Windows update fails with ISATAP-like addresses
Bernhard Schmidt
berni at birkenwald.de
Fri Jul 24 08:33:19 CEST 2015
Hi,
> Hi Everyone,
>>
>> if anyone within MSFT could contact me on- or off-list about this issue
>> I would be very grateful.
>>
>> we run a reasonably large on-campus deployment of ISATAP for Windows
>> clients in areas where native IPv6 is not possible. This has worked fine
>> for years and still is. I'm well aware of all the pros and cons of
>> ISATAP and I don't want a religious debate about using tunnels right now.
>>
>> A couple of months ago we started hearing about stray Windows update
>> issues on Windows 8.1 hosts that had ISATAP connectivity. If the host
>> has native IPv6, VPN-tunneled IPv6 or no IPv6 at all it works just fine.
>>
>> The issue has now become more prevalent (also with Windows 7) and I had
>> the chance to debug this issue. The client displays an error code
>> 80072F76 (unknown error)
>
> I'm happy to report that the MSRC (Microsoft Security Response Center)
> followed up on this and Windows Update for ISATAP hosts is fixed since
> at least September 17th. According to them the fix is not final yet, but
> I can confirm that all our issues are resolved.
We are getting reports that this has been broken for at least four
weeks, again. ISATAP clients are broken, normal native clients work fine.
It is harder to trace from the outside this time since they are using
HTTPS this time. WindowsUpdate.log says
2015-07-24 07:09:51:479 936 e80 DnldMgr Contacting regulation server
for 2 updates.
2015-07-24 07:09:51:494 936 e80 IdleTmr WU operation (Regulator
Refresh) started; operation # 177; does use network; is at background
priority
2015-07-24 07:09:51:557 936 e80 EP Got
7971F918-A847-4430-9279-4A52D1EFE18D redir Client/Server URL:
"https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx"
2015-07-24 07:09:51:573 936 e80 PT WARNING: Cached cookie has expired
or new PID is available
2015-07-24 07:09:51:838 936 bd4 Service UpdateNetworkState Ipv6,
cNetworkInterfaces = 4.
2015-07-24 07:09:59:133 936 e80 IdleTmr WU operation
(CAgentProtocolTalker::GetCookie_WithRecovery) started; operation # 178;
does use network; is at background priority
2015-07-24 07:09:59:894 936 e80 WS WARNING: Nws Failure:
errorCode=0x803d0000
2015-07-24 07:09:59:894 936 e80 WS WARNING: Fehler bei der
Kommunikation mit dem Endpunkt bei
"https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx".
2015-07-24 07:09:59:894 936 e80 WS WARNING: In der Antwort des Servers
fehlt der HTTP-Header für den Inhaltstyp.
2015-07-24 07:09:59:894 936 e80 WS WARNING: MapToSusHResult mapped Nws
error 0x803d0000 to 0x80240439
2015-07-24 07:09:59:894 936 e80 WS WARNING: Web service call failed
with hr = 80240439.
2015-07-24 07:09:59:894 936 e80 WS WARNING: Current service auth
scheme='None'.
2015-07-24 07:09:59:894 936 e80 WS WARNING: Proxy List used: '(null)',
Bypass List used: '(null)', Last Proxy used: '(null)', Last auth Schemes
used: 'None'.
2015-07-24 07:09:59:894 936 e80 WS FATAL: OnCallFailure failed with
hr=0X80240439
The german error message in the middle says "Missing Content-Type HTTP
header".
I don't see a Content-Type header when trying with curl at all, but
again the headers are vastly different between IPv4/native IPv6 on one
side and ISATAP on the other.
% sudo curl -I --interface eth0 -k
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
HTTP/1.1 400 Bad Request
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 24 Jul 2015 06:31:31 GMT
% sudo curl -4 -I --interface eth0 -k
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
HTTP/1.1 400 Bad Request
Cache-Control: private
Content-Length: 0
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Fri, 24 Jul 2015 06:31:50 GMT
% sudo curl -I --interface is0 -k
https://fe2.update.microsoft.com/v6/ClientWebService/client.asmx
HTTP/1.1 200 OK
Content-Length: 0
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Fri, 24 Jul 2015 06:32:00 GMT
I will try to reactivate my Microsoft case I had back then.
Regards,
Bernhard
More information about the ipv6-ops
mailing list