Onsite today and I was checking a WSUS 2.0 server to ensure that I approved any waiting patches etc. I found that the WSUS server had stalled in the download process. It could synchronise successfully, but it sat at Downloading 0.00MB of xx MB. Screenshot below.
Checked the event logs and found this error
Event Type: Error
Event Source: Windows Server Update Services
Event Category: Synchronization
Event ID: 364
Time: 9:18:32 AM
Content file download failed. Reason: The parameter is incorrect. Source File: /msdownload/update/v3-19990518/cabpool/windowsserver2003-kb938829-x86-enu_262c3433045b22164aadaae6c3eb761ee7737f18.exe Destination File: f:\WSUS\WsusContent\18\262C3433045B22164AADAAE6C3EB761EE7737F18.exe.
Did a quick google for "364 and WSUS" and found this site http://www.wsuswiki.com/TroubleshootingWSUSInProduction
It looked simple – setting the WSUS downloads to occur in the foreground. Tried that – using both methods – both failed.
Ok – I decided to disable all the caching in ISA 2006 as some of the content I read from the google search above suggested it might be cache related. Restarted the Update Services service on the WSUS server and waited…
Nope – that didn’t work either.
Ok – I need help – I need "The Amy Babinchak – ISA goddess extraordinaire" I pinged Amy and she’s sure she’s seen this before – last time it was the McAfee AV software. Hmm – I don’t have McAfee here, but I do have Trend CSM for SMB 3.6. I added an exclusion for the F:\WSUS directory (where the database and content is stored) and tried again. That didn’t work either.
Turned to ISA 2006 Logging. I set it to show all accesses from the client IP of the WSUS server. Below is the pattern we saw when we restarted the Update Services and forced a synch – the synch works, but the updates are not downloaded.
Hmm – I thought to myself – the third column shows that I’ve got WSUS configured to use the ISA Proxy server. There’s no denied results in there, so it didn’t look like a rule problem.
I decided to modify WSUS to not use the ISA Proxy server, and instead use ISA as a SecureNAT client. To do this you remove the ISA settings from the WSUS Synchronisation Options
Then I created a rule to allow outbound HTTP and HTTPS direct from the WSUS server in ISA 2006.
Save the configuration and retry – that worked!
WSUS is now happily downloading it’s update. No idea why I needed to do this but I did.
If you know – please let me know.