Regarding prior use of VLAN 300: here the feedback differs whom you'll ask. Manager says that it worked fine before the migration, some users say that it didn't work back then as well. As the VLAN 300 to VLAN 30 migration was at my job start I can't comment much how well it was working before the migration.

Meanwhile I have an estimate from our Account Manager and let me state it this way: having me walking around the house twice a week for 30 mins each to reset the APs is more expensive than ordering a virtual controller.

But until then I still have to deal with the APs and unresponsive admin of the controller... *sigh*

There is enough space in the pool. We have like 40 APs and the pool is configured to use the whole /24...

VLAN 30 was created after VLAN 300, but then again: out of 38 APs in that VLAN 30, as of now 29 APs are actually working. 9 APs do not.

> There is enough space in the pool. We have like 40 APs and the pool is configured to use the whole /24...
Well it depends what DHCP server you are using ...  There is a well known issue with Microsoft DHCP server that the APs will cause the server to mark addresses as "bad" and then the server runs out of usable IPs even though there should be plenty free. Cisco provided a fix for it on AireOS but have decided not to fix it on 9800.  See the details at:
https://bst.cisco.com/bugsearch/bug/CSCvj14517
Although this is only known to happen with MS DHCP server it's possible that it could affect other products too.
So rather than assuming the addresses have not run out you should make sure <wink>

Hi Rich!

Well, 2 of the 4 IPs are not valid and are actively blocked in our firewall. According to the admin of the controller, these are IPs for another site location of theirs and not reachable from out network, but he can't get some configured out for us. I can only accept this as a given fact.

According the IPS/IDS idea: yeah, we had this idea as well. Or more exactly the idea that something is blocking or discarding packets, because the APs are behind NAT and something like WLC or another external Firewall is blocking or rate limiting our connections. But regarding our IDS/IPS: neither the IPs nor the ports can be found in the IDS logs...

In the meanwhile the WLC admin wrote an email today that he yesterday updated the second controller to a current version. The controllers were first on an older version that rejected the 9176 APs and later one controller got updated and now the second one as well.
We'll see if this update brings improvements...

"he can't get some configured out for us." = doesn't know how to or is too lazy!
But doesn't matter - the AP will always try all the WLCs it knows about so as long as it has valid addresses that's ok.

Definitely best to have all the WLCs on the right code version!

Can't really tell, but one of the controller has a firmware on that supports the 9176 APs, the other has an older version that gets rejected by the APs then.