BB,

 

Tried that.  I can connect to the remote AP (after link failure via SSH) and ping the WLC no issues.

From the Central WLC I can ping the AP no issues

It is just they do not want to talk to each other any more for authentication 

AP shows are trying to connect, tried 6 times then

• "Max retransmission count exceeded, going back to DISCOVERY mode"
• Flexconnect Switching to Standalone Mode!
• CAPWAP State: DTLS Teardown

However if I reset the AP, all works fine and reconnects without any issues.

Are you using NAT between the AP and WLC?

One way is MPLS connection so no NAT.

Failover runs over VPN but traffic is not NATTED just goes over secure connection (i.e. site to site VPN)

Ok so NAT was an obvious possibility because we've seen it with that - IOS maintains NAT translations via the old path even when the routing switches and old path is down so NAT translations need to be cleared. I guess you're going to have to look at other features which might do the same - maybe firewall? If you can't work it out then best to open a case with Cisco TAC. Also stating the obvious but your WLC code is out of date and there are a LOT of fixes which have gone in since 8.5.131.0 so I'd seriously consider updating the code before opening a TAC case because that's probably the first thing they'll tell you (current is 8.5.160.0 and I know there are some bugs fixed which can cause problems with AP joins). But I see there's a warning for 8.5.160.0 "For AP1800/2800/3800 with Flexconnect local switching Deployments, Please continue to use 8.5.151.0 Images" so if you're using local switching on your 2802's then stick to 8.5.151.0.