locked
Fresh Server 2012 unable to connect to WSUS RRS feed

  • Question

  • I've got an odd problem with any new server I build not being able to connect to the WSUS server after the first batch of updates. All servers are Windows Server 2012 Datacenter Edition. Here's how the problem presents itself:

    1.  I create a new VM in vCenter, boot to the Server 2012 ISO and install with GUI.

    2.  Install VMware Tools and configure network settings.

    3.  Join to domain.

    4. Launch Windows Update from Control Panel, install Windows Update update directly from Microsoft and then enable updates for all Microsoft products.

    5.  Close and relaunch Windows Update (by this time GPO has configured WSUS client settings) and check for updates.  Install about 160 updates from WSUS and reboot.

    At this point, I can no longer connect to the WSUS server for updates.  I can check/install directly from Microsoft just fine but if I try to check from WSUS I get error code 8024401C.  This only effects new servers.  Pre-existing servers using the exact same WSUS GPO settings work without any problems.

    I've tried all the basics with regard to resetting Windows Updates settings on the server.  Here's what I'm getting in the log:

    ###########
    2015-08-28	13:20:21:444	 832	b24	AU	## START ##  AU: Search for updates
    2015-08-28	13:20:21:444	 832	b24	AU	#########
    2015-08-28	13:20:21:444	 832	b24	AU	<<## SUBMITTED ## AU: Search for updates  [CallId = {CB653DB1-9EB4-42F6-82EA-8FAC7FD0195A} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
    2015-08-28	13:20:21:444	 832	e3c	Agent	*************
    2015-08-28	13:20:21:444	 832	e3c	Agent	** START **  Agent: Finding updates [CallerId = AutomaticUpdatesWuApp]
    2015-08-28	13:20:21:444	 832	e3c	Agent	*********
    2015-08-28	13:20:21:444	 832	e3c	Agent	  * Online = Yes; Ignore download priority = No
    2015-08-28	13:20:21:444	 832	e3c	Agent	  * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1"
    2015-08-28	13:20:21:444	 832	e3c	Agent	  * ServiceID = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7} Managed
    2015-08-28	13:20:21:444	 832	e3c	Agent	  * Search Scope = {Machine & All Users}
    2015-08-28	13:20:21:444	 832	e3c	Agent	  * Caller SID for Applicability: S-1-5-21-1559891966-2041265-1563503735-10285
    2015-08-28	13:20:21:444	 832	e3c	EP	Got WSUS Client/Server URL: "http://wsus.domain.com:8530/ClientWebService/client.asmx"
    2015-08-28	13:20:21:444	 832	e3c	Setup	Checking for agent SelfUpdate
    2015-08-28	13:20:21:444	 832	e3c	Setup	Client version: Core: 7.8.9200.17185  Aux: 7.8.9200.17185
    2015-08-28	13:20:21:444	 832	e3c	EP	Got WSUS SelfUpdate URL: "http://wsus.domain.com:8530/selfupdate"
    2015-08-28	13:20:21:444	 832	e3c	Misc	Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\wuident.cab with dwProvFlags 0x00000080:
    2015-08-28	13:20:21:460	 832	e3c	Misc	 Microsoft signed: NA
    2015-08-28	13:20:21:460	 832	e3c	Misc	 Infrastructure signed: Yes
    2015-08-28	13:20:21:460	 832	e3c	Misc	Validating signature for C:\Windows\SoftwareDistribution\SelfUpdate\TMP5651.tmp with dwProvFlags 0x00000080:
    2015-08-28	13:20:21:460	 832	e3c	Misc	 Microsoft signed: NA
    2015-08-28	13:20:21:460	 832	e3c	Misc	 Infrastructure signed: Yes
    2015-08-28	13:20:21:460	 832	e3c	Setup	FATAL: GetClientUpdateUrl failed, err = 0x8024D009
    2015-08-28	13:20:21:460	 832	e3c	Setup	Skipping SelfUpdate check based on the /SKIP directive in wuident
    2015-08-28	13:20:21:460	 832	e3c	Setup	SelfUpdate check completed.  SelfUpdate is NOT required.
