
Config between Cisco WC 5508 & 9800

Nenday
Level 1

Hello Team, 

I'm moving from my old Cisco WC controller, model 5508, to the new 9800. Actually, I have finished everything with the APs, ISE and RADIUS as well.

For the guest users we use a captive portal from ISE and a special DHCP server (accessible only through the FW). Now I'm facing a small problem: from the main site I can get an IP address from that DHCP server, but from the distant site the guest users don't get an IP address.

I checked the old controller and found that DHCP relay is checked and a virtual interface is also added with address 1.1.1.1, so when users connect to the guest network (always from the old WC) they get an IP address:

 

   Suffixe DNS propre à la connexion. . . : Guest-Network
   Description. . . . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz
   Adresse physique . . . . . . . . . . . : 8C-XX-XX-XX-XX
   DHCP activé. . . . . . . . . . . . . . : Oui
   Configuration automatique activée. . . : Oui
   Adresse IPv6 de liaison locale. . . . .: fe80::
   Adresse IPv4. . . . . . . . . . . . . .: 192.2.1.134(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.224.0
   Bail obtenu. . . . . . . . . . . . . . : 23 janvier 2024 13:04:38
   Bail expirant. . . . . . . . . . . . . : 23 janvier 2024 21:04:37
   Passerelle par défaut. . . . . . . . . : 192.2.0.1
   Serveur DHCP . . . . . . . . . . . . . : 1.1.1.1
   IAID DHCPv6 . . . . . . . . . . . : 176969034
   DUID de client DHCPv6. . . . . . . . : 0
   Serveurs DNS. . .  . . . . . . . . . . : 192.1.3.11
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé


I don't know where I can align the configuration, given the big difference between the controllers.

 

Accepted Solutions

Nenday
Level 1

Hello Community, 

I want to inform you that my problem has been resolved. It was a stupid thing in my controller that we forgot to activate or ignored, and it is also not mentioned in the official Cisco documentation.

In fact, in the policy of the guest wireless I needed to enable Central DHCP and Central Authentication; then the guest directly gets an IP address and moves to the captive portal.

Thank you all for your support.

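Added example (not part of the original thread and not Cisco tooling): a small Python audit that scans a 9800 running-config excerpt for policy profiles that are centrally switched but have Central DHCP or Central Authentication turned off, the combination the accepted solution describes. The profile names and the sample config are constructed, and the script assumes each setting shows up as a `no central ...` line when disabled and is absent when enabled.

```python
import re

# Constructed running-config excerpt (sample data, not taken from the thread).
SAMPLE_CONFIG = """\
wireless profile policy guest-policy
 no central dhcp
 no central authentication
 vlan 990
 no shutdown
wireless profile policy corp-flex
 no central association
 no central dhcp
 no central switching
 vlan 20
 no shutdown
wireless profile policy guest-fixed
 vlan 990
 no shutdown
"""

KNOBS = ("switching", "dhcp", "authentication")

def parse_policy_profiles(config):
    """Return {profile: {knob: enabled}}; assumes a knob is on unless negated."""
    profiles, current = {}, None
    for line in config.splitlines():
        header = re.match(r"wireless profile policy (\S+)", line)
        if header:
            current = profiles.setdefault(header.group(1), dict.fromkeys(KNOBS, True))
        elif not line.startswith(" "):
            current = None  # left the profile stanza
        elif current is not None:
            knob = re.match(r"\s+(no )?central (\w+)\s*$", line)
            if knob and knob.group(2) in KNOBS:
                current[knob.group(2)] = knob.group(1) is None
    return profiles

def audit(config):
    """Flag centrally switched profiles with central DHCP or authentication off."""
    findings = {}
    for name, knobs in parse_policy_profiles(config).items():
        off = [k for k in ("dhcp", "authentication") if not knobs[k]]
        if knobs["switching"] and off:
            findings[name] = off
    return findings

if __name__ == "__main__":
    for name, off in audit(SAMPLE_CONFIG).items():
        print(f"{name}: centrally switched, but disabled: {', '.join(off)}")
```

Locally switched FlexConnect profiles are skipped on purpose, since disabling central DHCP is expected there.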


Is the SSID centrally switched or locally switched (FlexConnect)?

Is there a different config for the wireless for the remote site vs the main site?

 


It's FlexConnect,

the same configuration for the remote and the main site.
In the old WC it works correctly, but in the new one I don't know how to align the config so that it works on the remote site as well (because it works at the main site).

 

its FlexConnect, 
You didn't answer the crucial question though: is the SSID centrally switched or local switched?

If it's centrally switched, where is the DHCP relay being done: on the central switch/router or on the WLC (which will then require an SVI to be configured on the WLC, not recommended by Cisco as per the Best Practice guidelines below)?

Have a good read through the Best Practice guide for a start.  Note that AireOS actually does a kind of hybrid proxy/relay of DHCP (not true DHCP relay) while 9800 does standards compliant DHCP relay (same as helper address on IOS router).

hello, 

thank you for your response, 

Yes, it is a centrally switched SSID, and in the old WLC, yes, we're using the DHCP proxy option.

I'll have a good read of the best practices for the 9800 to check the best option and the best way to configure DHCP for guest users.

If it is centrally switched then the local and remote users should have exactly the same behaviour since they will all be tunnelled to the WLC over CAPWAP, so that doesn't really make sense, or are they using different WLANs with different config?  We probably need to see how you've configured your 9800 to see what you've done wrong.

marce1000
Hall of Fame

 

            - FYI : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you for your response.
My issue is different: the users on the remote site can't get a DHCP IP when they connect to the guest network (of course with the new 9800).

 

 

  - Engage in full client debugging according to: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html#toc-hId-1012496422
    You can have client debugs (so-called RadioActive Traces) analyzed with: https://cway.cisco.com/wireless-debug-analyzer/

      M.

marce1000
Hall of Fame

 

 
    Also have a checkup of the WLC configuration with the CLI command show tech wireless; feed the output into: Wireless Config Analyzer
    This procedure is strongly advised 'anyways!' and 'in all circumstances!'

 M.

thank you for your response, 

[Image: Nenday_0-1706966350322.png]

 

The only thing I get about the DHCP server is just this, and it's done on this side too.

 

 - OK, take advice from: https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#DHCPbridgingandDHCPrelay
   and/or make corrections, if needed.

 M.

Hello Rich,

Sorry, I read your response and I think I responded, but I probably forgot to submit it.

Frankly, there is a huge difference between AireOS and IOS-XE. I followed your suggestion, configured the interface (used for guest) and followed the recommendation, but I'm still in the same trouble.
Here is the command output for show run interface:

98001wlc1-9800#show run interface Vla990
Building configuration...

Current configuration : 219 bytes
!
interface Vlan990
 description Internet
 ip dhcp relay information trusted
 ip dhcp relay source-interface Vlan990
 ip address 192.17.0.4 255.255.224.0
 ip helper-address 192.17.0.1
 no mop enabled
 no mop sysid
end

 


As I said in the first post, from the main network it works properly, but the problem happens when guest users try to connect from a distant site (VPN or MPLS site).

So I tried with ping and found that the DHCP server can't ping the controller, as if the DHCP server doesn't know the route to send it on, and it's the same when sending packets (the DHCP discover goes from the controller to the server, but there is no response from the server, as if the DHCP offer doesn't know where to go and how to reach the controller).

As you said, we're talking about the route back.

Here is an example of my design to understand the situation clearly:
The WLC is at the same level as the DHCP server; both run in VMware, they are connected to the core switch, and the firewall is the gateway for network 990 (VLAN 990 is the VLAN for guests).

I've been trying some changes and many updates, but always the same result: guest users at the main site are OK, at the distant site they can't obtain an IP.

[Image: DEsign.png]

Hi @Nenday 

So let's clarify a few things:
- Is the WLAN centrally switched?
- Are you using the same WLAN and client interface for the local and remote sites?
- What does the config for the WLAN and policy profile look like?
- Is VLAN 990 the client interface?  If so you don't need DHCP relay at all because the DHCP server is in the same subnet as the client and WLC (WLC interface 192.17.0.4 255.255.224.0 and DHCP server 192.17.0.1).  In fact you don't even need the SVI, you should be using layer 2 with no SVI.  You only need to use DHCP relay when your DHCP server is not on the local subnet (same broadcast domain as client).
- Since you're obviously using 9800-CL on VMware, have you configured ESX as per the installation guide and best practices guide, with forged transmits and promiscuous mode enabled?  It will not work correctly without that.
