How to troubleshoot WSUS connection failures

Applies to: System Center Configuration Manager (current branch - version 1610)System Center Configuration Manager (current branch - version 1702)System Center Configuration Manager (current branch - version 1706) More

Home users: This article is intended only for technical support agents and IT professionals. If you're looking for help with a problem, please ask the Microsoft Community.

Introduction


This article introduces several procedures for troubleshooting Windows Server Update Service (WSUS) connection failures.

Verify the prerequisites


  • If you are using WSUS 3.0 SP2 on Windows Server 2008 R2, you must have update KB 4039929 or a later-version update package installed on the WSUS server.

    To verify the server version, follow these steps:
     
    1. Open the WSUS console.
    2. Click the server name.
    3. Locate the version number under "Overview, Connection, Server Version."
    4. Check whether the version is 3.2.7600.283 or a later version.
  • If you are using WSUS on Windows Server 2012 or a later version, you must have one of the following Security Quality Monthly Rollups or a later-version rollup installed on the WSUS server:

Note If you're using System Center Configuration Manager and the Software Update Point is installed on a remote site system server, the WSUS Administration console must be installed on the site server. For WSUS 3.0 SP2, KB 4039929 or a later update must also be installed on the WSUS Administration console. After you install 4039929 (remotely or locally), a server restart is required. After the restart, check whether the issue persists.

Troubleshoot connection failures


To troubleshoot connection failures, follow these steps:

  1. Verify that the Update Services service and the World Wide Web Publishing Service are running on the WSUS server.
  2. Verify that the default website or WSUS Administration website is running on the WSUS server.
  3. Review the IIS logs for the WSUS Administration website (c:\inetpub\logfiles), and check for errors.

Code definitions

The following table defines common error codes. For more information about HTTP status code in IIS, see The HTTP status code in IIS 7.0, IIS 7.5, and IIS 8.0.

ID

Explanation

200

Success

206

Continuation: OK

401

Authorization: OK if followed by 200

403

Access failure: Certificate issues or incorrect IIS configuration.

404

Not found: Missing Virtual directory or IIS configuration

500

Service not available

503

Busy: This can be caused by a WSUS application pool memory issue or just too many client connections. To fix the issue, increase the WSUS Application Pool Private memory limit to 4–8 GB. Some environments may require more than 8 GB; adjust this setting as needed.

See Configure an Application Pool to Recycle after Reaching Maximum Used Memory (IIS 7).


Note Accessing most WSUS URLs in a browser will return a "403" error.

"503" errors in IIS may be accompanied by "xxxx2ee2" errors in the c:\windows\windowsupdate.logs file on clients.

To resolve "503" IIS errors, a client time-out, or a large number of roundtrip errors, see the following WSUS maintenance blog entry:

The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance.

If a client’s IP address doesn't appear in the IIS logs, verify that the client is set to connect to the correct WSUS server. This situation may also occur because of network blocking or because the server logs a special error.

  • On the WSUS server, check the C:\windows\system32\logfiles\httperr logs for errors.
  • On the client, check the following registry subkey to determine whether the correct FQDN of the WSUS server is set:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Note For Configuration Manager clients, check the ccm\logs\locationservices.log for a WSUS entry to verify that the client is getting the correct server URL. You may have to force the Configuration Manager client to run another scan by using the Software Updates Scan Cycle from the agent in order for the service to log this entry.