    2015-08-28	13:20:21:975	 832	e3c	PT	+++++++++++  PT: Synchronizing server updates  +++++++++++
    2015-08-28	13:20:21:990	 832	e3c	PT	  + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = http://wsus.domain.com:8530/ClientWebService/client.asmx
    2015-08-28	13:20:21:990	 832	e3c	PT	WARNING: Cached cookie has expired or new PID is available
    2015-08-28	13:20:21:990	 832	e3c	EP	Got WSUS SimpleTargeting URL: "http://wsus.domain.com:8530"
    2015-08-28	13:20:21:990	 832	e3c	PT	Initializing simple targeting cookie, clientId = c3dc7a2c-f8d4-4f7e-88e6-eee941d84bc1, target group = Servers - Manual, DNS name = dev-sharepoint.domain.com
    2015-08-28	13:20:21:990	 832	e3c	PT	  Server URL = http://wsus.domain.com:8530/SimpleAuthWebService/SimpleAuth.asmx
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: Nws Failure: errorCode=0x803d0006
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: Original error code: 0x80072ee2
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: There was an error communicating with the endpoint at 'http://wsus.domain.com:8530/ClientWebService/client.asmx'.
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: There was an error receiving the HTTP reply.
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: The operation did not complete within the time allotted.
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: The operation timed out
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: Web service call failed with hr = 8024401c.
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: Current service auth scheme='None'.
    2015-08-28	13:22:11:446	 832	e3c	WS	WARNING: Proxy List used: '(null)', Bypass List used: '(null)', Last Proxy used: '(null)', Last auth Schemes used: 'None'.
    2015-08-28	13:22:11:446	 832	e3c	WS	FATAL: OnCallFailure(hrCall, m_error) failed with hr=0x8024401c
    2015-08-28	13:22:11:446	 832	e3c	PT	WARNING: PTError: 0x8024401c
    2015-08-28	13:22:11:446	 832	e3c	PT	WARNING: SyncUpdates_WithRecovery failed.: 0x8024401c
    2015-08-28	13:22:11:446	 832	e3c	PT	WARNING: Sync of Updates: 0x8024401c
    2015-08-28	13:22:11:446	 832	e3c	PT	WARNING: SyncServerUpdatesInternal failed: 0x8024401c
    2015-08-28	13:22:11:446	 832	e3c	Agent	  * WARNING: Failed to synchronize, error = 0x8024401C
    2015-08-28	13:22:11:446	 832	e3c	Agent	  * WARNING: Exit code = 0x8024401C
    2015-08-28	13:22:11:446	 832	e3c	Agent	*********
    2015-08-28	13:22:11:446	 832	e3c	Agent	**  END  **  Agent: Finding updates [CallerId = AutomaticUpdatesWuApp]
    2015-08-28	13:22:11:446	 832	e3c	Agent	*************
    2015-08-28	13:22:11:446	 832	e3c	Agent	WARNING: WU client failed Searching for update with error 0x8024401c
    2015-08-28	13:22:11:446	 832	ba0	AU	>>##  RESUMED  ## AU: Search for updates [CallId = {CB653DB1-9EB4-42F6-82EA-8FAC7FD0195A} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
    2015-08-28	13:22:11:446	 832	ba0	AU	  # WARNING: Search callback failed, result = 0x8024401C
    2015-08-28	13:22:11:446	 832	ba0	AU	#########
    2015-08-28	13:22:11:446	 832	ba0	AU	##  END  ##  AU: Search for updates  [CallId = {CB653DB1-9EB4-42F6-82EA-8FAC7FD0195A} ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}]
    2015-08-28	13:22:11:446	 832	ba0	AU	#############
    2015-08-28	13:22:11:446	 832	ba0	AU	All AU searches complete.
    2015-08-28	13:22:11:446	 832	ba0	AU	  # WARNING: Failed to find updates with error code 8024401c
    2015-08-28	13:22:11:446	 832	ba0	AU	AU setting next detection timeout to 2015-08-29 01:22:11

    Any ideas out there?


