Client has two locations, with a VPN between them.
One AP is on the 192.168.1.x subnet, one AP is on the 192.168.10.x subnet.
Issue is with the 192.168.10 AP. Laptops and mobile devices connect fine and are able to access the internal network. Laptops are also able to access the internet without restriction, meaning they behave the way you would expect devices to on a typical wireless network.
Mobile devices (iOS and Android) can access the internal network just fine but cannot access the internet. There is no ACL, no subnet restriction (they're not connecting through guest access anyway), no web filtering, etc.
Mobile devices connect and have internal and internet access from the 192.168.1 AP, and work as you would expect. Both APs are in the same group, same WLAN, no VLANs or other custom settings.
DHCP is from the network, not the ZD, and there's no problem with obtaining IP addresses and the scope options (DNS servers, etc.).
Odder still, you can ping out from a 192.168.10 mobile device to the internet but cannot access HTTP, etc. (routing = okay). I would assume there might be a restriction somewhere in a network not allowing internet access, but that's not the case. Laptops have no issue.
Rebooting of the ZD, mobile devices, APs has no effect.
Does anyone know of a specific issue with mobile devices that might cause this behavior?
This sounds like maybe an MTU/fragmentation (or rather Do Not Fragment) issue. The fact that a VPN is involved lends credence. Web servers try to use the biggest packet possible and they generally set the DNF (Do Not Fragment) bit (instead they expect to negotiate MTU via ICMP PMTU discovery).
So, it's likely something in your network is preventing PMTU from reaching the source web servers. They are sending too-large packets which are getting dropped at the tunnel.
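The black-hole mechanism the reply describes, as an added example that is not part of the original thread: a small model of a server-to-client path in which a 1500-byte TCP segment with DF set dies at a VPN tunnel whose ICMP "Fragmentation Needed" replies never reach the server, while an 84-byte ping sails through. It also shows what PMTU discovery looks like when the ICMP does get back, the MSS clamp that works around the problem, and the OS-specific DF-bit ping probes used to measure the real path. The hop names, the 1400-byte tunnel MTU and the 8.8.8.8 target in the usage are assumptions for illustration, not facts from the post.

```python
"""PMTU black-hole model for the MTU / Don't-Fragment theory in the reply above.

Added example, not code from the original thread. Hop names, the MTU figures
(1500 on the LAN, an assumed 1400 inside the VPN tunnel) are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional

IPV4_HEADER = 20
TCP_HEADER = 20
ICMP_HEADER = 8
ETHERNET_MTU = 1500
ASSUMED_TUNNEL_MTU = 1400  # assumption: ~100 bytes of VPN encapsulation overhead


@dataclass
class Hop:
    name: str
    mtu: int
    # False models a firewall that drops ICMP type 3 code 4 (Fragmentation
    # Needed) travelling back toward the sender, i.e. the black hole.
    passes_icmp_frag_needed: bool = True


@dataclass
class Delivery:
    delivered: bool
    icmp_frag_needed: bool        # sender received "Fragmentation Needed"
    next_hop_mtu: Optional[int]   # MTU reported in that ICMP message
    dropped_at: Optional[str]


def send(packet_len: int, df: bool, path: List[Hop]) -> Delivery:
    """Forward one IPv4 packet along `path` (sender's first hop first)."""
    for i, hop in enumerate(path):
        if packet_len <= hop.mtu:
            continue
        if not df:
            # DF clear: the router fragments and the pieces fit downstream.
            return Delivery(True, False, None, None)
        # DF set and too large: this hop drops the packet and sends ICMP
        # Fragmentation Needed, which must cross every hop already traversed.
        icmp_ok = all(h.passes_icmp_frag_needed for h in path[:i])
        return Delivery(False, icmp_ok, hop.mtu if icmp_ok else None, hop.name)
    return Delivery(True, False, None, None)


def pmtu_discover(path: List[Hop], start_mtu: int = ETHERNET_MTU) -> Optional[int]:
    """RFC 1191 behaviour: send with DF, shrink on ICMP feedback, and give up
    (return None) when a packet vanishes with no ICMP at all."""
    mtu = start_mtu
    while True:
        r = send(mtu, True, path)
        if r.delivered:
            return mtu
        if not r.icmp_frag_needed:
            return None  # black hole: the sender keeps retransmitting 1500s
        mtu = r.next_hop_mtu


def mss_for_mtu(mtu: int) -> int:
    """MSS a client advertises (or a firewall clamps to) for a given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def tcp_segment_len(mss: int) -> int:
    return IPV4_HEADER + TCP_HEADER + mss


def ping_payload_for_mtu(mtu: int) -> int:
    """ICMP echo payload that yields exactly an `mtu`-byte IPv4 packet."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def df_ping_commands(host: str, mtu: int) -> dict:
    """Manual DF-bit probes. A reply means `mtu` fits end to end; a
    'message too long' error or silence means it does not."""
    size = ping_payload_for_mtu(mtu)
    return {
        "linux": f"ping -M do -s {size} -c 3 {host}",
        "macos": f"ping -D -s {size} -c 3 {host}",
        "windows": f"ping -f -l {size} -n 3 {host}",
    }


def build_path(firewall_passes_icmp: bool) -> List[Hop]:
    """Constructed server -> mobile device path, as the reply describes it."""
    return [
        Hop("web server LAN", ETHERNET_MTU),
        Hop("site firewall", ETHERNET_MTU, passes_icmp_frag_needed=firewall_passes_icmp),
        Hop("VPN tunnel", ASSUMED_TUNNEL_MTU),
        Hop("192.168.10.x wireless", ETHERNET_MTU),
    ]


def demo() -> dict:
    black_hole = build_path(False)
    full_segment = tcp_segment_len(mss_for_mtu(ETHERNET_MTU))  # 1500 bytes, DF set
    clamped_segment = tcp_segment_len(mss_for_mtu(ASSUMED_TUNNEL_MTU))
    return {
        # Default ping: 56-byte payload, 84 bytes on the wire, fits every hop.
        "ping_ok": send(IPV4_HEADER + ICMP_HEADER + 56, True, black_hole).delivered,
        "http_ok": send(full_segment, True, black_hole).delivered,
        "pmtu_black_hole": pmtu_discover(black_hole),
        "pmtu_healthy": pmtu_discover(build_path(True)),
        "clamped_mss": mss_for_mtu(ASSUMED_TUNNEL_MTU),
        "http_ok_after_clamp": send(clamped_segment, True, black_hole).delivered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    for os_name, cmd in df_ping_commands("8.8.8.8", ETHERNET_MTU).items():
        print(f"{os_name}: {cmd}")
```

Running it shows the symptom pattern from the question (ping succeeds, full-size HTTP segments never arrive) and the two ways out: let ICMP Fragmentation Needed back through so the server learns the 1400-byte path MTU, or clamp MSS to 1360 at the tunnel so no segment exceeds it. The `df_ping_commands` output is the field test: step the probe size down from 1472 until replies return; the largest size that works, plus 28, is the real path MTU. The model says nothing about why laptops behave differently, which the thread does not resolve.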
VLANs should be fine since the laptops don’t have an issue and operate normally. It has to be the mobile devices. Is there something specific to iOS and Android devices where this would come into play?