
Matching client config not found #96

Closed
aallrd opened this issue Sep 24, 2021 · 5 comments

Comments

@aallrd
Contributor

aallrd commented Sep 24, 2021

Hello,

Thank you for this application that is already a lot nicer than the official Palo Alto GlobalProtect client on Linux.

I am trying to connect to our GlobalProtect gateway using a SAML authentication but so far I am unable to make it work.
I have installed the client on my Fedora Workstation 34 using the project's documentation and it worked without a glitch.
The first time I clicked on Connect I had my company authentication webpage prompting me for my username/password but then it stayed in status Not Connected.
Clicking on Connect after that shows Authenticating... then it brings out a pop-up that closes very fast and Not Connected again.

Here are the logs (redacted with GATEWAY, USERNAME and COMPANY):

2021-09-24 12:38:58.491 INFO  [77505] [GPClient::doConnect@245] Start connecting...
2021-09-24 12:38:58.492 INFO  [77505] [GPClient::doConnect@261] Start gateway login using the previously saved gateway...
2021-09-24 12:38:58.492 INFO  [77505] [GPClient::gatewayLogin@356] Performing gateway login...
2021-09-24 12:38:58.499 INFO  [77505] [GatewayAuthenticator::authenticate@30] Start gateway authentication...
2021-09-24 12:38:58.499 INFO  [77505] [GatewayAuthenticator::login@42] Trying to login the gateway at https://GATEWAY/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=fedora&ok=Login&direct=yes&clientVer=4100&os-version=Fedora 34 %28Workstation Edition%29&clientos=Windows&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2021-09-24 12:38:58.731 ERROR [77505] [GatewayAuthenticator::onLoginFinished@54] Failed to login the gateway at https://GATEWAY/ssl-vpn/login.esp, Error transferring https://GATEWAY/ssl-vpn/login.esp - server replied: Custom error
2021-09-24 12:38:58.731 INFO  [77505] [GatewayAuthenticator::doAuth@75] Perform the gateway prelogin at https://GATEWAY/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Windows
2021-09-24 12:38:58.767 INFO  [77505] [GatewayAuthenticator::onPreloginFinished@92] Gateway prelogin succeeded.
2021-09-24 12:38:58.768 INFO  [77505] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-09-24 12:38:58.768 INFO  [77505] [GatewayAuthenticator::samlAuth@151] Trying to perform SAML login with saml-method REDIRECT
2021-09-24 12:38:58.921 INFO  [77505] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/saml2?SAMLRequest=lZJNT8MwDIb%2FSpV7mpBm%2FYjWSmU7MGmIaS0cuKA0zbZITTKSFO3ns24g4DKJo%2BXXj%2B3XnnuuhyOrx3AwW%2Fk%2BSh%2Bikx6MZ5dECUZnmOVeeWa4lp4FwZr6cc1IjNnR2WCFHUBUey9dUNYsrPGjlq6R7kMJ%2Bbxdl%2BAQwtEzhPaD7fgwFUkRoD7FenTyFAurGaUJmrAEo2aD6kUDouV5FGX4BP1BDHavTKyVcNbbXbBmUEZOBFTwPCmyDENZ7ASkWZLBAs8ETDK8S2cdloRQNO1EQLRaluANp6LLOE1x1mPR9xLjHEuaFjnlXc5n3Vnm%2FShXxgduQgkIJncQF5DQFhcsyRlNX0G0%2BbLgXplemf1tv7qryLOHtt3AzVPTguhFOn9Z8SwA1XyakF0au193uI3l3%2BaD6r9Wz9GvhtU1%2BvsN1Sc%3D&RelayState=W8YUAEXKg2AwMWZjNDkwYWE3OWQ1ODVhMmZkZTM5OTM4M2JhNzY3MA%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=BnMm6GmzLd%2F5UCOp4CipP2XkEbQdlDEwqEih0Pzdul9rpx1QU1QSAtqxCmHOPcIEqooZ3%2F%2F1ywqXL2ZPnKMph8JesyTDJY4lql24sz7EKwVOvlAdbKU%2By9q6BL22yCvCmvXgGxaU9dX0067h6sM0TsVbeRml5cM8LJxp6DXLPMVmBzSDhkQCeredSU%2FE4smwbrGGQmR9voM0scK3CRe0RI3KdZ4kk%2BG11h6bZ3d1n0oINdD75sfPnTtbfOmnVwcCLWlu7JaBZmi%2B4dJAsnwItVJ%2BKPa2vidoTdUDgXun4iORaxbTpMegWWB53AM8QLcZQHJ1rbGrrSIKuel%2FxPI5gQ%3D%3D
2021-09-24 12:38:59.098 INFO  [77505] [SAMLLoginWindow::onResponseReceived@64] Response received from https://GATEWAY/SAML20/SP/ACS
2021-09-24 12:38:59.098 INFO  [77505] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers USERNAME
2021-09-24 12:38:59.098 INFO  [77505] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers ftsAG7gL8BygmaYfGaaPDvU0oh4ssVEZGJVpnvGzBw+Vz1SXUlxVzSCr7yWILHI7
2021-09-24 12:38:59.098 INFO  [77505] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: USERNAME, preloginCookie: ftsAG7gL8BygmaYfGaaPDvU0oh4ssVEZGJVpnvGzBw+Vz1SXUlxVzSCr7yWILHI7, userAuthCookie: 
2021-09-24 12:38:59.098 INFO  [77505] [GatewayAuthenticator::onSAMLLoginSuccess@165] SAML login succeeded, got the prelogin-cookie ftsAG7gL8BygmaYfGaaPDvU0oh4ssVEZGJVpnvGzBw+Vz1SXUlxVzSCr7yWILHI7
2021-09-24 12:38:59.098 INFO  [77505] [GatewayAuthenticator::login@42] Trying to login the gateway at https://GATEWAY/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&passwd=&computer=fedora&ok=Login&direct=yes&clientVer=4100&os-version=Fedora 34 %28Workstation Edition%29&clientos=Windows&portal-prelogonuserauthcookie=&ipv6-support=yes&user=USERNAME&prelogin-cookie=ftsAG7gL8BygmaYfGaaPDvU0oh4ssVEZGJVpnvGzBw%2BVz1SXUlxVzSCr7yWILHI7&portal-userauthcookie=
2021-09-24 12:38:59.118 INFO  [77505] [SAMLLoginWindow::onLoadFinished@98] Load finished https://GATEWAY/SAML20/SP/ACS
2021-09-24 12:38:59.363 INFO  [77505] [gpclient::helper::parseGatewayResponse@51] Start parsing the gateway response...
2021-09-24 12:38:59.363 INFO  [77505] [gpclient::helper::parseGatewayResponse@52] The gateway response is: <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>96e9f5e2553d68982662477473fd8571</argument><argument>e7d77c7fd962e271813ad1e58c9b62f84fed1fc1</argument><argument>GP-Gateway-COMPANY</argument><argument>USERNAME</argument><argument>COMPANY.COM_AZURE-SAML_Auth-Prof</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>notunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument></argument><argument></argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
2021-09-24 12:38:59.363 INFO  [77505] [GPClient::onGatewaySuccess@373] Gateway login succeeded, got the cookie authcookie=96e9f5e2553d68982662477473fd8571&portal=GP-Gateway-COMPANY&user=USERNAME&domain=%2528empty_domain%2529&preferred-ip=&computer=fedora
2021-09-24 12:38:59.377 INFO  [77505] [GPClient::onVPNLogAvailable@489] Output of `openconnect --version`: OpenConnect version v8.10-6.fc34
Using GnuTLS 3.7.2. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
2021-09-24 12:38:59.377 INFO  [77505] [GPClient::onVPNLogAvailable@489] Start process with arugments: --protocol=gp --os=win -u  -C authcookie=96e9f5e2553d68982662477473fd8571&portal=GP-Gateway-COMPANY&user=USERNAME&domain=%2528empty_domain%2529&preferred-ip=&computer=fedora GATEWAY
2021-09-24 12:38:59.378 INFO  [77505] [GPClient::onVPNLogAvailable@489] Openconnect started successfully, PID=88903
2021-09-24 12:38:59.388 INFO  [77505] [GPClient::onVPNLogAvailable@489] POST https://GATEWAY/ssl-vpn/getconfig.esp
2021-09-24 12:38:59.390 INFO  [77505] [GPClient::onVPNLogAvailable@489] Connected to 10.29.255.65:443
2021-09-24 12:38:59.426 INFO  [77505] [GPClient::onVPNLogAvailable@489] SSL negotiation with GATEWAY
2021-09-24 12:38:59.438 INFO  [77505] [GPClient::onVPNLogAvailable@489] Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
2021-09-24 12:38:59.450 INFO  [77505] [GPClient::onVPNLogAvailable@489] Matching client config not found
Creating SSL connection failed
2021-09-24 12:38:59.451 INFO  [77505] [GPClient::onVPNLogAvailable@489] Openconnect process exited with code 1 and exit status NormalExit

It seems that the SAML authentication works fine, but it fails right after that.
I have noticed that the -u argument is not set in the final openconnect command.
I am able to reproduce the same issue by calling openconnect directly (and filling in the missing username):

$ openconnect --protocol=gp --os=win -u USERNAME -C authcookie='b53fcb4ee75e2d7b7874b999156f4444&portal=GP-Gateway-COMPANY&user=USERNAME&domain=%2528empty_domain%2529&preferred-ip=&computer=fedora' GATEWAY
POST https://globalprotect-mx.murex.com/ssl-vpn/getconfig.esp
Connected to 10.29.255.65:443
SSL negotiation with GATEWAY
Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Matching client config not found
Creating SSL connection failed

I think we are using an MFA authentication process on our Windows laptops.
Do you have any idea what the issue could be?
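The log above shows the gateway answering the login with a JNLP document and the client turning it into the `authcookie=...` string handed to `openconnect -C`. The following is an added example, not code from GlobalProtect-openconnect: it parses that JNLP shape and rebuilds the cookie exactly as it appears in the log, then assembles the openconnect argument list with a guard against the empty `-u` noted above. The argument positions (1 = authcookie, 3 = portal, 4 = user, 7 = domain) are an assumption inferred from the log line, not taken from the project's parser.

```python
"""Rebuild the openconnect cookie from a GlobalProtect gateway login response.

Added example; argument positions are inferred from the issue log, not from
the GlobalProtect-openconnect source.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample mirroring the <jnlp> response quoted in the issue log
# (only the leading arguments are needed for the cookie).
SAMPLE_JNLP = (
    '<?xml version="1.0" encoding="utf-8"?><jnlp><application-desc>'
    "<argument>(null)</argument>"
    "<argument>96e9f5e2553d68982662477473fd8571</argument>"   # 1: authcookie
    "<argument>e7d77c7fd962e271813ad1e58c9b62f84fed1fc1</argument>"
    "<argument>GP-Gateway-COMPANY</argument>"                  # 3: portal
    "<argument>USERNAME</argument>"                            # 4: user
    "<argument>COMPANY.COM_AZURE-SAML_Auth-Prof</argument>"
    "<argument>vsys1</argument>"
    "<argument>%28empty_domain%29</argument>"                  # 7: domain
    "</application-desc></jnlp>"
)

# Assumed positions (from the log line, see lead-in).
ARG_AUTHCOOKIE, ARG_PORTAL, ARG_USER, ARG_DOMAIN = 1, 3, 4, 7


def parse_gateway_response(xml_text):
    """Return the cookie-relevant fields from the gateway's JNLP reply."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    args = [a.text or "" for a in root.iter("argument")]
    if len(args) <= ARG_DOMAIN:
        raise ValueError("unexpected gateway response: too few arguments")
    return {"authcookie": args[ARG_AUTHCOOKIE], "portal": args[ARG_PORTAL],
            "user": args[ARG_USER], "domain": args[ARG_DOMAIN]}


def build_openconnect_cookie(fields, computer):
    """Build the value passed to `openconnect -C`.

    The domain argument is already percent-encoded by the gateway and is
    encoded once more here, which is why the log shows %2528...%2529."""
    return ("authcookie={authcookie}&portal={portal}&user={user}&domain={domain}"
            "&preferred-ip=&computer={computer}").format(
                authcookie=fields["authcookie"], portal=fields["portal"],
                user=fields["user"], domain=quote(fields["domain"], safe=""),
                computer=computer)


def build_openconnect_args(fields, gateway, computer, os_name="win"):
    """Assemble the openconnect argv; refuse to emit an empty `-u`."""
    if not fields["user"]:
        raise ValueError("username missing: refusing to run openconnect with empty -u")
    return ["openconnect", "--protocol=gp", f"--os={os_name}", "-u", fields["user"],
            "-C", build_openconnect_cookie(fields, computer), gateway]
```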

@yuezk
Owner

yuezk commented Sep 24, 2021

@aallrd Try to fill the Custom Parameters with --os=win and set the value of clientos to Windows.


@aallrd
Contributor Author

aallrd commented Sep 24, 2021

I think I had already set these values:
In the above log you can find clientos=Windows and --os=win.
(I re-tried anyway to be sure and got the same output.)

@yuezk
Owner

yuezk commented Sep 24, 2021

A similar issue was reported in #54. You can keep the --os=win parameter while changing Windows to Linux, and try again.

And a related issue in OpenConnect is https://gitlab.com/openconnect/openconnect/-/issues/246

@yuezk
Owner

yuezk commented Sep 24, 2021

You can try to spoof the client, see https://gitlab.com/openconnect/openconnect/-/issues/246#note_582114977

@aallrd
Contributor Author

aallrd commented Sep 24, 2021

Reading some related issues on the openconnect project and also playing with https://github.com/dlenski/gp-saml-gui, I found that the issue is that we are actually not using GlobalProtect as a VPN but as a user-id agent.
The related issue and details can be found here:

@aallrd aallrd closed this as completed Sep 24, 2021
@yuezk yuezk pinned this issue Nov 15, 2021
@yuezk yuezk unpinned this issue Aug 25, 2022