    • Edited by GavenBP Friday, August 28, 2015 8:41 PM
    Friday, August 28, 2015 8:28 PM

All replies

  • The first batch of updates working may have been a fluke. Now even that does not work. The ReportingEvents.log in SoftwareDistribution shows this error:

    {D5E925A0-EE28-4762-B4ED-223EABF3246D} 2015-08-28 13:54:22:424-0700 1 148 [AGENT_DETECTION_FAILED] 101 {00000000-0000-0000-0000-000000000000} 0 8024401c AutomaticUpdates Failure Software Synchronization Windows Update Client failed to detect with error 0x8024401c.

    The IIS log shows multiple posts to 'http://wsus.domain.com:8530/ClientWebService/client.asmx' which would appear to be where it gets stuck.

    • Edited by GavenBP Saturday, August 29, 2015 12:43 AM Better information
    Friday, August 28, 2015 8:43 PM
  • Hi,

    According to the log, client can't access the WSUS server with the error code HTTP 408, which means that the server timed out waiting for the request.

    Serveral reasons may cause this error, such as firewall, proxy, system file corruption.

    Please try to use dism to check if any system file is corrupt on the client.

    https://support.microsoft.com/en-us/kb/947821

    If it doesn't work, please disable the firewall on both server and client.

    If it still doesn't work, we may need to perform a network capture on the WSUS server to check the detailed communication between server and client.

    To download network monitor, please click the link below:

    https://www.microsoft.com/en-hk/download/details.aspx?id=4865

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, August 31, 2015 1:51 AM
  • I ran DISM on both WSUS server and client - no change. Firewall is already disabled on both. Servers are in the same layer 2 subnet so there's no router in the middle. I did a network capture. I see a bunch of checksum errors - maybe that's a clue. How do I send you the capture file?
    Monday, August 31, 2015 7:20 PM
  • Is your WSUS itself patched and up to date with

    https://support.microsoft.com/en-au/kb/2938066 ?

    (it sounds a little bit like your new servers are getting updates ok from MSFT but then can't communicate with your WSUS, which could be due to your WSUS needing an update)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, August 31, 2015 9:42 PM
  • It would appear that my WSUS server is fully patched.  Checking from both itself and Microsoft show no available updates and if I try to install the update you linked it says it's already installed.

    I'm thinking the reason existing server can still connect and new ones can't must have something to do with setting up the agent on the client side.  I suppose I could test by removing SoftwareDistribution folder from a working server but I really don't like the idea of trying to break a production server when the result isn't even expected to yield a solution.

    FYI - I compared all the advanced NIC setting between working and non-working servers and found no differences.  As such, I don't think it's the VXNet3 driver.

    Regardless, thank you.

    Monday, August 31, 2015 11:10 PM
  • Update: This is not specific to new Server 2012 VMs. Brand new Windows 7 x64 laptop have the same problem. Workstations that were already registered with WSUS continue to work just fine. New computers do show in the WSUS console but they never report status.
    Tuesday, September 1, 2015 8:34 PM
  • Log on to any of the affected machines and check the WindowsUpdate.log within the Windows directory, this should give you more insight.
    • Proposed as answer by Gramelot Tuesday, September 1, 2015 8:42 PM
    • Unproposed as answer by GavenBP Wednesday, September 2, 2015 12:31 AM
    Tuesday, September 1, 2015 8:42 PM
  • Thank you for your comment. Please refer to the code block in my first post. Best I can tell I'm getting Layer-3 checksum errors on new clients when posting to this URL: http://wsus.domain.com:8530/ClientWebService/client

     
    Tuesday, September 1, 2015 11:37 PM
  • I don't consider this a solution but I have stumbled upon a work around. If I change the client configuration from http on 8530 to https on 8531 the checksum errors go away and clients can install the WUA and register with the WSUS server.  That makes me think this is actually an IIS problem.
    Wednesday, September 2, 2015 10:07 PM