That is correct.
Please check the following:
1. Start a continuous ping from the client to the AP.
2. Aruba# show datapath session ap-name <name of AP> | include <ip-address of wired client>
We need to check the output for the above command to make sure ICMP traffic is reaching AP's datapath.
3. Aruba# show datapath session table | include <ip-address of wired client>
We should see ICMP traffic destined to wired client in output of above command . As the AP sends back the ICMP replies inside the IPSEC tunnel , it will eventually hit controller's datapath & then go out to the client.
In addition to above please check the following output:
Aruba #show firewall | include ICMP
Stateful ICMP Processing Disabled --->This is disabled by default
In case it is enabled, controller will drop the ICMP packets destined to wired client as they will be treated
as Unsolicited packets . The reason is that controller never saw the ICMP request coming in but then sees that ICMP responses are going out.
In case you have access to AP's shell, netstat -rn will show the routing table of the AP.