NAS 5G UE to AMF 3GPP TS 24.501

5G NAS - Security Mode Reject

Security Mode Reject is the NAS message the UE sends when it cannot accept the NAS security configuration selected by the AMF in Security Mode Command.

Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.22
Direction	UE to AMF	Message Type	5GMM signaling

Full message name	5G NAS - Security Mode Reject
Protocol	NAS
Technology	5G
Direction	UE to AMF
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message, commonly transported via UL Information Transfer
Typical trigger	Sent after Security Mode Command when the UE cannot accept the selected NAS security context.
Main purpose	Rejects the commanded NAS security activation when the UE cannot apply the selected algorithms, key context, or related security parameters.
Main specification	3GPP TS 24.501, 8.2.22
Release added	Release 15
Procedures where used	5G Initial Registration, Mobility Registration Update, Service handling with failed security activation
Related timers	T3560
Related cause values	5GMM cause

What is Security Mode Reject in simple terms?

Security Mode Reject is the NAS message the UE sends when it cannot accept the NAS security configuration selected by the AMF in Security Mode Command.

Rejects the commanded NAS security activation when the UE cannot apply the selected algorithms, key context, or related security parameters.

Why this message matters

Security Mode Reject means the UE could not accept the NAS security settings chosen by the network.

Where this message appears in the call flow

5G Initial Registration

Call flow position: UE rejection branch after Security Mode Command when NAS security activation cannot be completed.

Typical state: Authentication may have succeeded, but the UE is unable to continue into the selected protected NAS state.

Preconditions:

The UE has received Security Mode Command.
The UE cannot accept the commanded security configuration.

Next likely message: Registration failure handling, status handling, or later retry

Mobility Registration Update

Call flow position: Negative response branch during NAS security establishment or refresh.

Typical state: The update path cannot continue with the current NAS security selection.

Preconditions:

The network attempted to activate or refresh NAS security.

Next likely message: Procedure abort, status handling, or retry

Call flow position

Previous message(s): Security Mode Command, Authentication Response, Authentication Result

Next message(s): 5GMM Status, Registration Reject, Procedure abort or fresh retry

Message direction and transport

Sender and receiver: UE to AMF

Interface: N1

Domain: Core-side mobility management signaling with radio-side NAS transport

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message, commonly transported via UL Information Transfer

Transport / encapsulation: NAS 5GS message carried end-to-end between UE and AMF

Security context: This message appears when NAS security activation fails at the UE side, so it is the key failure branch of the NAS security procedure.

Message Structure Overview

Security Mode Reject is the UE-side negative branch of the NAS security activation procedure.
In troubleshooting, the first useful item is the cause value because it explains why the UE would not enter the selected protected NAS state.

Structure Syntax

This message is not typically analyzed as ASN.1 on the wire. Engineers usually inspect it as a NAS or protocol field decode rather than an ASN.1 tree.

Security Mode Reject follows NAS 24.501 IE structure and is not an ASN.1 message.

Decoded Message Dump

Security Mode Reject
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Security Mode Reject
  5GMM Cause: UE security capabilities mismatch

How to read this dump

The key field is the 5GMM cause because it explains why the UE could not continue the NAS security procedure.
This message should always be correlated with the immediately preceding Security Mode Command.

Important Information Elements

IE	Required	Description
`5GMM cause`	Yes	Explains why the UE rejected the NAS security activation, for example because the security mode was not accepted.

Detailed field explanation

`5GMM cause`

Explains why the UE rejected the NAS security activation, for example because the security mode was not accepted.

Presence: Required

What to check in logs and traces

Confirm the message directly follows Security Mode Command.
Inspect the 5GMM cause value first.
Compare the rejection with the selected algorithms and ngKSI in the earlier command.
Check whether the UE capabilities replayed by the network matched what the UE actually supports.
Correlate the rejection with the later failure behavior such as Registration Reject, status handling, or UE retry.

Common Issues and Troubleshooting

The UE sends Security Mode Reject during registration.

