The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
Interface vlan 11 – 10.9.65.1
Interface vlan 12 – 10.9.66.1
Interface vlan 13 – 10.9.67.1
wgh-anchorwlc5760-primary#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.8.252.1 YES NVRAM up up
Vlan11 10.9.65.1 YES manual up up
Vlan12 10.9.66.1 YES manual up up
Vlan13 10.9.67.1 YES manual up up
GigabitEthernet0/0 10.8.252.85 YES NVRAM down down
Te1/0/1 unassigned YES unset up up
Te1/0/2 10.8.253.1 YES NVRAM up up
Capwap0 unassigned YES unset up up
If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine; clients get an IP and the right default gateway and DNS servers when they connect, for example, to GUEST1.
However, they are not able to ping the default gateway (SVI VLAN 11: 10.9.65.1), so I cannot see any traffic leaving the Anchor WLC to continue with the Web Authentication process (CWA) using ISE. I can see that the authorization policy (“unknown” and the URL to ISE) has been pushed to the clients, but I am not redirected to the ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
I know that usually there is a Trunk (that allows the client VLANs) between a WLC and an L3 Switch when you configure multiple SSIDs, and then you configure the SVIs on the L3 Switch. However, I think this design with an L3 Link should work too because the 5760 is a WLC + L3 Switch.
My question is: why are clients not able to ping their default gateway?
I hope it makes sense.
I appreciate any thoughts and help. Thanks in advance.
The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs on the Switch (3 VLAN interfaces) and the 5760 as the DHCP Server.