Mobility Anchor Controller issue - DNS resolution no longer works after non-related firewall issue

Greetings Wireless Gurus of the Forum

Got a good one for you

(and please, don't just tell me 'to upgrade'... I know it's OLD code... have to have justification for management, you know the drill...)

Network Design: - see attached drawing

What happens.

Things have been just fine with our guest network until now.

Last couple weeks we have been having issues within our SAZ related to our Checkpoint Firewall. The issue resulted in our Network Security folks making some changes, which caused the firewalls to fail over from Primary to Secondary. After failover and a brief outage therein, all services recovered. The only one that did not seem to recover was our guest network.

The symptom would be that clients would associate with the SSID, get an IP address and all proper DNS server info, but could not resolve DNS names (and therefore could not get to the authentication page). I had to reboot all 3 of our anchor controllers for the service to start working again. This has happened twice.

So the question is, why? No apparent messages in log or in Show Tech. Of course opening the obligatory TAC case, but want to make sure I am getting all angles covered.

Thanks! Patrice (but please call me PATTY) Bell

