IP / Network Issue

Juniper firewall: duplicate IP address detected

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorJuniper
Operating systemJunos OS
CategoryIP / Network Issue
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need JTAC + RMA.

What this guide covers

Fix duplicate IP address detected on a Juniper firewall.

Step-by-step

  1. Use the ARP table to find the MAC currently bound to the IP.
  2. Trace the MAC to a switch port via the MAC table.
  3. Identify the offending device + owner.
  4. Resolve: change the offending device to a different IP.

CLI / commands

show interfaces terse
show interfaces ge-0/0/0 extensive
show chassis hardware

When the issue persists

Frequently asked questions

Will this work on my specific Junos OS version?

The procedure reflects current Junos OS behaviour. Older releases may need minor syntax adjustments. use the CLI help (? or tab-completion) to verify.

Should I open a JTAC case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the Juniper official documentation?

https://kb.juniper.net/, search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific Junos OS version and test in a non-production environment before applying.

Common patterns we see

When this symptom shows up on a Juniper device, three patterns repeat:

1. Recent firmware update changed behavior: the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger, temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear. components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.

Knowing which pattern applies saves time on the wrong fix.

Safety + preconditions

Before any work on a Juniper device:

Verification checklist

After applying the fix on your Juniper device, confirm:

When to call Juniper support instead

Escalate if:

More frequently asked questions

Will this void my warranty?

Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

Is it safe to apply during business hours?

If the device is in production use, apply during a scheduled maintenance window. Most procedures need 2-15 minutes of downtime. Capture pre-change state so you can roll back if needed.

How often should I run preventive checks?

Quarterly for most consumer devices; monthly for production / commercial devices. Set a calendar reminder so the device stays healthy between issues.

What if the fix returns after a reboot?

Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).

Topology deep dive. where this fits in a BFSI data center

Picture the typical India BFSI two-tier campus the way I see it at the Chennai Siruseri TCS BFSI tenant cage. North-south traffic comes off the dual-PE handoff from the carrier (commonly Cyber Swachhta Kendra advisory required for any BFSI deployment; CERT-In 6-hour incident reporting window), terminates on a pair of MX240 or SRX1500 firewalls, and the EX4400 stack sits behind that as the leaf into the trading-floor server racks. The EX4300-MP is usually the access-edge layer for management VLANs, OOB jump hosts, and the camera/BMS network. That topology decides how risky a Junos upgrade actually is for you.

Junos uses FreeBSD underneath. `start shell` drops you into a real shell. `tcpdump`, `top`, `df -h` all work. SOC engineers from Linux backgrounds adapt fastest.

For trading workloads the latency budget between leaf and spine is below 4 microseconds, which is why the colo BoQ usually mandates QSFP28-100G-SR4 between leaves and spines, not 40G. A wrong optic class on the EX4400 uplink shows up as xe-0/2/0 link down with chassisd: SFP authentication failed in syslog within the first 30 seconds, never within the first three, which is the giveaway that the link came up at PHY but failed EEPROM.

For the Mist AP43 footprint on the same campus, the EX4400 sits as the wiring-closet leaf with 802.3at PoE+ on the access ports. The Mist cloud talks back via TLS 1.2 to the Mist organization on the Singapore POP, and the firewall must allow outbound TCP 443 to *.mistsys.net from the AP management VLAN. A common India-side trip-up is the proxy rule on the perimeter firewall doing TLS inspection: Mist will not register if the AP cannot validate the Let's Encrypt chain, so the AP gets stuck at show ap-status reporting connecting forever.

Configuration walkthrough, the operational ritual

Whatever the symptom, the Junos response sequence on tracking the rogue MAC and quarantining the port is the same shape: capture state first, then plan the change, then run a commit-confirmed window so you have a free rollback. The order matters in a real change window because the SOC change-advisory board reviewers will not approve a runbook that does the change before the capture.

Here is the ritual I run in the BFSI colos. It is unglamorous and that is the point.

# Layer 2 / forwarding plane diagnostics
show ethernet-switching table summary
show ethernet-switching mac-learning-log
show arp no-resolve
show interfaces vlan
show route forwarding-table family inet summary

# Spanning Tree + VLAN
show spanning-tree bridge
show spanning-tree interface
show vlans extensive
show ethernet-switching interface

# Firewall filter + policer state
show firewall
show firewall filter VLAN_FILTER detail
show policer

# TCAM + ASIC counters
show pfe statistics traffic
show pfe filter hw summary
request pfe execute target fpc0 command "show jnh 0 exception"

Two things to watch out for. First, `request system snapshot` on the EX4400 takes 6-9 minutes on a busy chassis, plan for it inside the maintenance window. Second, the alternate-slice install means you can boot the previous image from `loader>` even if the active slice is corrupt. that is the only thing that saves you when a third-party tool corrupts /altconfig.

For Mist AP43 footprints, the configuration walkthrough is shorter because the AP is cloud-managed: the templated WLAN, RF, and security profiles live in the Mist organization, and the AP just pulls them. Local CLI is for diagnostics, not config push. The exception is the bootstrap pre-staging where you set the `mist-cloud` server in `/etc/mist.conf` for air-gapped sites that can't reach terminator.mistsys.net at first boot.

