WLC 188.8.131.52 on 2911 ISR G2
This router is placed on an external datacenter and connected to remote site (where are the APs) by a provider VPN. No nat, routing is OK.
WLC (on 2911) == local router at remote site == local APs
Local AP:
Flex connect mode
This setup is fully functional with "classic" WLANs (a WPA WLAN, for example).
We want to set up a guest WLAN with local switching (FlexConnect local switching mode + local DHCP + central auth by internal WLC web auth, local user). Simple setup.
WLC has only two interfaces:
The virtual int interface has 192.0.2.1 ip and there is no route to this IP.
Management Interface is routed and available from remote site.
AP at remote site is connected to WLC. We are able to deploy WLAN to it.
We create a WLAN with no layer 2 security and a layer 3 web policy + authentication + FlexConnect local switching + local DHCP (local server at remote site).
This guest WLAN is successfully deployed to the AP at the remote location.
We connect to the WLAN at the remote location, are redirected to https://192.0.2.1/login.html?redirect=www.google.fr/ as it should be, for example, and .... nothing.
Local packet capture shows the SYN packet but no response from there.
Client is on WEBAUTH_REQD on WLC.
Debug on WLC used:
debug client MAC
debug pm ssh-tcp enable
debug pm ssh-appgw enable
debug pm rules enable
debug pm config enable
show client detail MAC
debug pem event enable
debug pem state enable
Troubleshooting debug used at the WLC shows no HTTPS request. It seems that it never makes it to the WLC.
Following the debug strategy of the Cisco doc, we have no sshpmAddWebRedirectRules logs, for example. Trying to reach the login page produces no logs.
Last log is
How is the guest client PC able to reach this virtual interface? CAPWAP encapsulation by the AP to the WLC management IP?
Is no route needed to this virtual IP in this kind of setup?
Thanks in advance for your time.
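The symptom in the post (SYN toward the virtual interface, no reply) is easy to miss by eye in a long capture. The following script is an added example, not part of the original post or any Cisco tooling: it reads `tcpdump -nn`-style text lines, pairs each client SYN with a SYN-ACK coming back from the same server socket, and reports handshakes toward the web-auth virtual IP that were never answered. The virtual IP 192.0.2.1 comes from the post; the client address 10.10.20.50, the management address 10.0.0.10, the ports and the timestamps in the sample capture are constructed for this example.

```python
"""Find client TCP handshakes toward the WLC virtual interface that never got a SYN-ACK.

Added example (not from the original post). It parses tcpdump-style text
lines and correlates SYN / SYN-ACK pairs per client socket, so that unanswered
web-auth redirect attempts stand out from connections that did complete.
"""
import re
from collections import defaultdict

# The virtual interface IP is taken from the post.
VIRTUAL_IP = "192.0.2.1"

# Matches lines such as:
#   12:00:01.000 IP 10.10.20.50.51234 > 192.0.2.1.443: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (hypothetical client 10.10.20.50, hypothetical
# management interface 10.0.0.10). Two SYNs to the virtual IP on 443 and one
# on 80 get no reply; the connection to the management IP is answered.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.10.20.50.51234 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000 IP 10.10.20.50.51234 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000 IP 10.10.20.50.51235 > 10.0.0.10.443: Flags [S], seq 2, win 64240, length 0
12:00:03.010 IP 10.0.0.10.443 > 10.10.20.50.51235: Flags [S.], seq 3, ack 3, win 65535, length 0
12:00:04.000 IP 10.10.20.50.51236 > 192.0.2.1.80: Flags [S], seq 4, win 64240, length 0
"""


def parse_tcp_lines(text):
    """Yield one dict per line that looks like an IPv4 TCP packet summary."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_unanswered_syns(capture_text, target_ip=VIRTUAL_IP):
    """Return {(client_ip, client_port, server_port): syn_count} for every
    client socket that sent a SYN to target_ip and never saw a SYN-ACK back
    from the same server socket. Retransmitted SYNs are counted."""
    syns = defaultdict(int)
    answered = set()
    for pkt in parse_tcp_lines(capture_text):
        if pkt["dst"] == target_ip and pkt["flags"] == "S":
            syns[(pkt["src"], pkt["sport"], pkt["dport"])] += 1
        elif pkt["src"] == target_ip and pkt["flags"] == "S.":
            # SYN-ACK: dst/dport is the client socket, sport the server port.
            answered.add((pkt["dst"], pkt["dport"], pkt["sport"]))
    return {sock: n for sock, n in syns.items() if sock not in answered}


def summarize(capture_text, target_ip=VIRTUAL_IP):
    """Human-readable report of unanswered handshakes toward target_ip."""
    unanswered = find_unanswered_syns(capture_text, target_ip)
    if not unanswered:
        return f"all handshakes toward {target_ip} were answered"
    lines = [f"unanswered handshakes toward {target_ip}:"]
    for (cip, cport, sport), n in sorted(unanswered.items()):
        lines.append(f"  {cip}:{cport} -> {target_ip}:{sport}  SYNs sent: {n}, SYN-ACK: none")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
    print(summarize(SAMPLE_CAPTURE, target_ip="10.0.0.10"))
```

Run it against the text output of a capture taken on the remote-site LAN (or on the client itself) and, if the redirect target shows up only as unanswered SYNs while connections to the management address complete, the problem is between the client and whatever should answer for 192.0.2.1 rather than in the web-auth policy on the WLC.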