The network policy is the same as this picture : https://d2r1vs3d9006ap.cloudfront.net/s3_images/1113752/RackMultipart20141028-27616-11412ci-ScreenShot2014-10-28at1.24.35PM.png
Any iPhone or Android gets an IP from DHCP (192.168.77.x > VLAN 77) but can't access the Internet.
What should we check? Thank you for your assistance.
That's the IP Firewall Policy, not the Network Policy. You also need to provide a screenshot of the user profile that you are using, with the Firewalls setting expanded, to help see what is going on.
Also, are you sure your network is properly configured so that subnet can access the Internet? An easy way to check your config to see if it should work is to remove the IP firewall policy from the user profile and see if they can then access the Internet. If they can, you know the network is set up correctly. Then it's back to making sure you applied the firewall policy correctly.
AP logs are showing errors like this:
2015-11-04 18:35:30 info kernel: [fe]: IP session (id 140) 192.168.77.10/60369 -> 18.104.22.168/53, proto 17 is invalidated, reason ageout, lifetime 1 min 6 sec, user-name N/A
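The single log line above is the kind of thing worth parsing in bulk rather than reading by eye: a session that is "invalidated, reason ageout" expired on its idle timer, and a DNS query (UDP/53) that sits for over a minute without being closed means no reply ever came back through the AP. The script below is an added example, not part of this thread or of HiveOS; the log format is inferred from the one quoted line, and all lines except the first are constructed for illustration. It groups invalidated sessions by destination port and by client so you can see whether every flow from the guest VLAN ages out (pointing at routing or the gateway) or only some (pointing at the firewall policy).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first line is the one quoted in the thread, the other
# three are made up in the same format to show the grouping.
SAMPLE_LOG = """\
2015-11-04 18:35:30 info kernel: [fe]: IP session (id 140) 192.168.77.10/60369 -> 18.104.22.168/53, proto 17 is invalidated, reason ageout, lifetime 1 min 6 sec, user-name N/A
2015-11-04 18:35:31 info kernel: [fe]: IP session (id 141) 192.168.77.10/60370 -> 18.104.22.168/53, proto 17 is invalidated, reason ageout, lifetime 1 min 5 sec, user-name N/A
2015-11-04 18:35:40 info kernel: [fe]: IP session (id 142) 192.168.77.11/50012 -> 203.0.113.5/443, proto 6 is invalidated, reason ageout, lifetime 2 min 0 sec, user-name N/A
2015-11-04 18:36:02 info kernel: [fe]: IP session (id 143) 192.168.77.11/50013 -> 203.0.113.5/80, proto 6 is invalidated, reason close, lifetime 0 min 12 sec, user-name N/A
"""

# Field layout assumed from the quoted line: src/sport -> dst/dport, proto, reason, lifetime, user.
SESSION_RE = re.compile(
    r"IP session \(id (?P<id>\d+)\) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) -> (?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"proto (?P<proto>\d+) is invalidated, reason (?P<reason>\w+), "
    r"lifetime (?P<lifetime>[^,]+), user-name (?P<user>.+)$"
)

def parse_sessions(text):
    """Return one dict per 'IP session ... invalidated' line; other lines are ignored."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for key in ("id", "sport", "dport", "proto"):
            d[key] = int(d[key])
        sessions.append(d)
    return sessions

def summarize(sessions):
    """Count invalidation reasons per destination port and per client address."""
    by_port = defaultdict(Counter)
    by_src = defaultdict(Counter)
    for s in sessions:
        by_port[s["dport"]][s["reason"]] += 1
        by_src[s["src"]][s["reason"]] += 1
    return by_port, by_src

def diagnose(sessions):
    """Flag DNS queries that aged out and clients none of whose sessions ever closed normally."""
    by_port, by_src = summarize(sessions)
    dns = by_port.get(53, Counter())
    hosts_all_ageout = sorted(
        src for src, reasons in by_src.items()
        if reasons["ageout"] == sum(reasons.values())
    )
    return {
        "dns_ageout": dns["ageout"],        # DNS queries with no reply before the idle timer
        "dns_closed": dns["close"],         # DNS sessions that completed
        "hosts_all_ageout": hosts_all_ageout,
    }

if __name__ == "__main__":
    result = diagnose(parse_sessions(SAMPLE_LOG))
    print(result)
    if result["dns_ageout"] and not result["dns_closed"]:
        print("Every DNS session aged out: check the default gateway/upstream path before the firewall policy.")
```

Run it against a real `show log` export in place of SAMPLE_LOG; if DNS sessions only ever age out and some clients never see a single closed session, the packets are leaving the AP but nothing is coming back, which matches the advice above to verify gateway reachability before tuning the firewall policy.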
Check that DHCP is completing successfully and is supplying the right information to clients, that is, that you're seeing an expected IP address, subnet mask, default gateway and DNS server(s).
Can you ping the IP address of the default gateway?
I can ping the IP of the interface mgt0.1 (192.168.77.1) but not the defined gateway in the DHCP options (192.168.77.254).
The management address of the AP should be in a different, isolated VLAN to your guest traffic.
I suggest that you take a step back and look at your VLAN and subnet design and make sure it makes sense before you go further.
The two AP121s have manual IP addresses from our internal network (each one has its own management IP on the mgt0 interface) and the DHCP server is set on the mgt0.1 interface.
VLAN 88 has been set up on our internal network. Internet access is OK!
The VLAN Probe test is showing that the new vlan is available.
And show arp shows:
Internet 192.168.99.1 0 Incomplete ARPA (and the interface detail has no VLAN)
(192.168.99.1 is the IP address of the mgt0.2 interface of the new DHCP server)
For example, on the working VLAN:
Internet 192.168.77.1 21 e01c.41bc.2040 ARPA Vlan77
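The contrast between the two ARP lines is the whole diagnosis: an "Incomplete" entry with no interface means the switch sent ARP requests for 192.168.99.1 and never got a reply, which is what you see when the VLAN is not actually carried to the AP's port, whereas the working VLAN resolves to a MAC on Vlan77. The parser below is an added example, not part of this thread or of any vendor tool; it assumes the usual IOS-style `show arp` column layout (Protocol, Address, Age, Hardware Addr, Type, Interface) and the sample table is constructed around the two lines quoted above plus one made-up entry.

```python
# Constructed sample modelled on the two 'show arp' lines quoted in the thread;
# the 192.168.88.1 entry is made up to show a healthy second VLAN.
ARP_SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.77.1            21   e01c.41bc.2040  ARPA   Vlan77
Internet  192.168.99.1             0   Incomplete      ARPA
Internet  192.168.88.1             3   0011.2233.4455  ARPA   Vlan88
"""

def parse_arp(text):
    """Parse IOS-style 'show arp' output into dicts; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "Internet":
            continue
        _, addr, age, hw, typ = parts[:5]
        # An Incomplete entry has no MAC and usually no interface column at all.
        iface = parts[5] if len(parts) > 5 else None
        entries.append({
            "address": addr,
            "age": int(age) if age.isdigit() else None,
            "hw": hw,
            "type": typ,
            "interface": iface,
            "incomplete": hw == "Incomplete",
        })
    return entries

def check_gateways(entries, expected):
    """Compare the ARP table with {ip: expected SVI} and describe each mismatch.

    Returns a list of human-readable problems; an empty list means every
    expected address resolved to a MAC on the interface you expected.
    """
    by_addr = {e["address"]: e for e in entries}
    problems = []
    for ip, iface in expected.items():
        e = by_addr.get(ip)
        if e is None:
            problems.append(f"{ip}: no ARP entry at all; nothing has tried to reach it via {iface}")
        elif e["incomplete"]:
            problems.append(f"{ip}: ARP Incomplete; no reply on {iface}, check the VLAN is allowed on the trunk/port to the AP")
        elif e["interface"] != iface:
            problems.append(f"{ip}: resolved on {e['interface']}, expected {iface}")
    return problems

if __name__ == "__main__":
    expected = {"192.168.77.1": "Vlan77", "192.168.88.1": "Vlan88", "192.168.99.1": "Vlan99"}
    for problem in check_gateways(parse_arp(ARP_SAMPLE), expected) or ["all expected addresses resolved"]:
        print(problem)
```

Paste the real `show arp` output in place of ARP_SAMPLE and list each AP sub-interface address against the SVI it should appear on; an Incomplete result for the new address while the older VLAN resolves fine narrows the problem to the layer-2 path for that VLAN rather than to DHCP or the firewall policy.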