Thanks Marce. There were no errors and only 4 or 5 warnings. 2 of them were incorrect as it thinks that it is looking at AireOS (based on proposed commands to fix them) and indicated NTP server missing and HA wireless mobility mac address not configured, while both are correctly configured and NTP associations show synced to public NTP server. Another one was on SI and ARP proxy recommendations. Anyway, no errors were found, and I did not expect them as everything is working fine, but just this bit lower speed on flex SSIDs. 

Hi Rich, the TCP MSS under AP join profile is at default 1250 (used to be default 1363 or something a while ago on AireOS and then it was reduced to 1250 to fix some issues with Intel drivers). So there should be no question in local or CAPWAP tunneled traffic to result into fragmentation and reassembly. I have checked everything else and there is no reason for lower speeds at locally switched SSID, unless as I think it has to do with some extra overhead for AP to incur to tag / untag the traffic. I wont be onsite for couple of days and then see if we can do a packet capture to compare for two scenarios. 

Thanks for your advice. Let me know meanwhile if anything else should be looked into.

So I still think it could be MSS.  The older AireOS docs (up to 8.4) say "TCP Adjust MSS is supported only on APs that are in local mode or FlexConnect with centrally switched WLANs".  This has been removed from docs since 8.5 and the 9800 docs refer to routers (!!!) but even the later AireOS docs talk about it applying to client traffic through the CAPWAP tunnel so I don't think it is applied to flex local switched traffic.  So I think it's up to you to apply TCP MSS adjust on your locally switched gateway router.  Have you tried that with the same value (1250) as the centrally switched traffic?

Hi Richard, this is interesting point researched by you. Even if I were to apply the command ip tcp adjust-mss 1250 under gateway (which will be core switch SVI), this will then equally apply to any wired or wireless traffic. While this adjusts end to end traffic to use lower mss for tcp traffic from client, this will potentially lower overall the achieved speeds with more overhead at least for wired connections, and my understanding is that higher speed consuming traffic will generally be 4K video, which will be TCP (as YouTube uses TCP) and also speedtest.net uses TCP.  Other services might use TCP as well for streaming. Another thing is with MSS to be 1250, the segments larger than this will be dropped if some NIC drivers fail to adjust MSS down to 1250. I will need to test it during maintenance windows when we will install, I would like to hear more if there could be side effects if applied globally to the SVI on core switch. I have never used TCP MSS adjust anywhere lower than 1360 in the past. Thanks again.

Valid concern as it will affect all traffic but it could also improve performance for all traffic.  MSS is a soft feature at layer 4 - it' not "enforced" anywhere.  It's just a convenient way of telling the endpoints to use an optimal value to avoid fragmentation. If anything ignores it (I've never seen that happen) it won't make any difference - it would just be as if you hadn't adjusted MSS at all.  They won't get dropped - they'll be fragmented - just like they are today which ultimately reduces performance.

Also 1250 is what works best for CAPWAP + other overheads for AP<->WLC transit but you could probably set it higher for the local traffic.  This is where you need packet captures to see what's actually happening.  You could experiment with different values.

Thanks Arshad. We had already ruled out any bottlenecks on underlying wired network last week with iperf tests from clients wireless vlan to server vlan and we were easily getting 900Mbps up and down on two test devices, Both test devices are very new with latest updates and drivers. Regardless, how can then you explain getting 750 to 810Mbps even with speedtest thru same test client thru same AP but on two different SSIDs, consistently. And RF environment if had any bearning here, will not make one SSID 200Meg faster. And this late afternoon, we did a remote session with TAC engineer who spent an hour and ruled out any configuration or RF issues and he is going to discuss internally and leaning towards same conclusion that I had, that it could be capability of 9115 to handle tagged traffic. With CAPWAP tunnel for centralized SSID, tunnel is pre-established, while for local switched traffic, AP needs to tag . untag on each frame basis. 

Hi Scott, thanks for your inputs as well. I believe, I have answered most of these questions in my response above. And I fully agree to not use 80MHZ width and we were not going to, as 40MHz will be more than enough and we don't want a single client to monopolize too much of Internet pipe anyway. The reason we were doing this in our test environment was to test the limits of the new gear. We were going to slide the max bandwidth from 80 to 40MHz while keeping best as option for channel width. 

That doesn't sound right - you should open a TAC case to get them to help you diagnose the issue.

of course, that was done several days ago, and they could not figure it out.