The catalogs don’t seem to point at the root server, they point at the SUA server.
You can check the root server cache and see if a copy of the catalogs are already there. It should be in a file with a matching SHA1 or SHA256 file name. If they are already on the root server, then this suggests to me that the clients are all trying to download the file directly from the SUA server that they cannot reach in all cases, which is causing the issue.
If the catalogs are not already on the root server, then they could be added the same way JAVA updates are manually cached. If the catalogs are not already on the root server, then it STILL may be the case that the clients are trying to download them directly from SUA and this is why it is failing.
You may need to check the endpoints that are failing and see if they are set to download files directly from the internet instead of going through their parent relay.