ADVFIREWALL blocking Windows Update
I have an issue on several Windows Server 2008 R2 machines. They are unable to get windows updates from our local wsus server. The windows advfirewall/Base Windows Filtering is blocking it.

2012-02-11 19:38:29 DROP TCP 172.31.84.232 172.31.84.211 46771 80 0 - 0 0 0 - - - SEND

I have reset the firewall to the default configuration and it continues to block. I set up some extra logging with Auditpol and get the following:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/02/2012 12:51:12
Event ID: 5152
Task Category: Filtering Platform Packet Drop
Level: Information
Keywords: Audit Failure
User: N/A
Computer: 'Servername'
Description:
The Windows Filtering Platform has blocked a packet.
Application Information:
    Process ID: 804
    Application Name: \device\harddiskvolume1\windows\system32\svchost.exe
Network Information:
    Direction: Outbound
    Source Address: 172.31.84.232
    Source Port: 51862
    Destination Address: 172.31.84.211
    Destination Port: 80
    Protocol: 6
Filter Information:
    Filter Run-Time ID: 104430
    Layer Name: Connect
    Layer Run-Time ID: 48
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5152</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12809</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-02-11T12:51:12.359715500Z" />
    <EventRecordID>1165585</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="84" />
    <Channel>Security</Channel>
    <Computer> 'Servername'</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="ProcessId">804</Data>
    <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
    <Data Name="Direction">%%14593</Data>
    <Data Name="SourceAddress">172.31.84.232</Data>
    <Data Name="SourcePort">51862</Data>
    <Data Name="DestAddress">172.31.84.211</Data>
    <Data Name="DestPort">80</Data>
    <Data Name="Protocol">6</Data>
    <Data Name="FilterRTID">104430</Data>
    <Data Name="LayerName">%%14611</Data>
    <Data Name="LayerRTID">48</Data>
  </EventData>
</Event>

If I stop the firewall for all profiles, it still blocks; only when I stop the Base Windows Filtering does it work. I can use IE to access web pages. I have disabled all rules in the firewall, deleting them all, and still it blocks. I have tried to put an any/any rule and it still fails. The ADVfirewall is configured with all profiles enabled and inbound set to block and outbound set to allow. Surely with the default rules Windows update should work. Any help would be most appreciated.
February 11th, 2012 3:01pm
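
One way to follow up the Filter Run-Time ID reported in the event above, as an added example that is not part of the original thread: look the ID up in a filter dump such as the one `netsh wfp show filters` writes to filters.xml. The filter entry below is constructed, the element names are assumed to match that dump, and `Resolve-WfpDrop` is a hypothetical helper.

```powershell
# Hypothetical helper: map the FilterRTID of a 5152 event to its WFP filter.
function Resolve-WfpDrop {
    param([xml]$EventXml, [xml]$FiltersXml)
    # Flatten <Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($d in $EventXml.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # Assumption: each filter <item> in the dump carries a <filterId> child.
    $hit = $FiltersXml.GetElementsByTagName('filterId') |
        Where-Object { $_.InnerText -eq $data['FilterRTID'] } |
        Select-Object -First 1
    $name = $null; $layer = $null; $action = $null
    if ($hit) {
        $item   = $hit.ParentNode
        $name   = $item.SelectSingleNode('displayData/name').InnerText
        $layer  = $item.SelectSingleNode('layerKey').InnerText
        $action = $item.SelectSingleNode('action/type').InnerText
    }
    # Empty FilterName means the ID is not in this dump; take a fresh one.
    New-Object PSObject -Property @{
        Application = $data['Application']
        Destination = $data['DestAddress'] + ':' + $data['DestPort']
        FilterRTID  = $data['FilterRTID']
        FilterName  = $name
        Layer       = $layer
        Action      = $action
    }
}

# EventData from the event posted above, trimmed to the fields used here.
$eventXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
  <Data Name="Application">\device\harddiskvolume1\windows\system32\svchost.exe</Data>
  <Data Name="DestAddress">172.31.84.211</Data>
  <Data Name="DestPort">80</Data>
  <Data Name="FilterRTID">104430</Data>
</EventData></Event>
'@
# CONSTRUCTED stand-in for the dump; on a real host use
# [xml](Get-Content .\filters.xml) after running: netsh wfp show filters
$filtersXml = [xml]@'
<wfpdiag><filters><item>
  <displayData><name>Example block filter (constructed)</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <filterId>104430</filterId>
  <action><type>FWP_ACTION_BLOCK</type></action>
</item></filters></wfpdiag>
'@
Resolve-WfpDrop -EventXml $eventXml -FiltersXml $filtersXml | Format-List
```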

Follow this http://technet.microsoft.com/en-us/library/dd939879(WS.10).aspx Check windowsupdate.log which will log the problem.
February 13th, 2012 11:39am

The error is Send failed with hr = 80072efd. It is the firewall on the local server which is blocking port 80 for svchost.exe. It seems to have something to do with the Windows Base Security somewhere.
February 13th, 2012 1:51pm

Hi, How did you stop the Base Windows Filtering? By stopping the Base Filtering Engine (BFE) service? The BFE service manages firewall and IPsec policies. If WSUS works fine after stopping BFE service, the problem may be caused by IPsec. I suggest you check the IPsec policies or temporarily disable it for a test. Meanwhile, as this problem is related to WSUS, I suggest you also ask in the WSUS forum. The support professional there may be more familiar with this issue and can help you in a more efficient way. WSUS forum http://social.technet.microsoft.com/Forums/en-US/winserverwsus/threads Hope the issue will be resolved soon. Regards, Bruce
February 16th, 2012 11:11am

