cisco WLC 2504 second interface DHCP issue

I am having some issue getting an IP address on the public interface I created on the WLC 2504.
it works fine on the management ssid

here is the setup:

asa 5505 unlimited license (not the security plus) 10.12.20.1
Vlan 1 : 10.12.20.0
Vlan 3: 10.12.30.0 is the dmz on the asa

DHCP is done for both Vlans on the asa

WLC 2504

interfaces
management: untagged 10.12.20.4
GW: 10.12.20.1
DHCP: 10.12.20.1


Public: Tagged 3
10.12.30.4
GW: 10.12.30.1
DHCP 10.12.30.1

switch cisco SG 300

port 1 goes to the asa management port: access mode untagged vlan1
port 2 goes to the asa Public port: access mode untagged vlan 3
port 3 goes to the AP: access mode untagged vlan1

if I connect to private then I get an IP 10.12.20.x
if I connect to public then I can't get an IP at all

I am wondering if it is related to the asa and the fact that it is a basic DMZ with no forwarding in it

here is some more config
interface detailed public

Interface Name................................... public
MAC Address...................................... d4:8c:b5:c2:af:84
IP Address....................................... 10.12.30.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.30.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 3         
Quarantine-vlan.................................. 0
Active Physical Port............................. 1         
Primary Physical Port............................ 1         
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.30.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

show interface detailed management 

Interface Name................................... management
MAC Address...................................... d4:8c:b5:c2:af:80
IP Address....................................... 10.12.20.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.20.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged  
Quarantine-vlan.................................. 0
Active Physical Port............................. 1         
Primary Physical Port............................ 1         
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.20.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled

Select allOpen in new window

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.20.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan3
 no forward interface Vlan1
 nameif Public
 security-level 50
 ip address 10.12.30.1 255.255.255.0 
!
ftp mode passive
access-list VPNJackling_splitTunnelAcl standard permit 10.12.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.12.20.0 255.255.255.0 10.12.20.248 255.255.255.248 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Public 1500
ip local pool vpnpool 10.12.20.250-10.12.20.253
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.12.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400
telnet 10.12.20.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.12.20.10-10.12.20.249 inside
dhcpd enable inside
!
dhcpd address 10.12.30.2-10.12.30.250 Public
dhcpd enable Public

Select allOpen in new window

vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit                                                  
hostname Attic
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Attic
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
switchport general pvid 3
exit                                                  
interface gigabitethernet3
switchport mode access
exit
interface vlan 3
name Public
exit

Select allOpen in new window