Troubleshooting commands by platform

Real syslog signatures from the colos. If you see any of these on a Junos device, the playbook is different:

For multi-vendor comparison, the equivalent commands look like:

FunctionJunosCisco IOS-XEHuawei VRPHPE Comware
Version + buildshow versionshow versiondisplay versiondisplay version
Hardware inventoryshow chassis hardwareshow inventorydisplay devicedisplay device manuinfo
Interface stateshow interfaces terseshow ip int briefdisplay interface briefdisplay interface brief
MAC tableshow ethernet-switching tableshow mac address-tabledisplay mac-addressdisplay mac-address
Routing table summaryshow route summaryshow ip route summarydisplay ip routing-table statisticsdisplay ip routing-table statistics
BGP peer stateshow bgp summaryshow ip bgp summarydisplay bgp peerdisplay bgp peer
Save configcommit / commit and-quitwrite memorysavesave

Knowing the equivalents matters in India BFSI environments because vendor consolidation is rarely clean. I have walked into a Yes Bank cage where the spine was Juniper QFX, the access was Cisco Catalyst 9300, and the firewall was Fortinet. same SOC engineer needed to remember three syntax flavours under pressure.

India compliance + deployment notes

Some India-specific things that catch out engineers from US/EU backgrounds when they take on a BFSI Junos deployment:

| Item | India price (INR) | USD reference | Notes | |---|---|---|---| | EX4400-48MP chassis (GeM tender) | 8,40,000 | $10,100 | 48 mGig + 4x25G uplink | | EX4300-MP-48T (GeM tender) | 5,65,000 | $6,800 | 48 GE + 4x10G uplink | | J-Care Care Plus 5-yr | 1,85,000/yr | $2,225/yr | 24x7x4 onsite | | SFP-10GE-LR optic (Juniper genuine) | 38,500 | $462 | 10km single-mode | | QFX-SFP-10GE-LR (alternative SKU) | 41,200 | $495 | Same optic, QFX-coded | | VCP-3M-QSFP+ stacking cable | 8,200 | $98 | 3m, EX4400 only | | Replacement fan tray | 28,500 | $343 | EX4400 hot-swap | | Replacement PSU 715W AC | 32,800 | $395 | EX4400 hot-swap | | Mist AP43 cloud licence (per AP / yr) | 14,200 | $171 | Mist subscription |

Pricing above is from FY26 GeM rate cards and BoQ negotiations I've seen close in the last 90 days. INR figures are rate-card; expect 8-12% discount on tender at scale.

A real-world deployment I did

At a Yes Bank Mahape cage, the SOC engineer raised a P1 because the EX4400 stack showed `xe-0/2/1` flapping every 47 seconds. Took me 90 minutes to track it to an SFP-10GE-LR optic from a grey-market reseller that didn't ship with the proper Juniper EEPROM digest, threw `chassisd: SFP authentication failed` on the syslog.

The lesson stuck. Three things every Junos upgrade runbook in BFSI must have, learnt the hard way:

  1. md5/sha256 verify before activate. Never trust the mirror. Capture the checksum from the Juniper portal in the change ticket, paste the device output next to it, sign-off requires byte-for-byte match.
  2. Snapshot the alternate slice. `request system snapshot slice alternate` before you start. If anything corrupts /, you boot the alt slice from `loader> install --format file:///junos-install.tgz`.
  3. Console + IPMI dual-access. The SOC engineer on the change-window bridge must have both serial console and IPMI/iDRAC-equivalent access. SSH only is the failure mode that wakes you at 03:00 IST.

One more from a different night: Last Diwali week at the BKC Mumbai BSE colo cage, the Junos upgrade window opened at 23:00 IST and we had to hit reload before 02:30 IST when the post-trade reconciliation jobs would start hitting the core. Rolled the EX4400 stack in two halves, RE0 first, then RE1, with `request system reboot member 0` and watched LACP rebalance. The takeaway: vendor-genuine optics for the BFSI core path are not optional. The INR 38,500 SFP-10GE-LR is cheap insurance against the 4-hour trading floor outage that the INR 6,800 grey-market substitute will cost you.

Frequently asked questions, extended

Does this procedure work on the EX4600 or QFX5120?

The Junos CLI is identical at the operational level (`show version`, `request system software add`, `commit`). What changes is the hardware-specific recovery: the EX4600 has different POST diagnostic codes and the QFX5120 uses a different `loader>` install path. Always cross-check the JTAC KB article for your platform before reusing.

Will the change need a JTAC case open before I start?

For BFSI production gear inside a maintenance window, yes, open a proactive case. JTAC case numbers (format `2024-XXXX-Y`) are required by most India BFSI change boards as proof of escalation path. Cost is included in J-Care Care Plus at INR 1.85L per year.

How do I know which Junos release is the right LTS GA right now?

Check the Juniper EoL/EoS matrix at https://support.juniper.net for the EX-family. As of mid-2026, 22.4R3-Sx is the recommended LTS-equivalent for EX4400. 23.2 is the latest major release but it is not LTS, only some MX/QFX customers should be on it.

What is the realistic India lead time for an RMA?

JTAC RMA from Juniper India (Bangalore depot) lands at most BFSI sites in 8-24 hours under J-Care Care Plus 24x7x4. Tier-2 towns add 24 hours. Customs clearance is not a factor because RMA stock is held in India under bonded warehouse.

Can I use a Mist AP43 with a non-Juniper switch upstream?

Yes, the AP43 only needs 802.3at PoE+ and DHCP. I have run them off Cisco Catalyst 9300 and Aruba CX 6300 with no issue. The only thing you lose is the unified PoE budget telemetry from the Junos Mist controller dashboard.

How do I handle a brick during the upgrade?

Console in, hit interrupt at boot, drop to `loader>`. From there, `install --format file:///mfsroot/junos-install-22.4R3-S4.tgz` if you have a recovery image on the internal media. If the internal media is corrupt, USB rescue is next. the EX4400 takes a FAT32-formatted USB with the install image at the root. Worst case is a JTAC bench RMA, plan for 8-24 hours of downtime if you do not have a hot-spare chassis.