Posted in VMware

πŸ› οΈ VMware – vLCM & ESXi Patching Failures – HTTP 403 Error & How I Fixed It

   Published Date: February 4, 2026  Leave a Comment on πŸ› οΈ VMware – vLCM & ESXi Patching Failures – HTTP 403 Error & How I Fixed It

πŸ“… Updated: January 27, 2026
πŸ†” Article Reference: 390121
🎯 Applies to:

VMware vSphere ESXi 7.x / 8.x
VMware vCenter Server 7.x / 8.x
VMware SDDC Manager

🚨 The Issue: Patch Downloads Failing with HTTP Error 403

While patching ESXi hosts via vCenter Lifecycle Manager (vLCM), I ran into this frustrating error:

A general system error occurred: Failed to download VIB(s)
Error: HTTP Error Code: 403

Despite vLCM reporting β€œEnabled: Yes” under Settings β†’ Patch Setup, the Connection Status stayed stuck at “Not Connected” or “Validating”.

Log traces from /var/log/vmware/vmware-updatemgr/… clearly showed:

Download failed, HTTP Error Code: 403
Downloading file failed, 0 byte downloaded.

🧠 The Root Cause

Broadcom recently changed how VMware distributes updates. The old public URLs (like https://hostupdate.vmware.com/…) are deprecated.

Now, each customer must use a tokenized, authenticated URL, unique to their Broadcom account. If your vLCM still tries to reach the old URLs or expired tokens, you’ll get 403 errors.

βœ… The Fix: Use Tokenized URLs from Broadcom

Here’s the step-by-step that worked for me:

πŸ”‘ Step 1: Get Your Download Token

Log into the Broadcom Support Portal
and retrieve your authenticated download token.

🧹 Step 2: Disable Default Repositories

In the vSphere Client:

Go to Lifecycle Manager > Settings > Patch Setup

Click Disable next to each default repo (they can’t be deleted).

πŸ” If you’re using vCenter < 8.0 U1, you must reset the Update Manager DB before adding new URLs. βž• Step 3: Add the New URLs (Replace )
https://dl.broadcom.com//PROD/COMP/ESX_HOST/main/vmw-depot-index.xml
https://dl.broadcom.com//PROD/COMP/ESX_HOST/addon-main/vmw-depot-index.xml
https://dl.broadcom.com//PROD/COMP/ESX_HOST/iovp-main/vmw-depot-index.xml
https://dl.broadcom.com//PROD/COMP/ESX_HOST/vmtools-main/vmw-depot-index.xml

πŸ”„ Step 4: Restart Update Manager Service

SSH into the vCenter Server and run:

service-control –restart vmware-updatemgr

πŸ”ƒ Step 5: Sync Updates

Go back to vSphere Client β†’ Lifecycle Manager β†’ ACTIONS β†’ Updates β†’ Sync Updates.
Wait until sync completes before applying any patches.

🧹 Still Seeing Old URLs or Tokens?

If you’re still getting errors referencing:

hostupdate.vmware.com

An old or expired token

You must reset the Update Manager DB. Use the VMware KB:
➑️ β€œResetting the VMware Update Manager Database”

πŸ“Œ Final Notes

Don’t leave old URLs enabled – they cause patch jobs to fail.

Tokens expire or may get regenerated – always use the latest one.

This issue affects both vLCM and VUM (vCenter Update Manager).

πŸ’¬ Did this help you out? Share your experience in the comments or drop a question β€” I’m happy to help fellow VMware admins stay sane through Broadcom’s changes!

πŸ”— Need a quick reference? Bookmark this post.

Author: Michael

Leave a Reply

Your email address will not be published. Required fields are marked *