GlobalProtect connection is Failing with Error "Matching client config not found"

Created On 04/16/19 13:47 PM - Last Modified 10/08/24 20:15 PM


Symptom


  • GlobalProtect Portal authentication using a web browser is successful
  • GlobalProtect Logs display authentication to the portal and gateway as successful
  • However, GlobalProtect app connection fails with the error "Matching client config not found"
GlobalProtect Logs under Monitor tab


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) App
  • GlobalProtect Portal
  • GlobalProtect Gateway agent configuration with Active Directory (AD) group(s)


Cause


  • The username being used by the GP app is not listed in the "Source User" tab of the GP gateway agent configuration, OR
  • The username is not in the member list of the AD group(s), OR
  • The username learned through the GP app doesn't match the username format in the AD group(s)


Resolution


  1. Navigate to Network > GlobalProtect > Gateway, click the Gateway name > Agent > Client Settings > Config Selection Criteria tab.
  2. Make sure the username that the GP app is trying to use is added under "Source User".
  3. If the user is a member of an AD group, make sure the AD group is added under "Source User".
  4. If the username or AD group is already added, check the "User Domain" configuration in the Group Mapping settings and the Authentication Profile.
  • For example, say the user is trying to connect to GlobalProtect with the username gpuser.
  • If the GP gateway "Source User" is configured with an AD group, say cn=it_operations,cn=users,dc=pandomain,dc=com, check the output of the command below:
> show user group name cn=it_operations,cn=users,dc=pandomain,dc=com

source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
  • In this case, username gpuser will not match pandomain\gpuser in the AD group.
  • Configuring "User Domain" with pandomain in Authentication Profile will fix the issue.
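
The mismatch in the example above can be checked offline from saved CLI output. The following Python sketch is an added example, not Palo Alto Networks code: it parses the `show user group name` output shown in this article and compares a login name against the group members with and without a User Domain. The function names and the matching model (domain prepended when the login name has none, case-insensitive comparison) are assumptions for illustration.

```python
import re

# Output of "show user group name ..." as shown in the article.
SAMPLE_OUTPUT = r"""
source type: service
source:      AD_Group_Mapping_al.com
[1     ] pandomain\gpuser
[2     ] pandomain\alex
[3     ] pandomain\paloaltouser
"""

MEMBER_LINE = re.compile(r"^\[\s*\d+\s*\]\s+(\S.*?)\s*$")


def parse_group_members(cli_output):
    """Return the member names listed in 'show user group name' output."""
    members = []
    for line in cli_output.splitlines():
        m = MEMBER_LINE.match(line.strip())
        if m:
            members.append(m.group(1))
    return members


def effective_username(login_name, user_domain=None):
    """Model of the name compared against the group (assumption, simplified):
    a configured User Domain is prepended when the login name carries none."""
    if "\\" in login_name or not user_domain:
        return login_name
    return f"{user_domain}\\{login_name}"


def check_login(login_name, cli_output, user_domain=None):
    """Return (matched, effective_name, near_misses).
    near_misses are members whose user part equals the login name but whose
    domain prefix differs: the mismatch described in the article."""
    name = effective_username(login_name, user_domain).lower()  # case-insensitive: assumption
    members = parse_group_members(cli_output)
    matched = any(m.lower() == name for m in members)
    bare = login_name.split("\\")[-1].lower()
    near = [] if matched else [m for m in members if m.split("\\")[-1].lower() == bare]
    return matched, name, near


if __name__ == "__main__":
    for domain in (None, "pandomain"):
        print(domain, check_login("gpuser", SAMPLE_OUTPUT, domain))
```

A non-empty near-miss list with no match points to a username format problem rather than a missing group membership.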


Additional Information


Refer to "GlobalProtect is not getting the configuration when user authenticates to the portal successfully" for guidance on the same error seen with the GP Portal.
 

