aishaqui
Article Id 240871

 

Description

This article describes how to resolve failures when importing dynamic address entries (EMS or ZTNA tags) where the error 'DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR' appears.

 

To confirm that the FortiGate is returning this error, run the commands below:

 

# diag debug reset
# diag debug disable
# diag debug application fcnacd -1
# diag debug console time enable
# diag debug enable

 

2022-11-18 10:26:06 [sys_handle_dynamic_address_update:935] Command:update (2)

2022-11-18 10:26:06 [__process_dynamic_address_entries:798] command type:2 addresses entries:6

2022-11-18 10:26:06 [__process_dynamic_address_entries:846] address after apply:

[ { "uuid": "2E27C402-6352-45E5-83DD-92E73E1395ED", "tag_properties": { "name": "ZTNA-Tag1", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "result": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" } ]

2022-11-18 10:26:06 [ec_ez_worker_process:393] Call completed with failure.

    obj-id: 11, desc: "REST API to get updates of tag endpoints.", entry: "api/v1/report/fct/tags".

    error info: Error (-1@_tags_uuid_process_result:105). Processing API failed.
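
When many tags are synchronized, the failing ones can be pulled out of a saved capture of this debug output with a small script. The following is an added example, not part of the original article or any Fortinet tool: the function name `failed_tags` is hypothetical, and the sample text is constructed from the output above, including the console wrap that splits the "result" key.

```python
import json
import re

# Constructed sample modelled on the debug output in this article; the JSON
# line is split mid-key ("re" / "sult") the way the console wrapped it.
SAMPLE = """\
2022-11-18 10:26:06 [sys_handle_dynamic_address_update:935] Command:update (2)
2022-11-18 10:26:06 [__process_dynamic_address_entries:798] command type:2 addresses entries:6
2022-11-18 10:26:06 [__process_dynamic_address_entries:846] address after apply:
[ { "uuid": "2E27C402-6352-45E5-83DD-92E73E1395ED", "tag_properties": { "name": "ZTNA-Tag1", "type": "zero_trust" }, "type": "ipblock", "values": [ ], "re
sult": "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR" } ]
2022-11-18 10:26:06 [ec_ez_worker_process:393] Call completed with failure.
"""

TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
MARKER = "address after apply:"
CMDB_ERROR = "DYNAMIC_ADDRESS_UPDATE_RETVAL_CMDB_ERROR"


def failed_tags(debug_text, result=CMDB_ERROR):
    """Return one dict per tag whose update ended with `result`."""
    lines = debug_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if not (TIMESTAMP.match(line) and line.rstrip().endswith(MARKER)):
            continue
        # The JSON payload runs until the next timestamped line; rejoin the
        # wrapped fragments without a separator so split tokens are restored.
        body = []
        for nxt in lines[i + 1:]:
            if TIMESTAMP.match(nxt):
                break
            body.append(nxt)
        payload = "".join(body)
        try:
            entries, _ = json.JSONDecoder().raw_decode(payload[payload.index("["):])
        except ValueError:  # no array found, or capture truncated mid-payload
            continue
        for e in entries:
            if isinstance(e, dict) and e.get("result") == result:
                props = e.get("tag_properties") or {}
                found.append({"time": line[:19], "name": props.get("name"),
                              "tag_type": props.get("type"), "uuid": e.get("uuid")})
    return found


if __name__ == "__main__":
    for tag in failed_tags(SAMPLE):
        print(tag)
```

The tag names it returns are the ones to check against the causes listed under Solution.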

Scope

FortiGate 7.0, 7.2 +

Solution

Below are a few possibilities for this issue.

 

A) Catastrophic configuration failure on FortiGate.

To confirm this, try to create an FQDN- or subnet-based address object on the FortiGate.

 

B) The FortiGate has the maximum number of addresses already.

In such cases, delete unused address objects from the FortiGate.

 

C) An address object with the same name as the ZTNA tag to be imported already exists and is referenced in the FortiGate configuration, for example in a firewall policy.

In such a case, rename the referenced address object or change the name of the ZTNA/EMS tag.

 

If the issue still persists, create a support ticket with Fortinet TAC and provide the output of the commands below:

 

# diag debug reset
# diag debug disable
# diag debug application fcnacd -1
# diag debug console time enable
# diag debug enable

 
