Implementation WIFI network using MSM 760

Hello Forum,

I am trying to implement WIFI network here and runing into problem.

Below is the architecture.

The problems:

1) guest users traffic isn't going to FW interface - instead routing back to the core switch.

2) few minutes ago - I rebooted the controller and now AP are no longer visable to the controller. now getting this:

AP (name='D4:C9:EF:E3:64:9B') is silent, it may still be providing services but is unmanaged. Reason: (value='Secure connection to AP went down').

any help much appreciated.

v1910 config is 

#
version 5.20, Release 1513P99
#
sysname har-wfi-sw-01
#
clock timezone UTC add 00:00:00
#
super password level 3 cipher $c$3$S5qJ++iUrcWItWPoqyCASKz8otlwpoyzozs=
#
dhcp relay server-group 0 ip 172.31.4.50
#
domain default enable system
#
ip ttl-expires enable
#
lldp enable
lldp compliance cdp
#
password-recovery enable
#
acl number 3001 name DENY-GUEST
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 172.31.70.0 0.0.1.255
rule 5 permit ip
#
vlan 1
description DEFAULT
#
vlan 2
description VLAN 2
#
vlan 21
description VLAN 21
#
vlan 22
description VLAN 22
#
vlan 52
description VLAN 52
#
radius scheme system
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
#
user-group system
#
local-user admin
password cipher $c$3$QV1TDjaIyCnLjir+42HRCYFqwVtHbD42eZhTDH5lwsY=
authorization-attribute level 3
service-type ssh telnet terminal
service-type web
#
stp mode rstp
stp enable
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.2.2 255.255.255.0
dhcp relay server-select 0
#
interface Vlan-interface2
ip address 172.31.2.18 255.255.255.0
dhcp select relay
dhcp relay server-select 0
#
interface Vlan-interface21
ip address 172.31.21.3 255.255.255.0
dhcp select relay
dhcp relay server-select 0
#
interface Vlan-interface22
ip address 172.31.22.3 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 21 to 22 tagged
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 21 to 22 tagged
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 21 to 22 tagged
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/4
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 21 to 22 tagged
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/6
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/7
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/8
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/9
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 22 tagged
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/10
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/11
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/12
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/13
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/14
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/15
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/16
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 52 untagged
port hybrid pvid vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/17
port access vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/18
port access vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/19
port access vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/20
port access vlan 52
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/21
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 22 untagged
port hybrid pvid vlan 22
poe enable
packet-filter 3001 inbound
stp edged-port enable
#
interface GigabitEthernet1/0/22
port access vlan 22
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/23
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 2 untagged
port hybrid pvid vlan 2
poe enable
packet-filter 3001 inbound
stp edged-port enable
#
interface GigabitEthernet1/0/24
port link-type hybrid
port hybrid vlan 21 52 tagged
port hybrid vlan 1 to 2 untagged
port hybrid pvid vlan 2
poe enable
stp edged-port enable
#
interface GigabitEthernet1/0/25
stp edged-port enable
#
interface GigabitEthernet1/0/26
stp edged-port enable
#
interface GigabitEthernet1/0/27
stp edged-port enable
#
interface GigabitEthernet1/0/28
stp edged-port enable
#
ip route-static 0.0.0.0 0.0.0.0 Vlan-interface2 172.31.2.1 preference 10
#
dhcp enable
#
ntp-service authentication enable
ntp-service source-interface Vlan-interface2
ntp-service authentication-keyid 1 authentication-mode md5 cipher $c$3$GlnrEkrpjgBmiIsXh8yMMam0ZSq3HLU=
ntp-service reliable authentication-keyid 1
ntp-service unicast-server 172.31.4.50 authentication-keyid 1
#
ssh server enable
#
user-interface aux 0
authentication-mode scheme
user-interface vty 0 15
authentication-mode scheme
#
return

 See attached file for configs.