FortiGate
aishaqui
Article Id 240871

 

Description

This article describes how to resolve failures when importing dynamic address entries (EMS or ZTNA tags) and the error 'DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR' appears.

 

To confirm that the FortiGate is returning this error, run the following commands:

 

diag debug reset
diag debug application fcnacd -1
diag debug console time enable
diag debug enable

 

2022-11-18 10:26:06 [sys_handle_dynamic_address_update:935] Command:update (2)

2022-11-18 10:26:06 [__process_dynamic_address_entries:798] command type:2 addresses entries:6

2022-11-18 10:26:06 [__process_dynamic_address_entries:846] address after apply:

[ { "uuid": "2E27C402-6352-45E5-83DD-92E73E1395ED", "tag_properties": { "name": "ZTNA-Tag1", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "result": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" } ]

2022-11-18 10:26:06 [ec_ez_worker_process:393] Call completed with failure.

    obj-id: 11, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".

    error info: Error (-1@_tags_uuid_process_result:105). Processing API failed.
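
When the capture is long, the affected tag names can be extracted from a saved copy of this debug output. The following Python script is an added example, not Fortinet code: it rejoins the console-wrapped JSON array printed after 'address after apply:' and lists the tags whose result is the CMDB error. It assumes the capture was taken with console timestamps enabled as above; the function names and the sample capture are constructed for illustration.

```python
import json
import re

CMDB_ERROR = "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR"  # result string from this article
STAMPED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \[")

def tag_results(capture):
    """Return (timestamp, tag name, uuid, result) for every entry that
    fcnacd prints after an 'address after apply:' line."""
    lines, rows, i = capture.splitlines(), [], 0
    while i < len(lines):
        head = lines[i]
        i += 1
        if "address after apply:" not in head:
            continue
        # The JSON array runs until the next timestamped line. The console
        # wraps it mid-token ("re" / "sult"), so rejoin with no separator.
        chunk = []
        while i < len(lines) and not STAMPED.match(lines[i]):
            chunk.append(lines[i])
            i += 1
        try:
            entries, _ = json.JSONDecoder().raw_decode("".join(chunk).strip())
        except json.JSONDecodeError:
            continue  # capture was cut off inside the array
        for e in entries if isinstance(entries, list) else []:
            name = e.get("tag_properties", {}).get("name")
            rows.append((head[:19], name, e.get("uuid"), e.get("result")))
    return rows

def cmdb_error_tags(capture):
    """Names of tags the FortiGate failed to write, in first-seen order."""
    names = [n for _, n, _, r in tag_results(capture) if r == CMDB_ERROR]
    return list(dict.fromkeys(names))

# Constructed sample modelled on the output above. The UUIDs, the second tag
# and its result string are made up for the example, not real FortiOS values.
SAMPLE = '''2022-11-18 10:26:06 [__process_dynamic_address_entries:846] address after apply:

[ { "uuid": "00000000-0000-0000-0000-000000000001", "tag_properties": { "name": "ZTNA-Tag1", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "re

sult": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" }, { "uuid": "00000000-0000-0000-0000-000000000002", "tag_properties": { "name": "ZTNA-Tag2", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "result": "PLACEHOLDER_OTHER_RESULT" } ]

2022-11-18 10:26:06 [ec_ez_worker_process:393] Call completed with failure.
'''

if __name__ == "__main__":
    for tag in cmdb_error_tags(SAMPLE):
        print("import failed with CMDB error:", tag)
```

The names it returns are the ones to compare against existing address objects when checking the causes listed under Solution.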

Scope

FortiGate v7.0, v7.2+.

Solution

Possible causes of this issue are listed below.

 

  1. Catastrophic configuration failure on the FortiGate: to confirm this, try to create an FQDN- or subnet-based address object on the FortiGate.
  2. The FortiGate already has the maximum number of addresses. In that case, delete unused address objects from the FortiGate.
  3. An address object with the same name as the ZTNA tag to be imported already exists and is referenced in the FortiGate configuration, for example in a firewall policy. In that case, rename the referenced address object or change the name of the ZTNA/EMS tag.

 

If the issue persists, create a support ticket with Fortinet TAC and provide the output of the following commands:

 

diag debug reset
diag debug application fcnacd -1
diag debug console time enable
diag debug enable

 

To disable debugging:

 

diag debug disable