Why must you synchronize with another WSUS server or Microsoft Update?

Our WSUS environment consists of one main WSUS server at our main location that's syncing from Microsoft, and two downstream replica servers that are syncing from the main server over site-to-site VPN.  One of the downstream servers stores the update files locally and clients download the files from the server, but the other downstream server's clients download the files straight from Microsoft (don't have enough extra disk space at that location).  Both downstream servers sync from the upstream server once per day, one at 3 AM and one at 4 AM.

For some reason that I have as of yet been unable to figure out, one of the downstream servers stopped being able to successfully sync with the upstream server sometime between 4 AM and 4:54 PM on April 12.  The scheduled sync at 4 AM was successful, but then I did a manual sync at 4:54 PM to grab the Patch Tuesday updates, and that sync was unsuccessful.  Every sync since then, both scheduled and manual syncs while I've been troubleshooting, has failed.  I have restarted both the upstream and downstream servers, I have reset IIS on both servers, and I have also tried disabling the Windows firewall on both servers.  I have confirmed that the downstream server can ping the upstream server, both via IP address and DNS name, and I have also changed the downstream server to sync from the upstream's IP address instead of the DNS name.  I have also restarted the "Windows Update" and "WSUS Service" services on both servers.  Nothing has worked so far.

The part that's got me quite confused is that the error message from the WSUS console suggests that it's a network/connection issue on the upstream server's end, but the other downstream server has had no issues syncing.  I did install the April updates (KB5012123 and KB5012604 on the downstream servers and KB5012328 and KB5012647 on the upstream server), but all three of them say they were installed on the 13th, which was after the syncing errors started occurring.  The downstream servers are both Server 2022 and the upstream is 2019.  The full error message from the WSUS console is below. Event Viewer wasn't very helpful; the only error messages I could find just said "The last catalog synchronization was unsuccessful" with no other info.  The Event ID for all those events is 10022 if that's helpful.
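The checks described in the post above can be collected in one pass on the failing downstream server. This is an added example, not part of the original post: it uses the UpdateServices module that ships with the WSUS role, tests the TCP port the sync uses (a ping only proves ICMP reachability), and pulls the full error text of the last sync together with the 10022 events.

```powershell
# Added example: run in an elevated session on the failing downstream (replica) server.
Import-Module UpdateServices

$wsus   = Get-WsusServer            # the local WSUS instance
$config = $wsus.GetConfiguration()
$sub    = $wsus.GetSubscription()

# 1. Which upstream is this server actually configured to sync from?
[pscustomobject]@{
    Upstream  = $config.UpstreamWsusServerName
    Port      = $config.UpstreamWsusServerPortNumber
    UseSsl    = $config.UpstreamWsusServerUseSsl
    IsReplica = $config.IsReplicaServer
} | Format-List

# 2. Test the TCP port the sync uses, over the same path (VPN) as the sync itself.
$tcp = Test-NetConnection -ComputerName $config.UpstreamWsusServerName `
                          -Port $config.UpstreamWsusServerPortNumber
"TCP connection to upstream succeeded: $($tcp.TcpTestSucceeded)"

# 3. Result and full error text of the most recent synchronization.
$sub.GetLastSynchronizationInfo() |
    Format-List StartTime, EndTime, Result, Error, ErrorText

# 4. Recent history, to pin down when the first failure occurred.
$sub.GetSynchronizationHistory() |
    Sort-Object StartTime -Descending |
    Select-Object -First 10 StartTime, EndTime, Result, Error |
    Format-Table -AutoSize

# 5. The "last catalog synchronization was unsuccessful" events (ID 10022).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 10022 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, ProviderName, Message
```

Running the same script on the downstream server that still syncs gives a baseline to compare the configuration and TCP result against.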

If you have selected Use Administration Server as WSUS server in the Update management settings window of the Quick Start Wizard, the Windows Update synchronization task is created automatically. You can run the task in the Tasks folder. The functionality of a Microsoft software update is only available after the Perform Windows Update synchronization task is successfully completed.

The Perform Windows Update synchronization task only downloads metadata from Microsoft servers. If the network does not use a WSUS server, each client device downloads Microsoft updates from external servers independently.

To create a task for synchronizing Windows Updates with Administration Server:

  1. In the Advanced → Application management folder in the console tree, select the Software updates subfolder.
  2. Click the Additional actions button and select Configure Windows Update synchronization in the drop-down list.

    The Wizard creates the Perform Windows Update synchronization task displayed in the Tasks folder.

    The Windows Update Center Data Retrieval Task Creation Wizard starts. Follow the instructions of the Wizard.

You can also create the Windows Update synchronization task in the Tasks folder by clicking Create a task.

Microsoft regularly deletes outdated updates from the company's servers so the number of current updates is always between 200 000 and 300 000. In Kaspersky Security Center 10 Service Pack 2 Maintenance Release 1 and earlier versions, all updates were retained: no outdated updates were deleted. As a result, the database continuously grew in size. To reduce disk space usage and database size, deletion of outdated updates that are no longer present on Microsoft update servers has been implemented in Kaspersky Security Center 10 Service Pack 3.

When running the Perform Windows Update synchronization task, the application receives a list of current updates from a Microsoft update server. Next, Kaspersky Security Center compiles a list of updates that have become outdated. At the next start of the Find vulnerabilities and required updates task, Kaspersky Security Center flags all outdated updates and sets the deletion time for them. At the next start of the Perform Windows Update synchronization task, all updates flagged for deletion 30 days ago are deleted. Kaspersky Security Center also checks for outdated updates that were flagged for deletion more than 180 days ago, and then deletes those older updates.

When the Perform Windows Update synchronization task completes and outdated updates are deleted, the database may still have the hash codes pertaining to the files of deleted updates, as well as the corresponding files under %AllUsersProfile%\Application Data\KasperskyLab\adminkit\1093\.working\wusfiles (if they were downloaded earlier). You can run the Administration Server maintenance task to delete these outdated records from the database and the corresponding files.

What is the purpose of Windows Server Update Services (WSUS)?

WSUS definition: it helps distribute updates, fixes, and other types of releases available from Microsoft Update. You can use WSUS to reliably and securely manage, distribute, and install updates for Microsoft products in an organization's IT network.

Can I have 2 WSUS servers?

Multiple independent WSUS servers: administrators can deploy multiple servers that are configured so that each server is managed independently and so that each server synchronizes its content from Microsoft Update, as shown in the following figure.

What are some benefits of using WSUS to manage Windows updates?

Advantages of WSUS include:

- Manage dozens/hundreds of computers simultaneously.
- Save on network bandwidth usage by only downloading updates once.
- The many additional reporting and control features outlined above.

What are the 4 stages of the WSUS update management process?

To determine the tasks necessary to deploy updates into production, plan the update releases, build the releases, and then conduct acceptance testing of the releases.