If I use BITSadmin then I get info like the one below - I'm guessing error
0x00000005 means access denied but I'm not sure what's denying access!
The proxy server listed is working fine (and allows anonymous access; it's a
Squid server)
I've completely uninstalled and reinstalled WSUS; it performs the initial
synch and gets details of about 6,000 updates but then fails to download the
updates.
I've checked permissions on the d:\wsus folder and sub-folders; network
service has rights there (full control on the "wsuscontent" folder). I've
monitored the process with sysinternals procmon; this shows the svchost
process creating folders under d:\wsus\wsuscontent and a zero byte temp file.
The BITS process then just stops, giving the transient error message.
Where do I go next??
Steve Rochford
GUID: {04884D31-7316-4300-A810-66B28E0424E2} DISPLAY: 0bdb6950-a724-4ad9-8948-0633bc81d2bf
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: NT AUTHORITY\NETWORK SERVICE
PRIORITY: HIGH FILES: 0 / 1 BYTES: 0 / UNKNOWN
CREATION TIME: 30/03/2008 14:14:43 MODIFICATION TIME: 30/03/2008 14:14:44
COMPLETION TIME: UNKNOWN
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 86400 ERROR COUNT: 1
PROXY USAGE: OVERRIDE PROXY LIST: wstud5:3128 PROXY BYPASS LIST: <local>
ERROR FILE: http://au.download.windowsupdate.com/msdownload/update/v5/eula/officexpeula_esn.txt -> d:\WSUS\WsusContent\DB\0877EE578B633B547ADEEE386E04C570E50D33DB.txt
ERROR CODE: 0x800703eb - Cannot complete this function.
ERROR CONTEXT: 0x00000005 - The error occurred while the remote file was being processed.
DESCRIPTION: SUSFile
JOB FILES:
    0 / UNKNOWN WORKING http://au.download.windowsupdate.com/msdownload/update/v5/eula/officexpeula_esn.txt -> d:\WSUS\WsusContent\DB\0877EE578B633B547ADEEE386E04C570E50D33DB.txt
NOTIFICATION COMMAND LINE: none
> Using WSUS 3.0 SP1; it has been working fine but has now stopped
> downloading updates.
You know what the standard question is to any issue that starts with "it was
working.. but now it isn't"???
So..... What Changed???
> The proxy server listed is working fine (and allows anonymous access; it's
> a Squid server)
Ahh.. the infamous Squid_Server_With_WSUS scenario.
Obviously it's *NOT* "working fine".. or you'd be able to download content
(like you were before). :-)
> I've completely uninstalled and reinstalled WSUS; it performs the initial
> synch and gets details of about 6,000 updates but then fails to download
> the updates.
The Squid server is the culprit, no doubt.
Did your "Squid administrator" make some changes, enhancements, upgrades,
etc. recently to the Squid server?
> Where do I go next??
The first place I'd start is a simple Google search on the two keywords
"Squid" and "WSUS",
but a more directed search on Google Groups against this newsgroup
(microsoft.public.windows.server.update_services)
is guaranteed to drop a half dozen or so threads, one or more of which
concerns your situation, I expect.
The Google search will get you links like these:
http://microsoft-server-operating-systems.hostweb.com/TopicMessages/microsoft.public.windows.server.update_services/1976464/1/Default.aspx
(which is actually a copy of a thread from this newsgroup in October,
2006)
http://blog.tiensivu.com/aaron/archives/79-Squid,-BITS,-WSUS-and-you-they-all-dont-get-along..html
--
Lawrence Garvin, M.S., MCBMSP, MCTS(x4), MCP
Senior Data Architect, APQC, Houston, Texas
Microsoft MVP - Software Distribution (2005-2008)
MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
Only thing I'm aware of that's changed is that the IP range allowed to use
Squid has been reduced but the WSUS server is still in the allowed range. If I
set IE to use the Squid proxy then it works fine. Sophos enterprise console
is on the same server, configured to use the same squid server and it works
fine.
> > The proxy server listed is working fine (and allows anonymous access; it's
> > a Squid server)
>
> Ahh.. the infamous Squid_Server_With_WSUS scenario.
>
> Obviously it's *NOT* "working fine".. or you'd be able to download content
> (like you were before). :-)
>
>
> > I've completely uninstalled and reinstalled WSUS; it performs the initial
> > synch and gets details of about 6,000 updates but then fails to download
> > the updates.
>
> The Squid server is the culprit, no doubt.
Seems likely but what I should also have mentioned is that I've also pointed
the WSUS server at an ISA 2004 server and it fails in the same way. There's
nothing in the log on either the ISA server or the Squid server to suggest
that an attempt was made which was denied or failed (nothing at all showing
an attempt to retrieve from microsoft.com or windowsupdate.com)
> > Where do I go next??
>
> The first place I'd start is a simple Google search on the two keywords
> "Squid" and "WSUS",
> but a more directed search on Google Groups against this newsgroup
> (microsoft.public.windows.server.update_services)
> is guaranteed to drop a half dozen or so threads, one or more of which
> concerns your situation, I expect.
>
> The Google search will get you links like these:
<snip>
Thanks - I've looked at those but they just seem to be people saying "Squid
doesn't work with my WSUS" rather than how to fix it! More than happy to
abandon Squid if I could get it working with ISA instead. On the ISA server
I've set the first rule to allow all outbound protocols from 10.128.0.2 to
the external network for all users - I'm guessing that this should let
everything through which WSUS needs but no joy.
In an attempt to completely take WSUS out of the picture I've used bitsadmin
to create a job to just download a web page; this also fails in the same way
so I'm wondering if the problem is with BITS rather than WSUS but I don't
know what I can do to troubleshoot that!
Steve
> More than happy to
> abandon Squid if I could get it working with ISA instead.
I'll be happy to help you troubleshoot the scenario with ISA. I know for a
fact it works with ISA2000 and ISA2004 (I'm currently running my system thru
ISA2004.)
> On the ISA server
> I've set the first rule to allow all outbound protocols from 10.128.0.2 to
> the external network for all users - I'm guessing that this should let
> everything through which WSUS needs but no joy.
It should. So, what does the ISA Monitor say about the WSUS Server
attempting to access the outside world through the ISA firewall?
Does the ISA Server require authentication? Did you recently upgrade your
WSUS Server? (One of those "things that changed" concerns.)
If yes to either of these, RESET the account name and password stored in
the WSUS Proxy Authentication configuration.
Note also that WSUS 3 SP1 now provides TWO port definitions for use with a
proxy -- one for HTTP, and a separate one for HTTPS. I believe both ports
will need to be properly identified -- even if the ISA is just passing
through the traffic on the same port.
> In an attempt to completely take WSUS out of the picture I've used
> bitsadmin to create a job to just download a web page; this also fails in
> the same way so I'm wondering if the problem is with BITS rather than WSUS
> but I don't know what I can do to troubleshoot that!
It could be. As noted in the Squid articles, there's a known issue with how
BITS sends authentication information. If your ISA Server requires
authentication, it could be that BITS is not properly authenticating with
the ISA Server (or the Squid server, for that matter).
The key, in any event, will be in the ISA Monitor logs. Set up a filter on
the monitor to look at only traffic that sources from the WSUS Server, so
you can easily see the allowed/denied events for the WSUS Server. Then
initiate a manual synchronization from the WSUS Server and note what is
logged on the ISA.
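
The same source-filtered log check, applied to the Squid side of this thread, as an added example that is not part of the original posts. It assumes Squid's native access.log layout and that 10.128.0.2 is the WSUS server; the log lines are constructed sample data.

```python
from collections import Counter
from urllib.parse import urlsplit

WSUS_IP = "10.128.0.2"  # assumption: the WSUS server (source address in the ISA rule)
UPDATE_DOMAINS = ("windowsupdate.com", "microsoft.com")

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1206886483.120    210 10.128.0.2 TCP_MISS/200 4312 GET http://updates.example.com/ide.zip - DIRECT/192.0.2.10 application/zip
1206886484.515      2 10.128.0.2 TCP_DENIED/407 1780 HEAD http://au.download.windowsupdate.com/msdownload/update/v5/eula/officexpeula_esn.txt - NONE/- text/html
1206886490.002    145 10.128.0.9 TCP_MISS/200 9120 GET http://www.microsoft.com/ - DIRECT/192.0.2.20 text/html
"""

def is_update_host(host, domains=UPDATE_DOMAINS):
    """True for a listed domain or any subdomain of it (not mere suffix matches)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def summarize(log_text, client_ip=WSUS_IP):
    """Count (method, result/status) pairs for update traffic from one client."""
    results = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != client_ip:
            continue  # malformed line, or traffic from another machine
        url = fields[6]
        # CONNECT entries log "host:port" instead of a full URL.
        host = urlsplit(url).hostname or url.split(":")[0].lower()
        if is_update_host(host):
            results[(fields[5], fields[3])] += 1
    return results

def verdict(results):
    """Separate 'the proxy refused it' from 'the request never arrived'."""
    if not results:
        return "no requests logged: traffic is not reaching this proxy"
    denied = sum(n for (_, res), n in results.items()
                 if res.startswith("TCP_DENIED"))
    return f"{denied} denied of {sum(results.values())} logged"

if __name__ == "__main__":
    print(verdict(summarize(SAMPLE_LOG)))
```

An empty result for the WSUS address matches what is reported earlier in the thread (nothing in either proxy log), which points at the client side rather than at a proxy rule.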