Likely cause: The UE cannot accept the selected NAS security configuration or finds it inconsistent with its capabilities or context.

What to inspect: Check the 5GMM cause, selected algorithms, ngKSI, and replayed UE security capabilities in Security Mode Command.

Next step: Compare the failure against a known-good authentication and security trace and verify core-side security selection logic.

Registration fails immediately after authentication even though authentication looked normal.

Likely cause: The failure is in NAS security activation rather than authentication itself.

What to inspect: Use Security Mode Reject as the branch marker and move analysis backward to Security Mode Command rather than Authentication Request.

Next step: Confirm whether the AMF selected unsupported or inconsistent NAS security parameters.

Detailed explanation

5G NAS - Security Mode Reject Explained

Security Mode Reject is the NAS message the UE sends when it cannot accept the security configuration selected by the network in Security Mode Command. It is the failure branch of the NAS security procedure.

For beginners, the simple meaning is: the UE is telling the network that it cannot use the requested NAS security settings.
For engineers, this message is the clean breakpoint that separates successful authentication from failed NAS security activation.

What is Security Mode Reject in simple terms?

The network told the UE which NAS security settings to use. The UE could not accept those settings, so it sends Security Mode Reject instead of Security Mode Complete.

Why Security Mode Reject matters

This message matters because it tells you that the procedure did not fail in the identity stage or the authentication stage. It failed when the UE tried to activate the selected NAS security configuration.

That makes Security Mode Reject one of the most valuable branch markers in registration troubleshooting.

Where Security Mode Reject appears in the call flow

UE                              gNB / AMF
|<-- Authentication Request -----|
|--- Authentication Response ---->|
|<-- Security Mode Command ------|
|--- Security Mode Reject ------->|
|<-- Registration Reject / abort-|

It most commonly appears in registration or other 5GMM procedures where the network is activating or refreshing NAS security.

Transport characteristics

Direction: UE to AMF
Interface: N1
Transport on access side: commonly via UL Information Transfer
Security expectation: it belongs to the NAS security activation branch, so it should always be read together with the earlier Security Mode Command

What Security Mode Reject means operationally

Operationally, Security Mode Reject tells engineers that the UE refused to move into the selected protected NAS state.

The first useful checks are:

what 5GMM cause the UE reported
what algorithms and key context the network selected
whether the network replayed UE security capabilities correctly

Important Information Elements

IE	Why it matters
`5GMM cause`	Explains why the UE rejected the NAS security activation and is the first field engineers should inspect.

Example message dump

Security Mode Reject
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Security Mode Reject
  5GMM Cause: UE security capabilities mismatch

How to read this dump

Start with the 5GMM Cause.
Then go back to the earlier Security Mode Command and compare the cause with the selected algorithms, ngKSI, and replayed UE capabilities.
After that, follow the later branch to see whether the procedure ends in Registration Reject, status handling, or a retry.

What to check in logs

verify that Security Mode Reject immediately follows Security Mode Command
inspect the 5GMM cause first
compare the reject with the selected NAS algorithms and key context
check for mismatch between actual UE support and replayed UE capabilities
correlate the rejection with the later procedure failure path

FAQ

What does Security Mode Reject do in 5G NAS?

It tells the network that the UE cannot accept the selected NAS security configuration from Security Mode Command.

What usually happens after Security Mode Reject?

The current procedure typically fails, moves into status or reject handling, or must be retried with a fresh context.

Is Security Mode Reject the same as Authentication Failure?

No. Authentication Failure belongs to the authentication challenge stage, while Security Mode Reject belongs to the later NAS security activation stage.

Summary

Security Mode Reject is the NAS message the UE sends when it cannot accept the NAS security configuration selected by the AMF in Security Mode Command.

Advanced Engineer Notes

This message is one of the clearest signs that the failure is not in identity or authentication anymore, but in NAS security activation.
If the rejection cause and the earlier command do not line up, investigate UE capability replay, key set handling, and core security-policy logic.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.