Fortinet Community

This article describes how to resolve issues when trying to import the dynamic address entries (EMS or ZTNA tags) when error 'DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR' appears.

To confirm if the FortiGateis giving this error, run below commands:

# diag debug reset
# diag debug disable
# diag debug application fcnacd -1
# diag debug console time enable
# diag debug enable

2022-11-18 10:26:06 [sys_handle_dynamic_address_update:935] Command:update (2)

2022-11-18 10:26:06 [__process_dynamic_address_entries:798] command type:2 addresses entries:6

2022-11-18 10:26:06 [__process_dynamic_address_entries:846] address after apply:

[ { "uuid": "2E27C402-6352-45E5-83DD-92E73E1395ED", "tag_properties": { "name": "ZTNA-Tag1", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "re

sult": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" } ]

2022-11-18 10:26:06 [ec_ez_worker_process:393] Call completed with failure.

    obj-id: 11, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".

    error info: Error (-1@_tags_uuid_process_result:105). Processing API failed.

FortiGate 7.0, 7.2 +

Below are a few possibilities for this issue.

A) Catastrophic configuration failure on FortiGate.

To confirm this, try to create fqdn/subnet based address object on the FortiGate.

B) The FortiGate has the maximum number of addresses already.

In such cases, delete un-used address objects from the FortiGate.

C) There is already an address object configured with the same name as to be imported ZTNA tag and referenced in FortiGate configuration for example in the firewall policy.

In such case rename the referenced address object or change the name of ZTNA/EMS tag

Is still issue persists, create a support ticket with Fortinet TAC and provide the output of below commands:

# diag debug reset
# diag debug disable
# diag debug application fcnacd -1
# diag debug console time enable
# diag debug enable