Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

AP-225 split tunneling showing with Invalid (I) Flag

  • 1.  AP-225 split tunneling showing with Invalid (I) Flag

    Posted Feb 09, 2015 01:02 PM

    I've set up an AP profile for split tunneling and it's showing with the Invalid (I) flag on the controller, see config below. When I change forward-mode to 'tunnel' all is fine (except split tunneling doesn't work lol ;) Please advise.

     

    wlan virtual-ap "Aruba-CP-Radius-vap_prof2"
    aaa-profile "Aruba-CP-Radius-aaa_prof2"
    ssid-profile "Aruba-CP-Radius-ssid_prof2"
    vlan 176
    forward-mode split-tunnel


    aaa profile "Aruba-CP-Radius-aaa_prof2"
    authentication-dot1x "CFN-Main-dot1x"
    dot1x-default-role "split-usr"
    dot1x-server-group "CFN-RADIUS-server-grp"

     

    user-role split-usr
    access-list session split-acl

     

    ip access-list session split-acl
    any any svc-dhcp permit
    any alias Net_10.29.0.0-16 any permit
    user any any src-nat


    #AP225


  • 2.  RE: AP-225 split tunneling showing with Invalid (I) Flag

    Posted Feb 09, 2015 01:07 PM

    Is your AP configured as RAP or CAP? Is your AP connected from a remote site/other network?
    If it is working as CAP, split tunneling isn't possible.



  • 3.  RE: AP-225 split tunneling showing with Invalid (I) Flag
    Best Answer

    EMPLOYEE
    Posted Feb 09, 2015 01:08 PM

    Split-tunnel is only possible if the AP is configured as a RAP.

     

    Tunnel, bridge and decrypt-tunnel are available when operating as a campus AP.



  • 4.  RE: AP-225 split tunneling showing with Invalid (I) Flag

    Posted Feb 09, 2015 01:29 PM

    Yes, it's CAP... so does it mean I have to change to RAP and then set IKE PSK? Does RAP connect to the controller's public IP or private IP (in my case it's an IPsec tunnel from my home remote network to the DC firewall, so AP to controller communication is through IPsec)? I'm not sure what decrypt-tunnel is for.

     

    vlan 176 (id 176) is on controller side 

     

    (Aruba-7210) #show vlan 176

    VLAN CONFIGURATION
    ------------------
    VLAN Description Ports AAA Profile
    ---- ----------- ----- -----------
    176 VLAN0176 GE0/0/0 N/A



  • 5.  RE: AP-225 split tunneling showing with Invalid (I) Flag

    Posted Feb 09, 2015 01:09 PM

    Is that a named VLAN?