I managed to bring up a fully functional WLAN guest access including WebAuth, a foreign WLC serving the APs, and an anchor WLC in a DMZ behind a FW, and considered all the details described in GAccess_41.pdf (hopefully). The deployment even survived the migration from 4.2.61 to 5.0.148, done on both controllers, of course. In short: it worked.
I came down to earth as one of the FW boxes of the FW-cluster in between the foreign and the anchor failed and the secondary FW box didn't take over instantly. The connection between foreign and anchor was down for around 5 minutes. After that, my problem began:
The foreign controller showed data connection and control connection to anchor controller up. Anchor controller showed both connections to itself up. Ping, mping and eping worked in both directions.
But for all that, the foreign controller did not export the client information to the anchor any longer.
A client associated to the guest WLAN kept on staying in the Mobility State "local" on the foreign WLC (I would have expected "Export Foreign" here?).
I have not been able to get the controllers talking to each other again so far - even a simultaneous reboot of both WLCs did not help.
Browsing the forum, I found a post mentioning a bug that can be worked around by using the same mobility group for both the foreign and the anchor WLC - unfortunately no more details.
Could this help here, too? Or is there another way to bring up the broken communication again?