Migration Toolkit Docs

Phase 2 Requirements

Pre-Validate Requirements

Complete infrastructure checklist for ap convert pre-validate specific-aps command. Covers network requirements, server connectivity, and company network alternatives to Aruba Central.

What Pre-Validate Actually Checks

The ap convert pre-validate specific-aps command runs on the Mobility Master/Controller and verifies each AP in the convert list against Aruba Central. It checks:

AP Registration

AP must exist and be registered in Aruba Central

Device Not Found

Fails if AP is not added to Central inventory

Subscription Status

AP must have an active Aruba Central subscription (license)

Central Reachability

Controller must reach Aruba Central API via HTTPS/443

Network & Protocol Requirements

From Controller to Aruba Central

ServerAruba Central API Gateway (apigw)
URLhttps://apigw-prod2.central.arubanetworks.com
Port443 (HTTPS)
ProtocolTLS 1.2+
AuthBearer token (Aruba Central API key)

Critical Infrastructure Checklist

Connectivity

  • Controller can reach api.central.arubanetworks.com on port 443
  • Network firewall allows outbound HTTPS (TCP/443) to Aruba Central
  • No proxy/web-filter intercepting HTTPS to Central (or proxy configured)
  • DNS resolution for apigw-prod2.central.arubanetworks.com working

Aruba Central Setup

  • All APs in convert list are added to Central inventory
  • Each AP has an active Aruba Central subscription (license assigned)
  • Central API token/bearer is valid and has sufficient permissions
  • AP groups/CNX groups configured in Central match convert list

Controller Setup

  • Central API credentials configured on the Mobility Master
  • AP names in convert list exactly match Central inventory names
  • Convert list contains only AOS-10-eligible APs
  • Controller has management network connectivity

Company Network Alternatives to Aruba Central

If your organization cannot use Aruba Central servers directly, these are infrastructure options available on your company network:

Internal DNS

Alternative

Standard: DNS server on company network

Company Alternative: On-premises DNS (e.g., Active Directory, BIND)

Impact: For hostname resolution (apigw-prod2.central.arubanetworks.com lookup)

Notes: Must support CNAME/A record resolution to Central

NTP / Time Sync

Alternative

Standard: Network Time Protocol for clock synchronization

Company Alternative: Company NTP servers (e.g., Active Directory NTP, internal NTP pool)

Impact: Pre-validate validates timestamps; clock skew causes auth failures

Notes: Recommended: UTC offset ±5 seconds max for API authentication

Proxy / Web Filter

Alternative

Standard: Outbound HTTPS inspection or gateway

Company Alternative: Corporate proxy with Central URL bypass or whitelist

Impact: If present, must be configured to pass Central API traffic transparently

Notes: Certificate inspection on Central API will cause validation failures

SYSLOG / Audit Logging

Alternative

Standard: Controller-side event logging

Company Alternative: Company SYSLOG servers (e.g., Splunk, ELK, Graylog)

Impact: Pre-validate results can be logged locally, no Central dependency

Notes: Configure on controller: 'log4 level info' and 'log4 syslog'

Aruba Central On-Premises

Alternative

Standard: Local Central instance (if licensed)

Company Alternative: On-premises Aruba Central (Data Center version)

Impact: Pre-validate points to local Central instance instead of cloud

Notes: Requires license and separate deployment; all APs must be migrated to local Central first

Pre-Validate Failure Scenarios

Device not found

Cause: AP not added to Aruba Central inventory

Resolution: Add AP to Central via UI or API

No subscription

Cause: AP registered in Central but no license assigned

Resolution: Assign Aruba Central subscription/license to AP

Central unreachable

Cause: Controller cannot reach apigw-prod2.central.arubanetworks.com:443

Resolution: Check firewall, proxy, DNS; verify outbound HTTPS allowed

API auth failed

Cause: Bearer token invalid or expired

Resolution: Regenerate Central API key and update controller settings

Time sync issue

Cause: Controller clock skew > ±5 seconds

Resolution: Sync controller time via NTP or manual adjustment

CNX group mismatch

Cause: AP group in controller doesn't exist in Central

Resolution: Create matching AP group in Central or update controller group name

Quick Reference: Pre-Validate Requirements

RequirementStandard (Aruba Central)Company AlternativeCritical?
Central API Gatewayapigw-prod2.central.arubanetworks.com:443On-premises Central (if licensed)✓ Yes
HTTPS / TLS 1.2+Port 443, encryptedCorporate TLS proxy (must not inspect Central)✓ Yes
API AuthenticationAruba Central bearer tokenCustom bearer (if using on-prem Central)✓ Yes
DNS ResolutionPublic DNSCompany DNS with external resolution✓ Yes
NTP / Time SyncAny NTP poolCompany NTP server✓ Yes (±5s max)
AP RegistrationAdded to Central inventoryPre-migration to local Central✓ Yes
Subscription / LicenseAruba Central subscriptionLicense assignment still required✓ Yes
Logging / AuditCentral consoleCompany SYSLOG servers○ Optional

Best Practices for Pre-Validate Success

  1. Verify controller → Central connectivity before running pre-validate (e.g., test with curl from controller)
  2. Check time sync on controller (must be within ±5 seconds of NTP time)
  3. Confirm API token is valid and has proper Central permissions
  4. Pre-populate Central inventory with all APs before running pre-validate
  5. Assign subscriptions/licenses to each AP in Central before pre-validate
  6. Run pre-validate on small batch first (5–10 APs) to validate infrastructure before full migration
  7. Review failure report — toolkit generates a TXT file listing all APs that failed and remediation steps