OK, engineering needs to be involved in this.
The good news is that the RAPs are really able to come back, but there is some kind of incompatibility with the Palo Alto firewall.
The firewall is up to date, and the problem is...
To simulate a disconnect situation, I block the public IP of the RAP that arrives at the controller. This is working: my RAP is turning on the Backup SSID and rebooting the wired ports, but unblocking is not working. The ping is able to come back, but I think there is some kind of packet that is not being sent or is not able to pass through the firewall, because it is not coming back without a "manual" reboot.
I tried in another environment with a Meraki firewall and the AP is able to go back by itself, and on the Palo Alto site I started testing by disabling the controller network interface...
But!! The wired ports are still broken; there is no way to make it route. It can ping and communicate with other wired users, but it cannot ping its own gateway (the RAP). Another symptom that I discovered is that doing a packet capture on the specific ports through the RAP console activates the ping responses from the gateway, but only that; they still cannot route beyond that.
Engineering, please start looking into this feature to work on a fix!!