Connection to GlobalProtect is Failing with Error "Matching client config not found"

Created On 04/16/19 13:47 PM - Last Modified 03/22/24 20:14 PM


Symptom


  • GlobalProtect configured on the firewall
  • When logging in to GlobalProtect portal using a web browser, authentication is successful
  • System Logs display authentication to the portal and gateway as successful
  • Still, GlobalProtect client connection fails with the error "Matching client config not found"
 
(Screenshot: System Logs)


Environment


  • GlobalProtect Gateway
  • GlobalProtect APP
  • Authentication


Cause


This issue is seen when:
  • GlobalProtect is configured with User/User group and the username used by the client is not in the "Config Selection Criteria" list, OR
  • The username is not a member of the Active Directory group added under User/User group.
  • In some cases, the username learned via GlobalProtect does not match the username format in the group-mapping table.


Resolution


  1. Navigate to Network > GlobalProtect > Gateway, click the Gateway name > Agent > Client Settings > Config Selection Criteria tab.
  2. Make sure the username the client is connecting with is added in the User/User group.
  3. If the user is a member of an AD group, make sure the AD group is added in the User/User group.
  4. If the username or AD group is already added, check the "User Domain" configuration in the User-ID Group Mapping settings and in the Authentication Profile.
  • Example: The user is trying to connect to GlobalProtect with the username gpuser.
  • If the GlobalProtect gateway's User/User group is configured with an AD group (for example, cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of the following command:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
  • In this case, the username gpuser does not match pandomain\gpuser in the group-mapping table. Configuring "User Domain" with pandomain in the Authentication Profile fixes the issue.
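
The format check from the example above can be scripted when many users are affected. The following is an added example, not Palo Alto Networks code: it parses the "show user group name" output shown above and reports whether a login name matches a group member. The function names, the case-insensitive comparison, and the way "User Domain" is prepended are assumptions made for illustration.

```python
import re

# Constructed sample: the "show user group name <group DN>" output shown above.
SAMPLE_OUTPUT = r"""
source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
"""

# Member lines look like "[1     ] pandomain\gpuser".
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S.*?)\s*$")


def parse_group_members(cli_output):
    """Return the member names listed in 'show user group name' output."""
    members = []
    for line in cli_output.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.group(1))
    return members


def effective_username(login_name, user_domain=""):
    """Assumed model: the Authentication Profile's User Domain is prepended
    as domain\\user when the login name carries no domain of its own."""
    if user_domain and "\\" not in login_name:
        return f"{user_domain}\\{login_name}"
    return login_name


def diagnose(login_name, cli_output, user_domain=""):
    """Return 'match', 'format-mismatch' or 'not-a-member' for a login name."""
    members = [m.lower() for m in parse_group_members(cli_output)]
    name = effective_username(login_name, user_domain).lower()
    if name in members:  # assumption: comparison ignores case
        return "match"
    # Same short name under a different (or missing) domain prefix.
    short = name.split("\\")[-1]
    if any(m.split("\\")[-1] == short for m in members):
        return "format-mismatch"
    return "not-a-member"
```

A "format-mismatch" result corresponds to the gpuser case in this article; "not-a-member" points back to steps 2 and 3.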


Additional Information


For additional information, see the following articles:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliyCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK

