I encountered this issue recently when I installed a new ASAv into my topology. Unexpectedly, some Windows machines and VMs started getting 169.x.x.x APIPA addresses although they had a static IP configured.
This was caused by the NAT on my ASA interfering with proxy-arp and causing IP conflicts. By default, Cisco firewalls will proxy ARP for NAT entries.
- (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
- (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.
The solution was to add “no-proxy-arp” to the end of the NAT syntax:
```
nat (inside,outside) source static Inside-network Inside-network destination static NETWORK_OBJ_10.254.254.0 NETWORK_OBJ_10.254.254.0 no-proxy-arp
!
```
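To check a saved configuration for other identity NAT rules that still proxy ARP, the following added example (not from the original post or from Cisco) scans `nat ... source static` lines and reports those where the real and mapped objects are identical and `no-proxy-arp` is absent. The sample configuration and every object name in it other than `Inside-network` and `NETWORK_OBJ_10.254.254.0` are constructed for illustration.

```python
import re

# Manual NAT rule in the form used in the post:
# nat (real_if,mapped_if) [after-auto] [line] source static REAL MAPPED [options...]
NAT_RE = re.compile(
    r"^nat\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?:after-auto\s+)?(?:\d+\s+)?"
    r"source\s+static\s+(?P<real>\S+)\s+(?P<mapped>\S+)(?P<rest>.*)$"
)

def find_identity_nat_with_proxy_arp(config_text):
    """Return (line_no, real_if, mapped_if, object) for each active identity
    NAT rule that lacks no-proxy-arp, so the ASA will proxy ARP for it."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = NAT_RE.match(raw.strip())
        if not m:
            continue  # not a static manual NAT rule
        if m.group("real") != m.group("mapped"):
            continue  # address is translated, so this is not identity NAT
        options = m.group("rest").split()
        if "no-proxy-arp" in options or "inactive" in options:
            continue  # already fixed, or the rule is disabled
        findings.append(
            (line_no, m.group("real_if"), m.group("mapped_if"), m.group("real"))
        )
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
!
nat (inside,outside) source static Inside-network Inside-network destination static NETWORK_OBJ_10.254.254.0 NETWORK_OBJ_10.254.254.0
nat (inside,outside) source static Mgmt-network Mgmt-network destination static NETWORK_OBJ_10.254.254.0 NETWORK_OBJ_10.254.254.0 no-proxy-arp route-lookup
nat (inside,outside) source static WebServer WebServer-public
nat (dmz,outside) after-auto source static DMZ-net DMZ-net
nat (inside,outside) source dynamic any interface
"""

if __name__ == "__main__":
    for line_no, real_if, mapped_if, obj in find_identity_nat_with_proxy_arp(SAMPLE_CONFIG):
        print(f"line {line_no}: identity NAT for {obj} ({real_if},{mapped_if}) lacks no-proxy-arp")
```

A flagged rule is a candidate for review, not automatically a fault: proxy ARP only causes the conflict described above when the ASA answers ARP for addresses that hosts on that segment own.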
