Clients have the primary network ip range 10.x.x.x. Some clients acting as GUPs have a second backend or admin network in the 192.168.x.x or 172.x.x.x range. These "admin" networks are not accessible by the other clients. Sometimes the GUP is advertising the inaccessible "admin" IP address to clients for updates and this is not working.
If the "admin" network addresses are disabled the clients can update normally.
Client agent acting as GUP has multiple networks it can access.
The secondary admin network is a common "192.168.1.x" subnet. They have multiple locations that are using the same network address and mask for this admin network. They have a Live Update Policy with all of the GUP types selected, both Explicit and Dynamic.
The dynamic GUP provider selection they have used a registry setting to signify a machine is a GUP. This setting is what causing the problem since it is a dynamic GUP assignment.
GUPs with interfaces on inaccessible networks are propagating these inaccessible network addresses to agents for updates thus causing these agents to try to receive an update on from an invalid address, which fails.
Remove the first option for GUP provider list; 'Multiple Group Update Providers", and only use the last two options, Explicit or Single Group Update Provider. The "Multiple Group Update Provider" option is a dynamic option. Using the second two options which are both explicit allows the customer to specify what addresses to use for GUP. It is explicit and does not allow the dynamic propagation of invalid network addresses.
They could also address the invalid networking configuration that they have set up and allow access to the admin network to all of the clients. Doing this would also allow it to work.