How to troubleshoot WSUS connection failures
This article introduces several procedures for troubleshooting Windows Server Update Service (WSUS) connection failures.
Home users: This article is intended only for technical support agents and IT professionals. If you're looking for help with a problem, ask the Microsoft Community.
Original product version: Configuration Manager (current branch)
Original KB number: 4025764
Verify the prerequisites
If you are using WSUS 3.0 SP2 on Windows Server 2008 R2, you must have update 4039929 or a later-version update package installed on the WSUS server.
To verify the server version, follow these steps:
- Open the WSUS console.
- Click the server name.
- Locate the version number under Overview > Connection > Server Version.
- Check whether the version is 3.2.7600.283 or a later version.
If you are using WSUS on Windows Server 2012 or a later version, you must have one of the following Security Quality Monthly Rollups or a later-version rollup installed on the WSUS server:
If you're using Configuration Manager and the software update point is installed on a remote site system server, the WSUS Administration Console must be installed on the site server. For WSUS 3.0 SP2, KB 4039929 or a later update must also be installed on the WSUS Administration console. After you install 4039929 (remotely or locally), a server restart is required. After the restart, check whether the issue persists.
Troubleshoot connection failures
To troubleshoot connection failures, follow these steps:
- Verify that the Update Services service and the World Wide Web Publishing Service are running on the WSUS server.
- Verify that the Default website or WSUS Administration website is running on the WSUS server.
- Review the IIS logs for the WSUS Administration website (
c:\inetpub\logfiles), and check for errors.
The following table defines common error codes. For more information about HTTP status code in IIS, see The HTTP status code in IIS 7 and later versions.
|401||Authorization: OK if followed by 200|
|403||Access failure: Certificate issues or incorrect IIS configuration.|
|404||Not found: Missing Virtual directory or IIS configuration|
|500||Service not available|
|503||Busy: This can be caused by a WSUS application pool memory issue or just too many client connections. To fix the issue, increase the WSUS Application Pool Private memory limit to 4-8 GB. Some environments may require more than 8 GB; adjust this setting as needed. See Configure an Application Pool to Recycle after Reaching Maximum Used Memory (IIS 7).|
Accessing most WSUS URLs in a browser will return a 403 error.
503 errors in IIS may be accompanied by xxxx2ee2 errors in the
c:\windows\windowsupdate.log file on clients.
To resolve 503 IIS errors, a client time-out, or a large number of roundtrip errors, see The complete guide to WSUS and Configuration Manager SUP maintenance.
If a client's IP address doesn't appear in the IIS logs, verify that the client is set to connect to the correct WSUS server. This situation may also occur because of network blocking or because the server logs a special error.
On the WSUS server, check the
C:\windows\system32\logfiles\httperrlogs for errors.
On the client, check the following registry subkey to determine whether the correct FQDN of the WSUS server is set:
For Configuration Manager clients, check the
ccm\logs\locationservices.log file for a WSUS entry to verify that the client is getting the correct server URL. You may have to force the Configuration Manager client to run another scan by using the Software Updates Scan Cycle from the agent in order for the service to log this entry.