You may need to also specify and configure the routing profile as well.
On Distributed L3 mode, The virtual controller acts as both the DHCP server and default gateway.
Corporate traffic (traffic matching routing profile) from clients is routed through the VPN tunnel. All other traffic is src-nat’ed on VC.
ip dhcp l3-dhcp server-type
Distributed,L3 server-vlan 30
ip-range 10.30.0.0 10.30.255.255 dns-server 10.1.1.50,10.1.1.30 domain-name testdomain.com
routing profile config
--------------------------
VPN primary IP is configured. This IP address is the Public IP address of the IAP.
vpn primary <public IP of controller>
Routing profile is defined to tunnel all traffic through IPSec tunnel
routing-profile route 0.0.0.0 0.0.0.0 <public IP of controller>
Let me know if that helps.
Thank you,
Sriram