What is the function of parameter Stateful ICMP Processing present on controller's firewall?
When this knob is enabled, controller's datapath will drop all Unsolicited ICMP responses if the controller has not seen the ICMP request & created a corresponding session for the same.
This knob was introduced from 220.127.116.11
Eg; In a CPSEC enabled environment, when a wired client present in different vlan than the AP tried to ping it, ICMP request will not go through the controller.
However, ICMP response from the AP will be sent inside IPSEC tunnel created between AP & controller. As controller did not see the ICMP request from the wired client, so the ICMP response packet from the AP destined to
the wired client will be dropped once it hits controller's datapath.