Hi Peter,
You are correct. Here is the explanation:
(Master) #show ip route
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap
(Standby) #show ip route
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap
(Local) #show ip route
C 192.168.2.0/27 is directly connected, VLAN49
C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap
On Master, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". On Local, there is an ipsec map to Master, "default-local-master-ipsecmap".
On Standby, there is an ipsec map to local, "default-local-master-ipsecmap192.168.2.6". Note the ipsec map name. On Local, there is NO ipsec map to Standby. The Local controller will have an ipsec map only to the Master, not to the Standby.
On the Local controller, the ipsec map is created only to the Master. Not to the Standby.
The ipsec tunnel is in fact made to the VRRP IP (192.168.2.10) between the Master and Standby when you configured the Local.
When you ping from Local, the traffic may go out, since it would take the directly connected route.
The return traffic from Standby should take the ipsec map as per the routing table. This is only a map on the routing table of Standby, but the Local controller doesn't have an ipsec map for Standby. This means there is NO ipsec tunnel to the Local controller. So, the traffic will be dropped since the route entry is not valid. The ipsec map on the Standby will take effect when the Standby controller takes the Master role.
(Local) #show datapath session table | include 4500
192.168.2.6 192.168.2.10 17 4500 4500 0/0 0 0 255 0/0/0 2862 0 0 F
192.168.2.10 192.168.2.6 17 4500 4500 0/0 0 0 0 0/0/0 2862 0 0 FC
This explanation is based on my understanding and not from any official Aruba documents.
Thanks,
Rajaguru Vincent
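The reasoning in the reply above (a route that points at an ipsec map is only usable when the far end also has an ipsec map back, i.e. a tunnel actually exists between the two controllers) can be checked mechanically against `show ip route` output. The script below is an added example, not code from the post or from Aruba: it parses the three route listings quoted in the reply, does a longest-prefix lookup the way a forwarding table would, and then decides whether a ping request and its reply are delivered. The controller addresses (Master 192.168.2.4, Standby 192.168.2.3, Local 192.168.2.6) are inferred from the /32 entries in the post rather than stated there, and the "tunnel exists only if both sides have a map" rule is a simplified model of the behaviour the reply describes, not a description of the controller's actual datapath.

```python
import ipaddress
import re

# Assumption: which address each controller answers on, inferred from the /32
# ipsec-map entries quoted in the post (not stated there explicitly).
CONTROLLERS = {
    "Master": "192.168.2.4",
    "Standby": "192.168.2.3",
    "Local": "192.168.2.6",
}

# Constructed sample input: the `show ip route` listings quoted in the post.
ROUTE_OUTPUT = {
    "Master": """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.3/32 is an ipsec map default-psk-redundant-master-ipsecmap
""",
    "Standby": """
C 192.168.2.6/32 is an ipsec map default-local-master-ipsecmap192.168.2.6
C 192.168.2.4/32 is an ipsec map default-psk-redundant-master-ipsecmap
""",
    "Local": """
C 192.168.2.0/27 is directly connected, VLAN49
C 192.168.2.4/32 is an ipsec map default-local-master-ipsecmap
""",
}

# Matches the two route forms that appear in the post: ipsec map or directly connected.
ROUTE_RE = re.compile(
    r"^C\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+is\s+"
    r"(?:an ipsec map\s+(?P<ipsec_map>\S+)|directly connected,\s+(?P<iface>\S+))\s*$"
)


def parse_routes(text):
    """Turn `show ip route` text into a list of route dicts (prefix, kind, via)."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route line: {line!r}")
        routes.append({
            "prefix": ipaddress.ip_network(m.group("prefix")),
            "kind": "ipsec" if m.group("ipsec_map") else "connected",
            "via": m.group("ipsec_map") or m.group("iface"),
        })
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the parsed table, as a forwarding lookup would do."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def has_ipsec_map_to(routes, peer_ip):
    """True when the best route to peer_ip on this controller is an ipsec map."""
    r = lookup(routes, peer_ip)
    return r is not None and r["kind"] == "ipsec"


def one_way(tables, src, dst):
    """Decide whether a packet from controller `src` reaches controller `dst`.

    Returns (delivered, reason). A directly connected route always forwards.
    An ipsec-map route forwards only if `dst` also has an ipsec map covering
    `src`, i.e. a tunnel exists in both directions (the post's reasoning).
    """
    r = lookup(tables[src], CONTROLLERS[dst])
    if r is None:
        return False, f"{src}: no route to {CONTROLLERS[dst]}"
    if r["kind"] == "connected":
        return True, f"{src}: directly connected via {r['via']}"
    if has_ipsec_map_to(tables[dst], CONTROLLERS[src]):
        return True, f"{src}: ipsec map {r['via']} to {dst}, tunnel present"
    return False, f"{src}: ipsec map {r['via']} to {dst}, but {dst} has no ipsec map back; dropped"


def ping(tables, src, dst):
    """A ping succeeds only if the request goes out and the reply comes back."""
    out_ok, out_why = one_way(tables, src, dst)
    if not out_ok:
        return False, out_why
    back_ok, back_why = one_way(tables, dst, src)
    return back_ok, f"{out_why}; {back_why}"


TABLES = {name: parse_routes(text) for name, text in ROUTE_OUTPUT.items()}

if __name__ == "__main__":
    for src, dst in [("Local", "Master"), ("Local", "Standby"), ("Master", "Standby")]:
        ok, why = ping(TABLES, src, dst)
        print(f"ping {src} -> {dst}: {'OK' if ok else 'FAIL'} ({why})")
```

Run as a script it reports that Local to Master and Master to Standby round-trip, while Local to Standby fails on the reply leg: Standby's best route to 192.168.2.6 is an ipsec map, but Local's best route back to 192.168.2.3 is the connected /27, so no tunnel exists and the model drops the packet, matching the explanation above.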