Connection to GlobalProtect is Failing with Error "Matching client config not found"

Connection to GlobalProtect is Failing with Error "Matching client config not found"

238748
Created On 04/16/19 13:47 PM - Last Modified 03/22/24 20:14 PM


Symptom


  • GlobalProtect configured on the firewall
  • When logging in to GlobalProtect portal using a web browser, authentication is successful
  • System Logs display authentication to the portal and gateway as successful
  • Still, GlobalProtect client connection fails with the error "Matching client config not found"
 
System Logs
User-added image


Environment


  • GlobalProtect Gateway
  • GlobalProtect APP
  • Authentication


Cause


This issue is seen when
  • GlobalProtect is configured with User/User group and the username being used by the client is not on the list of "Config Selection Criteria" OR
  • The username is not on the member list of Active Directory Group added under User/User group.
  • Sometimes this issue is seen when the username learnt via GlobalProtect doesn't match the username format in the group-mapping table.


Resolution


  1. Navigate to Network > GlobalProtect > Gateway, click the Gateway name > AgentClient Settings > Config Selection Criteria tab.
  2. Make sure the username that the client is trying to connect is added in the User/User group.
  3. If the user is a member of an AD group, make sure the AD group is added in the User/User group.
  4. If the username or AD Group is already added, check "Domain User" config in User-ID Group Mapping settings and Authentication Profile.
  • Example: The user is trying to connect to GlobalProtect with username gpuser.
  • If the GlobalProtect gateway's User/User group is configured with an AD Group ( lets say cn=it_operations,cn=users,dc=pandomain,dc=com), check the output of below command:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
  • In this case, username gpuser will not match pandomain\gpuser in group mapping table. Configuring "User Domain" with pandomain in Authentication Profile will fix the issue.


Additional Information


For additional information, here are some article for reference:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CliyCAC
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVcCAK


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLc9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Choose Language