Patches stuck on Pending Downloads

(imported topic written by KeyInfo)

I'm trying out deploying some Windows patches for the first time on 5 computers running XP, 7 and 2008 and all of them are stuck on Pending Downloads and won't finish the action. Some of them are stuck on the same patch while others on different patches. I've tried to reboot some of them to see if it moved things along but no go. What does it take to get past this and also assure it doesn't happen again?

(imported comment written by WeylanWang)

For content that you are “stuck” in pending download.

This can be for a number of reasons. And can be quite complex.

What pending download means is that the agent has reported that the agent does not have the download. The agent has asked the parent for the download, but the agent does not have the download yet.

So there are a number of reasons for the download to not be available.

It could be relay related.

It could be server related.

It could be internet source related.

You can diagnose this top down or bottom up.

If you diagnose this bottom up, you start at the agent and you check each relay till you get to the internet for the file.

You check the agent. Does the agent have the file?

Then you check the relay. Does the relay have the file?

Then you check the parent of the relay. Does that relay have the file? … Until you get to the server.

Then you check to see if the server has the file. If the server does not have the file.

You check the server can get the file from the internet.

If you are checking this top down, you first check if you can get the file from the internet.

Then you check to see if the file is on the server.

Then you check the relays.

Then you check the agent if it is getting notification that the file is available from the relay. And that the agent can get the file.

You can check the relay or the server has the file by checking the download status page on the server or the relays. By using this URL:

Download status

http://127.0.0.1:52311/cgi-bin/bfenterprise/besmirrorrequest.exe

Given this page, you can see it refers to the “loopback”. But you can substitute the TEM server, or the relay address. Once you know where to look for the downloads, and you know the action ID, you can find the action ID and see if for the action ID the download is ready.

You can also go to the server/relays and check to see if the file is in the SHA1 directory.

C:\Program Files\BigFix Enterprise\BES Server\wwwrootbes\bfmirror\downloads\sha1

The SHA1 directory: if you look at the action script for the action, you should see a line that refers to the

prefetch …

This line lists the SHA1 and the SHA256 value for the download, and you should be able to find a file in the directory for the download.

If all of this is true, then the agent should have the download.

Otherwise you need to look in the agent log file to see other reasons the file might not be there.

As a reminder, some patches have issues with downloads from the vendor (Microsoft, Adobe, …) The file we refer to in the Fixlet changes. If this happens, you can have the pending download if the vendor removes the file. This is because the Fixlet in the current state will refer to the file as a snapshot in time when you made the action and deployed the file. If this is the case then if the file ever gets cleared from the cache, the file will not be available. And you may have to deploy the Fixlet again with the new SHA1.

As a reminder some Microsoft patches require manual downloading of the files. It depends on the Patch. In the Fixlet we document if the patch must be downloaded manually. PLEASE check the description of Fixlet for notes of if the patch must be downloaded manually.

Please post some more if you need more help with this. But while this seems like a simple thing it is pretty complicated and a lot of places to check for problems.

2 Likes

(imported comment written by KeyInfo)

I don't see the example patch I was looking for in the Download Status Report or in the sha1 folder. Where do I see if it has to be downloaded manually?

(imported comment written by WeylanWang)

There are 2 parts to this.

If you look at the original multi action group, you will see the action ID. Usually a 00-1111 number.

This is the action ID.

You should be able to find it by that.

BUT you have a different problem. The patch you are trying to deploy, if you look at the original description, says “manual downloading required”.

See this KB article:

http://www-01.ibm.com/support/docview.wss?uid=swg21506080

(imported comment written by KeyInfo)

Is there a way to skip this patch and let the rest finish or do I need to cancel and then exclude that one?

(imported comment written by KeyInfo)

I found this article

http://www-01.ibm.com/support/docview.wss?uid=swg21506080

And downloaded the patch and renamed it to match the sha1 value. The only thing I'm not sure about is that I don't have a sha256 folder which is what the value says for the Action Info page from my attachment. I only have the sha1 folder.

So I made the sha256 folder and put it in there but I don't know if that's the right thing to do.

(imported comment written by WeylanWang)

The bottom line for this, the SHA256 is used for security.

The files go in the SHA1 folder. Named with the SHA1 file name when done manually.

The files will be validated using the sha256.

The files being searched for will be IN the SHA1 folder.

The file name will be the SHA1 file name listed in the prefetch statement. NOT the SHA256.

And not in a SHA256 directory. Please delete that.
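The manual-download rule from the reply above (the file goes in the sha1 folder, named with the SHA1 from the prefetch statement, and is validated with the SHA256), as an added example that is not part of the original thread and not BigFix's own code. The prefetch line layout in the regex, the function names and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed prefetch layout: prefetch <name> sha1:<hex> size:<bytes> <url> sha256:<hex>
PREFETCH_RE = re.compile(
    r"prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+size:(?P<size>\d+)"
    r"\s+(?P<url>\S+)(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?\s*$"
)

def parse_prefetch(line):
    """Extract the expected SHA1, size and (optional) SHA256 from a prefetch line."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised prefetch line")
    return {"sha1": m["sha1"].lower(), "size": int(m["size"]),
            "sha256": m["sha256"].lower() if m["sha256"] else None}

def digest_file(path):
    """Hash the file once, in chunks, returning (sha1, sha256, size)."""
    sha1, sha256, size = hashlib.sha1(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return sha1.hexdigest(), sha256.hexdigest(), size

def check_manual_download(prefetch_line, downloaded, sha1_dir):
    """Return (cache_path, problems); copy the file only if problems is empty."""
    want = parse_prefetch(prefetch_line)
    sha1, sha256, size = digest_file(downloaded)
    problems = []
    if size != want["size"]:
        problems.append(f"size {size} != {want['size']}")
    if sha1 != want["sha1"]:
        problems.append("sha1 mismatch")
    if want["sha256"] and sha256 != want["sha256"]:
        problems.append("sha256 mismatch")
    # Cached under the SHA1 value as the file name, in the sha1 folder.
    return Path(sha1_dir) / want["sha1"], problems

if __name__ == "__main__":
    data = b"constructed sample bytes standing in for a patch file"
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "patch.exe"
        sample.write_bytes(data)
        line = (f"prefetch patch.exe sha1:{hashlib.sha1(data).hexdigest()} size:{len(data)} "
                f"http://example.invalid/patch.exe sha256:{hashlib.sha256(data).hexdigest()}")
        print(check_manual_download(line, sample, Path(tmp) / "sha1"))
```

A non-empty problems list means the downloaded file is not the one the action was built against, so it should not be copied into the cache.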

(imported comment written by KeyInfo)

My action is expired so I guess I need to set it up again?

I was told there is a way to have patches installed in a way so there will only be one reboot. In other words I have noticed that some will get installed and there will be a reboot required before the rest can be installed. Is there a document somewhere I can reference to see how to set that up?

(imported comment written by GreenEagleLeader)

See the following two articles regarding Pending Restart needed:

How do you know if the “Pending Restart” status is triggered by a TEM action?

http://www-01.ibm.com/support/docview.wss?uid=swg21506042

and,

Determining if a restart is needed

http://www-01.ibm.com/support/docview.wss?uid=swg21506002

(imported comment written by KeyInfo)

I was also wondering if there is a way to block patches from certain servers so they don’t show up in the list of patches? So if a server doesn’t need an available patch we can “block” it from that particular server so it won't show up anymore.

(imported comment written by GreenEagleLeader)

No, this cannot be done with anything out of the box. There is not a way to add any sort of exclusion to a computer needing a patch in order to change the display/report that it is relevant and needed within the console or Web Reports. If the patch Fixlet is relevant then the computer will report that it needs that patch and is relevant for it.

(imported comment written by jgstew)

You could “block” a server from being relevant to all patches, but not a particular patch… you would just remove that server from the computer subscriptions of the patching site.

(imported comment written by KeyInfo)

Actually, how do you relate the patch on the download report to the action description to see if it's there?

(imported comment written by WeylanWang)

I see that you have lots of the SWDprotocol entries as failures.

Are there any custom packages you have that work?

If not, it means that the SOFTWARE DISTRIBUTION DASHBOARD is not set up correctly or that the TEM plugin service isn’t installed correctly.

The major problem with the plugin is usually the service is not running with rights to the database. If you change that it usually then starts to work.

(imported comment written by KeyInfo)

I have done a 3rd party software deployment that worked. We didn't have some of the features activated at first but I worked with a BigFix rep and he got us going.

Where would I check for the plugin?

(imported comment written by Diadem)

I’m having the same issue too.

Patching has been happening ok till 2 weeks ago when all the patch actions started reporting pending downloads. If I try downloading the same patch from the browser it is downloading ok but from the console it fails. Not sure what went wrong since no changes have been carried on in the server lately which could have affected.

I’ll appreciate your quick assistance…stuck at the customer site.

(imported comment written by WeylanWang)

Diadem,

Can you check my first reply? This will completely apply to you and working the same way we can try to solve this.

I need more information.

(imported comment written by Diadem)

Hi Weylan,

Thanks for your response. The patch status shows pending downloads, but when you drill down in the descriptions, the download shows failed with an “unexpected HTTP response:502” error.

Hi Sir,

I need your mail id to learn fixlet making, so kindly share your personal or official id.

My mail id :
Personal id :

Regards
Vicky

Vikki, I don’t think you should post your email address on the forum to avoid getting a lot of spam email. Instead, try sending a private message by clicking on someone’s username and clicking the ‘Private Message’ button.

1 Like