locked
Win2008 servers not updating through WSUS RRS feed

  • Question

  • I support servers at multiple locations and recently a number of the servers have stopped pulling updates from WSUS.  They either appear as "Not yet reported" or have an old Last reported date.  This issue appears to be proxy related, even though these servers do not go through a proxy.  Below is the extract from one of the Windowsupdate.log files -

    WARNING: Send failed with hr = 80072f78.
    WARNING: SendRequest failed with hr = 80072f78. Proxy List used: <ISAProxySrv:3141> Bypass List used : <(null)> Auth Schemes used : <>
    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072f78
    Last proxy send request failed with hr = 0x80072F78, HTTP status code = 0
    Caller provided proxy = No
    Proxy list used = ISAProxySrv:3141
    Bypass list used = <NULL>
    Caller provided credentials = No
    Impersonate flags = 0
    Possible authorization schemes used

    I assume the issue is with that "Proxy List used: <ISAProxySrv:3141>.   I have no idea where that is coming from.

    I've attempted to clear the setting using netsh winhttp commands, and a show proxy returns with Direct Access (no proxy server).  In IE, the Auto Detect is not checked.  I've researched and read through a lot of the sites related to that 80072f278 error, and I've yet to find anything that is fixing this problem.  It started happening on 8/27/2014 on all of the servers at one site, and one 1 or 2 servers at 4 other sites.

    I am at a loss...

    Wednesday, October 1, 2014 7:30 PM

Answers

  • Figured it out.  We had a company doing penetration tests that spoofed any of our servers on the vlans where the penetration servers were setup and were set to Auto Detect.

    Thanks for your help.

    • Marked as answer by PatSitel Tuesday, October 7, 2014 7:27 PM
    Tuesday, October 7, 2014 7:27 PM

All replies

  • Hi,

    First, make sure that the client can access the WSUS server. To verify this, please use the command below,

    • telnet hostname of WSUS server:port

    If telnet can't establish or keep the connection. It should be a network issue. Please consult your network administrator about this issue.

    To verify if the client use the proxy, please check the registry below,

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\

    Please make sure that no setting is under the Wpad and the value of ProxyEnable is 0.

    Best Regards.



    Steven Lee

    TechNet Community Support

    Thursday, October 2, 2014 8:25 AM
  • Hi Steven, thanks for the reply.

    Telnet connects without issue.  The ProxyEnable was already set to 0, and I cleared out the entries under WPAD.  I stopped and started the wuauserv and bits and tried windows update again, still getting an error.  Log below-

    Server URL = https://(servername removed)/SimpleAuthWebService/SimpleAuth.asmx
    WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <ISAProxySrv:3141> Bypass List used : <(null)> Auth Schemes used : <>
    FATAL: SOAP/WinHttp - SendRequest: SendRequestUsingProxy failed. error 0x80072ee2
    Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
    Caller provided proxy = No
    Proxy list used = ISAProxySrv:3141
    Bypass list used = <NULL>
    Caller provided credentials = No
    Impersonate flags = 0
    Possible authorization schemes used =
    WARNING: GetAuthorizationCookie failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
    WARNING: Failed to initialize Simple Targeting Cookie: 0x80072ee2
    WARNING: PopulateAuthCookies failed: 0x80072ee2
    WARNING: RefreshCookie failed: 0x80072ee2
    WARNING: RefreshPTState failed: 0x80072ee2
    WARNING: Sync of Updates: 0x80072ee2
    WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
    WARNING: Failed to synchronize, error = 0x80072EE2
    WARNING: Exit code = 0x80072EE2
    *********
    **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    *************
    WARNING: WU client failed Searching for update with error 0x80072ee2
    >>##  RESUMED  ## AU: Search for updates [CallId = {A8E22B13-94EE-4634-8794-233BAFB151D3}]
    # WARNING: Search callback failed, result = 0x80072EE2
    # WARNING: Failed to find updates with error code 80072EE2
    #########
    ##  END  ##  AU: Search for updates [CallId = {A8E22B13-94EE-4634-8794-233BAFB151D3}]
    #############
    Need to show Unable to Detect notification
    Successfully wrote event for AU health state:1
    AU setting next detection timeout to 2014-10-02 21:23:57
    Setting AU scheduled install time to 2014-10-06 08:00:00
    Successfully wrote event for AU health state:1
    Successfully wrote event for AU health state:1
    WARNING: Cached cookie has expired or new PID is available
    Initializing simple targeting cookie, clientId = af032ded-6033-4518-8951-3bfd0f1df801, target group = NAC-DC, DNS name = us200k8nacdc04.nac.sitel-world.net
    Server URL = https://(servername removed)/SimpleAuthWebService/SimpleAuth.asmx

    Thursday, October 2, 2014 4:37 PM
  • I assume the issue is with that "Proxy List used: <ISAProxySrv:3141>.

    I concur.
    I have no idea where that is coming from.

    I've attempted to clear the setting using netsh winhttp commands, and a show proxy returns with Direct Access (no proxy server).  In IE, the Auto Detect is not checked.

    And does this permanently resolve the situation on those machines, or does the issue return?
    It started happening on 8/27/2014 on all of the servers at one site, and one 1 or 2 servers at 4 other sites.
    So there's a major clue! WHO changed WHAT on August 27???

    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Sunday, October 5, 2014 7:12 AM
  • Figured it out.  We had a company doing penetration tests that spoofed any of our servers on the vlans where the penetration servers were setup and were set to Auto Detect.

    Thanks for your help.

    • Marked as answer by PatSitel Tuesday, October 7, 2014 7:27 PM
    Tuesday, October 7, 2014 7:27 PM
  • Thanks, This was exactly my issue as well. I had a company perform Security Penetration Testing and noticed 'ISAProxySrv:3141'  Proxy setting in the C:\WindowsUdates.log file. The affected server couldn't communicate to our SCCM 2012 server and download updates. I ran the command prompt (admin), used the following netsh command to reset my proxy to direct access.

    netsh winhttp>reset proxy

    Within 15-20 minutes my updates began to download.


    Thursday, January 21, 2016 4:51 PM