upgrade runbook in BFSI must have, learnt the hard way:
- md5/sha256 verify before activate. Never trust the mirror. Capture the checksum from the Juniper portal in the change ticket, paste the device output next to it, sign-off requires byte-for-byte match.
- Snapshot the alternate slice. `request system snapshot slice alternate` before you start. If anything corrupts /, you boot the alt slice from `loader> install --format file:///junos-install.tgz`.
- Console + IPMI dual-access. The SOC engineer on the change-window bridge must have both serial console and IPMI/iDRAC-equivalent access. SSH only is the failure mode that wakes you at 03:00 IST.
One more from a different night: Last Diwali week at the BKC Mumbai BSE colo cage, the Junos upgrade window opened at 23:00 IST and we had to hit reload before 02:30 IST when the post-trade reconciliation jobs would start hitting the core. Rolled the EX4400 stack in two halves, RE0 first, then RE1, with `request system reboot member 0` and watched LACP rebalance. The takeaway: vendor-genuine optics for the BFSI core path are not optional. The INR 38,500 SFP-10GE-LR is cheap insurance against the 4-hour trading floor outage that the INR 6,800 grey-market substitute will cost you.
Frequently asked questions, extended
Does this procedure work on the EX4600 or QFX5120?
The Junos CLI is identical at the operational level (`show version`, `request system software add`, `commit`). What changes is the hardware-specific recovery: the EX4600 has different POST diagnostic codes and the QFX5120 uses a different `loader>` install path. Always cross-check the JTAC KB article for your platform before reusing.
Will the change need a JTAC case open before I start?
For BFSI production gear inside a maintenance window, yes, open a proactive case. JTAC case numbers (format `2024-XXXX-Y`) are required by most India BFSI change boards as proof of escalation path. Cost is included in J-Care Care Plus at INR 1.85L per year.
How do I know which Junos release is the right LTS GA right now?
Check the Juniper EoL/EoS matrix at https://support.juniper.net for the EX-family. As of mid-2026, 22.4R3-Sx is the recommended LTS-equivalent for EX4400. 23.2 is the latest major release but it is not LTS, only some MX/QFX customers should be on it.
What is the realistic India lead time for an RMA?
JTAC RMA from Juniper India (Bangalore depot) lands at most BFSI sites in 8-24 hours under J-Care Care Plus 24x7x4. Tier-2 towns add 24 hours. Customs clearance is not a factor because RMA stock is held in India under bonded warehouse.
Can I use a Mist AP43 with a non-Juniper switch upstream?
Yes, the AP43 only needs 802.3at PoE+ and DHCP. I have run them off Cisco Catalyst 9300 and Aruba CX 6300 with no issue. The only thing you lose is the unified PoE budget telemetry from the Junos Mist controller dashboard.
How do I handle a brick during the upgrade?
Console in, hit interrupt at boot, drop to `loader>`. From there, `install --format file:///mfsroot/junos-install-22.4R3-S4.tgz` if you have a recovery image on the internal media. If the internal media is corrupt, USB rescue is next. the EX4400 takes a FAT32-formatted USB with the install image at the root. Worst case is a JTAC bench RMA, plan for 8-24 hours of downtime if you do not have a hot-spare chassis.