5G NAS - Security Mode Reject

Message Fact Sheet

Protocol	nas	Network	5g
Spec	3GPP TS 24.501	Spec Section	8.2.22
Direction	UE to AMF	Message Type	5GMM signaling

Full message name	5G NAS - Security Mode Reject
Protocol	NAS
Technology	5G
Direction	UE to AMF
Interface	N1
Signaling bearer / channel	NAS signaling / Dedicated NAS message, commonly transported via UL Information Transfer
Typical trigger	Sent after Security Mode Command when the UE cannot accept the selected NAS security context.
Main purpose	Rejects the commanded NAS security activation when the UE cannot apply the selected algorithms, key context, or related security parameters.
Main specification	3GPP TS 24.501, 8.2.22
Release added	Release 15
Procedures where used	5G Initial Registration, Mobility Registration Update, Service handling with failed security activation
Related timers	T3560
Related cause values	5GMM cause

What is Security Mode Reject in simple terms?

Security Mode Reject is the NAS message the UE sends when it cannot accept the NAS security configuration selected by the AMF in Security Mode Command.

Rejects the commanded NAS security activation when the UE cannot apply the selected algorithms, key context, or related security parameters.

Why this message matters

Security Mode Reject means the UE could not accept the NAS security settings chosen by the network.

Where this message appears in the call flow

5G Initial Registration

Call flow position: UE rejection branch after Security Mode Command when NAS security activation cannot be completed.

Typical state: Authentication may have succeeded, but the UE is unable to continue into the selected protected NAS state.

Preconditions:

The UE has received Security Mode Command.
The UE cannot accept the commanded security configuration.

Next likely message: Registration failure handling, status handling, or later retry

Mobility Registration Update

Call flow position: Negative response branch during NAS security establishment or refresh.

Typical state: The update path cannot continue with the current NAS security selection.

Preconditions:

The network attempted to activate or refresh NAS security.

Next likely message: Procedure abort, status handling, or retry

Call flow position

Previous message(s): Security Mode Command, Authentication Response, Authentication Result

Next message(s): 5GMM Status, Registration Reject, Procedure abort or fresh retry

Message direction and transport

Sender and receiver: UE to AMF

Interface: N1

Domain: Core-side mobility management signaling with radio-side NAS transport

Signaling bearer: NAS signaling

Logical channel: Dedicated NAS message, commonly transported via UL Information Transfer

Transport / encapsulation: NAS 5GS message carried end-to-end between UE and AMF

Security context: This message appears when NAS security activation fails at the UE side, so it is the key failure branch of the NAS security procedure.

Message Structure Overview

Security Mode Reject is the UE-side negative branch of the NAS security activation procedure.
In troubleshooting, the first useful item is the cause value because it explains why the UE would not enter the selected protected NAS state.

ASN.1 Message Syntax for 5G NAS - Security Mode Reject

This message is not typically analyzed as ASN.1 on the wire. It is usually read as a NAS or protocol field structure instead.

Security Mode Reject follows NAS 24.501 IE structure and is not an ASN.1 message.

5G NAS - Security Mode Reject - Example Dump

Security Mode Reject
  Extended Protocol Discriminator: 5G Mobility Management
  Security Header Type: Plain NAS
  Message Type: Security Mode Reject
  5GMM Cause: UE security capabilities mismatch

How to read this dump

The key field is the 5GMM cause because it explains why the UE could not continue the NAS security procedure.
This message should always be correlated with the immediately preceding Security Mode Command.

Important Information Elements

IE	Required	Description
`5GMM cause`	Yes	Explains why the UE rejected the NAS security activation, for example because the security mode was not accepted.

Detailed field explanation

`5GMM cause`

Explains why the UE rejected the NAS security activation, for example because the security mode was not accepted.

Presence: Required

In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.

What to check in logs and traces

Confirm the message directly follows Security Mode Command.
Inspect the 5GMM cause value first.
Compare the rejection with the selected algorithms and ngKSI in the earlier command.
Check whether the UE capabilities replayed by the network matched what the UE actually supports.
Correlate the rejection with the later failure behavior such as Registration Reject, status handling, or UE retry.

Common Issues and Troubleshooting

The UE sends Security Mode Reject during registration.

Likely cause: The UE cannot accept the selected NAS security configuration or finds it inconsistent with its capabilities or context.

What to inspect: Check the 5GMM cause, selected algorithms, ngKSI, and replayed UE security capabilities in Security Mode Command.

Next step: Compare the failure against a known-good authentication and security trace and verify core-side security selection logic.

Registration fails immediately after authentication even though authentication looked normal.

Likely cause: The failure is in NAS security activation rather than authentication itself.

What to inspect: Use Security Mode Reject as the branch marker and move analysis backward to Security Mode Command rather than Authentication Request.

Next step: Confirm whether the AMF selected unsupported or inconsistent NAS security parameters.

FAQ

What does Security Mode Reject do in 5G NAS?

It tells the network that the UE cannot accept the selected NAS security configuration from Security Mode Command.

What usually happens after Security Mode Reject?

The current procedure typically fails, moves into status or reject handling, or must be retried with a fresh context.

Is Security Mode Reject the same as Authentication Failure?

No. Authentication Failure belongs to the authentication challenge stage, while Security Mode Reject belongs to the later NAS security activation stage.

Related message pages

Related Procedures

Related Tools

Use This Reference in Practice

Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.