06-13-2024 06:25 PM
Hi,
I have whitelisted the below URLs on the SMA/M300 and pushed to the WSA:
delivery.mp.microsoft.com, .download.microsoft.com, .prod.do.dsp.mp.microsoft.com, .windowsupdate.microsoft.com, activation-v2.sls.microsoft.com, activation.sls.microsoft.com, checkappexec.microsoft.com, crl.microsoft.com, crl3.digicert.com, crl4.digicert.com, displaycatalog.md.mp.microsoft.com, displaycatalog.mp.microsoft.com, dl.delivery.mp.microsoft.com, dmd.metaservices.microsoft.com, edge.microsoft.com, fe2.update.microsoft.com, go.microsoft.com, licensing.mp.microsoft.com, login.live.com, microsoft.com, ocsp.digicert.com, purchase.mp.microsoft.com, settings-win.data.microsoft.com, slscr.update.microsoft.com, validation-v2.sls.microsoft.com, validation.sls.microsoft.com, wpa.one.microsoft.com, www.microsoft.com, .update.microsoft.com, .download.windowsupdate.com, update.microsoft.com, .windowsupdate.com, download.microsoft.com, windowsupdate.microsoft.com, ntservicepack.microsoft.com, wustat.windows.com, c.microsoft.com, watson.microsoft.com
However, the updates are not going through. I see the below in the access log. Any tips, please?
1718328206.235 412 10.5.179.66 TCP_MISS/200 39 CONNECT tunnel://slscr.update.microsoft.com:443/ - DIRECT/slscr.update.microsoft.com - OTHER-NONE-Jump_Host-NONE-NONE-NONE-DefaultGroup-NONE <"IW_swup",9.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_swup",-,"-","Software Updates","-","Unknown","Unknown","-","-",0.76,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - -
Thank you
Revantha
06-13-2024 11:49 PM
TCP_MISS/200
As far as the proxy is concerned, it is sending the request out from the WSA. Check whether any firewall after the WSA is blocking, or are you doing any HTTPS decryption?
06-14-2024 12:04 PM
Hello @Revantha
As you can see in the access log:
OTHER-NONE-Jump_Host-NONE-NONE-NONE-DefaultGroup
OTHER means: The Web Proxy did not complete the request due to an error, such as an authorization failure, server disconnect, or an abort from the client.
On the other hand, your traffic is hitting the WSA's predefined URL categories, not your Custom URL CAT: "IW_swup"
Maybe it is best to
[1] As Balaji mentioned, check the upstream devices.
[2] Take a PCAP on the WSA, filtered for the client IP and server IP address, to see if there is any interruption.
[3] There are some known issues (client side) related to slscr.update.microsoft.com.
I would say, can you please confirm this URL has the same behavior for all clients, or just some?
Windows Update: We couldn't connect to the update service. We'll try - Microsoft Community
[4] Also, it would be nice to filter the access logs for slscr.update.microsoft.com, and compare which policy and URL category it is hitting for other users, or other subnets.
Side note: since you are in explicit deployment, the WSA is doing the name resolution, so if you need to filter for the IP address of slscr.update.microsoft.com, you can run nslookup from the CLI and find the list of IP addresses resolved for this URL.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
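An added example, not code from any poster or from Cisco, of the comparison suggested in step [4]: it parses exported access log lines, keeps those for one destination host, and counts each combination of client, result code, decision tag, policy string and URL category. The first sample line is the one posted in this thread; the other two are constructed, and the script treats everything after the first hyphen of the decision field as one opaque policy string (an assumption).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Leading access log fields, the ACL decision field, and the first entry of
# the <...> verdict block (the URL category abbreviation).
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+'
    r'(?P<result>[A-Z_]+/\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+'
    r'(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+'
    r'(?P<acl>\S+)\s+<"?(?P<urlcat>[^",>]*)'
)

def parse(line):
    """Return a dict of fields for one access log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Assumption: first token is the decision tag, the rest are policy names.
    rec["decision"], _, rec["policies"] = rec["acl"].partition("-")
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec

def summarize(lines, host):
    """Count (client, result, decision, policies, urlcat) tuples for one host."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["host"] == host.lower():
            counts[(rec["client"], rec["result"], rec["decision"],
                    rec["policies"], rec["urlcat"])] += 1
    return counts

SAMPLE = [
    # Line posted in the thread.
    r'1718328206.235 412 10.5.179.66 TCP_MISS/200 39 CONNECT tunnel://slscr.update.microsoft.com:443/ - DIRECT/slscr.update.microsoft.com - OTHER-NONE-Jump_Host-NONE-NONE-NONE-DefaultGroup-NONE <"IW_swup",9.0,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_swup",-,"-","Software Updates","-","Unknown","Unknown","-","-",0.76,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - -',
    # Constructed lines: another client, hypothetical policy and category names.
    r'1718328300.100 950 10.5.180.20 TCP_MISS/200 5120 CONNECT tunnel://slscr.update.microsoft.com:443/ - DIRECT/slscr.update.microsoft.com - PASSTHRU_CUSTOMCAT_7-DP_Updates-Jump_Host-NONE-NONE-NONE-DefaultGroup-NONE <"C_MSUp",9.0,-> - -',
    r'1718328301.200 120 10.5.180.20 TCP_MISS/200 900 CONNECT tunnel://login.live.com:443/ - DIRECT/login.live.com - PASSTHRU_CUSTOMCAT_7-DP_Updates-Jump_Host-NONE-NONE-NONE-DefaultGroup-NONE <"C_MSUp",9.0,-> - -',
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE, "slscr.update.microsoft.com").items():
        print(n, *key, sep="\t")
```

Clients whose rows differ in decision tag, policy string or URL category for the same host are the ones to compare against the policy configuration.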