Phase 2 Requirements
Pre-Validate Requirements
Complete infrastructure checklist for ap convert pre-validate specific-aps command. Covers network requirements, server connectivity, and company network alternatives to Aruba Central.
What Pre-Validate Actually Checks
The ap convert pre-validate specific-aps command runs on the Mobility Master/Controller and verifies each AP in the convert list against Aruba Central. It checks:
AP Registration
AP must exist and be registered in Aruba Central
Device Not Found
Fails if AP is not added to Central inventory
Subscription Status
AP must have an active Aruba Central subscription (license)
Central Reachability
Controller must reach Aruba Central API via HTTPS/443
Network & Protocol Requirements
From Controller to Aruba Central
https://apigw-prod2.central.arubanetworks.comCritical Infrastructure Checklist
Connectivity
- Controller can reach api.central.arubanetworks.com on port 443
- Network firewall allows outbound HTTPS (TCP/443) to Aruba Central
- No proxy/web-filter intercepting HTTPS to Central (or proxy configured)
- DNS resolution for apigw-prod2.central.arubanetworks.com working
Aruba Central Setup
- All APs in convert list are added to Central inventory
- Each AP has an active Aruba Central subscription (license assigned)
- Central API token/bearer is valid and has sufficient permissions
- AP groups/CNX groups configured in Central match convert list
Controller Setup
- Central API credentials configured on the Mobility Master
- AP names in convert list exactly match Central inventory names
- Convert list contains only AOS-10-eligible APs
- Controller has management network connectivity
Company Network Alternatives to Aruba Central
If your organization cannot use Aruba Central servers directly, these are infrastructure options available on your company network:
Internal DNS
AlternativeStandard: DNS server on company network
Company Alternative: On-premises DNS (e.g., Active Directory, BIND)
Impact: For hostname resolution (apigw-prod2.central.arubanetworks.com lookup)
Notes: Must support CNAME/A record resolution to Central
NTP / Time Sync
AlternativeStandard: Network Time Protocol for clock synchronization
Company Alternative: Company NTP servers (e.g., Active Directory NTP, internal NTP pool)
Impact: Pre-validate validates timestamps; clock skew causes auth failures
Notes: Recommended: UTC offset ±5 seconds max for API authentication
Proxy / Web Filter
AlternativeStandard: Outbound HTTPS inspection or gateway
Company Alternative: Corporate proxy with Central URL bypass or whitelist
Impact: If present, must be configured to pass Central API traffic transparently
Notes: Certificate inspection on Central API will cause validation failures
SYSLOG / Audit Logging
AlternativeStandard: Controller-side event logging
Company Alternative: Company SYSLOG servers (e.g., Splunk, ELK, Graylog)
Impact: Pre-validate results can be logged locally, no Central dependency
Notes: Configure on controller: 'log4 level info' and 'log4 syslog'
Aruba Central On-Premises
AlternativeStandard: Local Central instance (if licensed)
Company Alternative: On-premises Aruba Central (Data Center version)
Impact: Pre-validate points to local Central instance instead of cloud
Notes: Requires license and separate deployment; all APs must be migrated to local Central first
Pre-Validate Failure Scenarios
Device not found
Cause: AP not added to Aruba Central inventory
Resolution: Add AP to Central via UI or API
No subscription
Cause: AP registered in Central but no license assigned
Resolution: Assign Aruba Central subscription/license to AP
Central unreachable
Cause: Controller cannot reach apigw-prod2.central.arubanetworks.com:443
Resolution: Check firewall, proxy, DNS; verify outbound HTTPS allowed
API auth failed
Cause: Bearer token invalid or expired
Resolution: Regenerate Central API key and update controller settings
Time sync issue
Cause: Controller clock skew > ±5 seconds
Resolution: Sync controller time via NTP or manual adjustment
CNX group mismatch
Cause: AP group in controller doesn't exist in Central
Resolution: Create matching AP group in Central or update controller group name
Quick Reference: Pre-Validate Requirements
| Requirement | Standard (Aruba Central) | Company Alternative | Critical? |
|---|---|---|---|
| Central API Gateway | apigw-prod2.central.arubanetworks.com:443 | On-premises Central (if licensed) | ✓ Yes |
| HTTPS / TLS 1.2+ | Port 443, encrypted | Corporate TLS proxy (must not inspect Central) | ✓ Yes |
| API Authentication | Aruba Central bearer token | Custom bearer (if using on-prem Central) | ✓ Yes |
| DNS Resolution | Public DNS | Company DNS with external resolution | ✓ Yes |
| NTP / Time Sync | Any NTP pool | Company NTP server | ✓ Yes (±5s max) |
| AP Registration | Added to Central inventory | Pre-migration to local Central | ✓ Yes |
| Subscription / License | Aruba Central subscription | License assignment still required | ✓ Yes |
| Logging / Audit | Central console | Company SYSLOG servers | ○ Optional |
Best Practices for Pre-Validate Success
- Verify controller → Central connectivity before running pre-validate (e.g., test with curl from controller)
- Check time sync on controller (must be within ±5 seconds of NTP time)
- Confirm API token is valid and has proper Central permissions
- Pre-populate Central inventory with all APs before running pre-validate
- Assign subscriptions/licenses to each AP in Central before pre-validate
- Run pre-validate on small batch first (5–10 APs) to validate infrastructure before full migration
- Review failure report — toolkit generates a TXT file listing all APs that failed and remediation steps