Disable Proxy ARP on FTD Interfaces Using FlexConfig

Available Languages

Download Options

  • PDF     (258.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (310.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (332.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 16, 2026
Document ID:225755

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Issue

Hosts on an FTD interface are unable to use statically assigned IP addresses and report "duplicate IP address" errors before falling back to 169.254.x.x addresses. Packet capture analysis reveals that when the host sends a gratuitous ARP (ARP probe) for its own IP address, the firewall responds claiming ownership of that IP address, preventing successful static IP assignment.

Environment

  • Cisco Secure Firewall 2120 running FTD software version 7.4.4 (applicable to all versions and models)
  • Cisco Secure Firewall Management Center (FMC) for device management
  • Proxy ARP enabled on FTD by default.

Resolution

The issue is resolved by disabling Proxy ARP on the affected interface using a FlexConfig policy deployed through FMC. This prevents the firewall from responding to ARP probes for IP addresses it does not explicitly own.

1: Navigate to the FlexConfig section in FMC and create a new FlexConfig policy to disable Proxy ARP on the specific interface. The Sysopt_noproxyarp and the negating Sysopt_noproxyarp_negate are default objects in the FMC and can be cloned for custom use. 

Navigate to FlexConfiginline_image_0.png

 2: Add the configuration command to the FlexConfig policy sysopt noproxyarp IFNAME:

Add Configuration Command to FlexConfig Policyinline_image_1.png

Replace IFNAME with the actual name of your affected interface.

3: Associate the new object to the FlexConfig policy of the FTD and deploy it through FMC. The configuration is applied to disable Proxy ARP behavior on the specified interface.

Associate New Object to the FlexConfig Policyinline_image_2.png

4: After deployment, test the static IP assignment on the affected host. The firewall must no longer be able to respond to ARP probes for unassigned IP addresses, allowing hosts to successfully use their static IP configurations without duplicate IP address errors.

When applicable, consider disabling Proxy ARP at the NAT rule level rather than interface-wide to minimize unintended impact on other network functions. This provides more granular control over Proxy ARP behavior.

Cause

Proxy Address Resolution Protocol (Proxy ARP) was enabled on the FTD interface, causing the firewall to respond to ARP probes for IP addresses it did not explicitly own. This behavior resulted in hosts detecting a duplicate IP address condition during static address assignment. The firewall Proxy ARP functionality was responding with its own MAC address when hosts performed gratuitous ARP requests, making it appear as though the desired IP address was already in use by another device.

Related Content

Revision History

Revision Publish Date Comments
1.0
17-Apr-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Echo Quiroz-Garcia
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products