I got to the bottom of this. I had 'prohibit arp spoofing' -> firewall prohibit-arp-spoofing enabled. I'll explain.
Because this is in a lab my gateway is 172.30.59.1 which is the uplink that was provided to me that interfaces with the lab's pfSense firewall. When running 6.3, I don't have any issues. When upgrading to 6.4, this AOS firewall rule causes a problem where I lose access to my controller.
With that firewall rule enabled, I was not able to ping my gateway and it would not show up in 'show arp' on the controller.
Removing that firewall rule, I was then able to ping the IP from another station and the arp entry showed up on the controller.
It seems as though because the 172.30.59.1 interface is assigned to a "generated" MAC address (when creating new interfaces on pfSense, it assigns a random MAC address), the arp spoofing does not allow the controller to create an ARP entry for my gateway.
Removing the firewall rule and rebooting the controller seems to make it work.
EDIT: the MAC's generated were part of RFC 7042 and are designated as unicast because they started with 00:00:5E:00:00:00 to 00:00:5E:FF:FF:FF
EDIT: it seems as though the address assigned was part of VRRP??