Fortigate managed FortiAP with tunnelled SSID fails connection if given VLAN
I'm managing a single FortiAP 320C from a FortiGate 300D. Both v5.4.1.
The AP management communication is over a vlan (wifi-comm.v). The switch interface the FAP is on tags any untagged frames as being in the wifi-comm.v vlan. The management works fine.
The FAP has a couple of bridged SSIDs, with their own vlans. The switch interface the FAP is on allows those vlans, tagged only. This all works fine.
I've added a couple of tunnelled SSIDs, with DHCP and with the SSID interface IP being the IP used for DNS and NTP. This works just fine if I don't specify a vlan for the SSID.
However, if I specify a vlan for the tunnelled SSID, clients can make the initial connection to the FortiAP, but they and I never see any communication with the FortiGate, no DHCP, no ping, etc. I see no log entries at all on the FortiGate side when this happens.
I thought perhaps the tunnel was being built using the SSID vlan (not that that makes sense), so I tried setting the switch to allow ssid-tun.v vlan-tagged packets at the FAP switch port and at a firewall port. No change in the results.
So, I'm confused here. I thought the tunnel from the FAP meant that an SSID with a VLAN should just show up on the FortiGate in a similar manner to a normal vlan interface.
I've watched this with diag wireless-controller wlac sta_filter Client-MAC 2. The output when using a non-zero vlan looks pretty similar to the output when vlan is 0. However, there is never any DHCP ACK after the "pairwise key handshake completed."
Is anyone else using vlans in tunnelled SSIDs? Any advice would be welcome.