Is the Remote AP whitelisted on your 7210 for RAP operation? Has it been put into an AP group and provisioned for RAP operation? If NAT is in use between the 7210 and the Internet, has NAT-T been enabled for RAP operation?
Since you see the AP on your firewall, use "show datapath session table | inc <ip_addr_of_AP>" to see what traffic is hitting the controller and the state of that traffic.
If this issue is critical, I recommend opening a case with TAC who can work with you in real-time to troubleshoot your configuration.