Software Bulletin fails to download via PRC

Article Id: 170251
Status: Published
Updated On: 11-10-2017 10:16
Legacy Id: TECH247770
Products:
Patch Management Solution for Windows
Issue/Introduction:

Opened the Console > Actions > Software > Patch Remediation Center (PRC); highlighted the desired Bulletin(s) > Right-click > Download Packages and found the process failed to complete on several individual Software Updates

  • Note: Right-click > Distribute Packages; executes the Software Update Policy Wizard for creating the necessary policy to distribute the packages and this process also downloads the packages pre-emptively before distributing them to the target Clients.

Error downloading file - AcroRdrDCUpd1701220098_MUI.msp [C:\Program Files\Altiris\Patch Management\Packages\Updates\APSB17-24\{18fd1d47-603b-4f6e-a6eb-1dfcc137b28f}\AcroRdrDCUpd1701220098_MUI.msp] from ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/1701220098/AcroRdrDCUpd1701220098_MUI.msp. Error: Exception of type 'Altiris.NS.TaskManagement.TaskStoppedException' was thrown.

Cause:

Separate situational causes confirmed via WireShark or network sniffing tool: 

  1. Confirmed download was hindered by Firewall, Router or other network security device as the vendor (e.g. Adobe) appeared to be providing the URL via a DNS round-robin distribution:
    • Isolated the IP needed to be whitelisted for download by Filtering trace results on Source/Destination IP Filter with SMP Server IP control
       
  2. Confirmed download was hindered due to TCP Checksum Offload settings being disabled on the SMP Server:​
    • ​ Note: During the download process; each individual Software Update Package is assigned a checksum on successful download completion. The checksum of the package size and contents are stored in the database and referenced to the snapshot.xml physically stored on the SMP Serve
      • This provides a layer of security that prevents an individual from inserting anything malicious or otherwise unwanted into the package, for it would modify the size or contents as the checksum is compared with that of the xml from the database, and that will result in the package continually retrying download within the environment. Moreover, the Software Update will never be executed until it is confirmed status is Ready and scheduled on the hash check for the checksum across the environment.

Resolution:

Worked through the following remedial steps per confirmed cause cited above:

  1. Configure network security devices to allow URL to pass:
    • Whitelist IP's URL to open communications from the SMP Server's network and download the packages.
    • Utilize the Mask Maker Tool to isolate which URL's are required for the enabled Vendor & Software within the PMImport from TECH186657
       
  2. Configure the Checksum Offload: Disabled on the SMP Server
    • Additional settings have also been utilized as follows to help resolve the issue in another environment:
      • Chimney: Disabled
      • Autotuninglevel: Disabled
      • Congestionprovider: None
      • Ecncapability: Disabled
      • Taskoffload: Disabled
      • Timestamps: Disabled
      • RSS: Enable

Workaround to allow for Software Update distribution to get Compliance Reports in order while troubleshooting via WireShark Trace review:

  • Utilize an ITMS Console of the same version without network restrictions to download the packages:
    • Open the Console > Actions > Software > Patch Remediation Center
      • Highlight the failing Bulletin; right-click > Download/Distribute Packages
      • Store the successful downloaded Software Bulletin Package to be accessed by the SMP Server failing to download
         
  • Utilize the non-working ITMS Console: 
    • Open the Console > Settings > All Settings > Software > Patch Management > Core Settings
      • Modify the Locations tab; Download from staging location: Input Stored Software Bulletin Package local directory
    • Open the Console > Actions > Software > Patch Remediation Center:
    • Highlight the failing Bulletin; right-click > Download/Distribute Packages
    • Reconfigure Core Settings for Patch back to out-of-box to proceed with troubleshooting failed download following compliance for updates being in order
       
  • This process is detailed further in HOWTO59024; documenting the supported method for distributing updates within a DMZ, for this will temporarily resolve the issue until the root cause can be isolated and resolved

Additional articles of which to be aware:

  • TECH234933: FTP proxy known issue in ITMS 8.0
  • TECH224315: failure downloading due to database corruption on specific updates
  • TECH159956: Updates stuck in Retrying status on Client(s)
  • HOWTO54143: How to whitelist URL is using Symantec Web Gateway