Again, thanks to everyone for the help. I seem to be getting questions asked regarding items I already mentioned, so let me summarize them again in hopes this helps.
1. SEPMs are all MR4-MP2 (11.0.4202)
2. Clients are a mixture of 11.0.2020, 11.0.4202 and a couple RU5 that we are testing. The log entry "The client has downloaded the content" are showing up for all three versions and isn't necesssarily showing up at the time when the client downloaded defintions.
3. We only download definitions once a day (4am) and I keep 10 revisions of definitions on the SEPM
4. I GUPs local in each office using the same Live Update policy as the clients. When running netstat -abn on a GUP it shows smc.exe listening on the proper port. I also have tons of contect updates (as expected) in the SharedUpdates folder on the GUP
5. I have no installation packages attached to any group
My first step is to see WHAT is causing the traffic. Definitions make the most sense if they are being pulled from the SEPM instead of the local GUP, but I need a way to determine if this is the case and then go from there. I do know that MR2 clients will by-pass a GUP if they cannot connect to it, which may be causing some of my problems but I need a way to determine if that is what is happening.
Basically I want to determine what is causing the traffic instead of assuming it is definitions. Is there a way on the SEPM to see if a machine is downloading definitions from it SEPM instead of the GUP? Anything in the logs I can use or something I can look for. I have WireShark on the SEPM but there is a ton of traffic (as expected) so trying to determine what is definition traffic versus just normal traffic from a client checking-in is difficult.
Thanks,
Jeff