Agreed but you still ideally need to confirm the following as this is what we know so far
- Your `show datapath session` on the IAP does not show any UDP500/UDP4500 traffic from the client.
- We do not know if your firewall logs show any UDP500/UDP4500 traffic from the client.
- The below statement does not confirm if the firewall allows UDP500/UDP4500 traffic.
"As all wireless clients can use HTTP/HTTPS the FW rules should be ok basically"
I have replicated the same in my lab. My IAP rules allow UDP500/UDP4500, my FW rules allow UDP500/UDP4500, my firewall src-NATs the traffic behind the public IP, and all works without issues :)
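One way to check the second and third points above (whether the firewall logs actually show UDP 500 / UDP 4500 from the client, and whether those flows were allowed or dropped) is to run the exported firewall log through a small filter. This is an added example, not code from the thread; the log line format (`action=... proto=... src=ip:port dst=ip:port`) and the sample lines are constructed assumptions, so adjust the regex to your firewall's export format.

```python
import re

# Constructed sample firewall log lines (assumed generic syslog-style key=value format,
# not taken from the thread). 10.1.20.55 is a client whose IKE and NAT-T flows were
# allowed; 10.1.20.77 had IKE dropped and never reached NAT-T.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 fw action=allow proto=udp src=10.1.20.55:500 dst=203.0.113.10:500
2024-01-01T10:00:02 fw action=allow proto=udp src=10.1.20.55:4500 dst=203.0.113.10:4500
2024-01-01T10:00:05 fw action=drop proto=udp src=10.1.20.77:500 dst=203.0.113.10:500
2024-01-01T10:00:06 fw action=allow proto=tcp src=10.1.20.77:51000 dst=203.0.113.10:443
"""

# UDP 500 carries IKE; UDP 4500 carries IKE/ESP with NAT traversal (NAT-T), which is
# what a client behind a src-NAT firewall ends up using.
IKE_PORTS = {500: "IKE", 4500: "NAT-T"}

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_lines(text):
    """Yield one dict per parseable log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["proto"] = rec["proto"].lower()
        rec["action"] = rec["action"].lower()
        yield rec


def ipsec_summary(text, client_ip):
    """Return {"IKE": status, "NAT-T": status} for one client source IP.

    status is "allow" if any matching flow was allowed, "drop" if flows were only
    ever dropped, or "not seen" if the firewall logged nothing on that port at all
    (which points back at the IAP / client rather than the firewall rule set).
    """
    status = {name: "not seen" for name in IKE_PORTS.values()}
    for rec in parse_lines(text):
        if rec["src"] != client_ip or rec["proto"] != "udp":
            continue
        name = IKE_PORTS.get(rec["dport"])
        if name is None:
            continue
        if rec["action"] == "allow":
            status[name] = "allow"
        elif status[name] != "allow":
            status[name] = "drop"
    return status


def diagnose(text, client_ip):
    """Turn the summary into the next thing to check, in plain words."""
    s = ipsec_summary(text, client_ip)
    if s["IKE"] == "not seen" and s["NAT-T"] == "not seen":
        return "no UDP500/4500 at the firewall: check IAP rules and the datapath session"
    if "drop" in s.values():
        return "firewall is dropping IKE/NAT-T: fix the FW rule for UDP500/UDP4500"
    return "firewall allows IKE and NAT-T: look at src-NAT and the VPN headend next"


if __name__ == "__main__":
    for ip in ("10.1.20.55", "10.1.20.77", "10.1.20.99"):
        print(ip, ipsec_summary(SAMPLE_LOGS, ip), "->", diagnose(SAMPLE_LOGS, ip))
```

The "not seen" case is the interesting one for this thread: if neither UDP 500 nor UDP 4500 from the client ever appears in the firewall log, the firewall rule is not yet in question and the gap is upstream, which matches the first point about the IAP datapath session.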