Uplink NR RRC message used by the UE to indicate that the commanded AS security activation could not be completed successfully.
Message Fact Sheet
Protocol
rrc
Network
5g
Spec
3GPP TS 38.331
Spec Section
5.3.4, 6.2.2, Annex B.1
Direction
UE -> gNB
Message Type
Security Control
Full message name
5G NR - Security Mode Failure
Protocol
RRC
Technology
5G
Direction
UE -> gNB
Interface
Uu
Signaling bearer / channel
SRB1 / UL-DCCH
Typical trigger
The UE receives SecurityModeCommand but cannot successfully verify, accept, or complete the requested AS security activation procedure.
Main purpose
Reports failure of the SecurityModeCommand procedure so the network knows the UE did not successfully activate the requested AS security configuration.
Uplink NR RRC message used by the UE to indicate that the commanded AS security activation could not be completed successfully.
Reports failure of the SecurityModeCommand procedure so the network knows the UE did not successfully activate the requested AS security configuration.
Why this message matters
SecurityModeFailure means the UE could not complete the security settings requested by the gNB, so the normal protected RRC procedure cannot continue.
Where this message appears in the call flow
Initial AS Security Activation
Call flow position: UE negative response to SecurityModeCommand when the requested AS security activation cannot be completed.
Typical state: UE is in RRC_CONNECTED but cannot proceed into a healthy protected RRC signaling state.
Preconditions:
SecurityModeCommand was received on SRB1 / DL-DCCH.
The UE could not complete the requested security activation successfully.
Next likely message: Release, recovery, or new access behavior depending on network and UE handling
5G Initial Registration
Call flow position: Failure branch inside the radio-side security activation stage of the wider registration path.
Typical state: The broader registration flow is likely to stop or recover because AS security did not complete successfully.
Preconditions:
Initial access and RRC setup succeeded.
The network initiated AS security activation.
Next likely message: Procedure abort, release, or fresh recovery path rather than normal RRC reconfiguration
Next message(s): Connection release or failure handling, New access or recovery procedure depending on implementation and scenario
Message direction and transport
Sender and receiver: UE -> gNB
Interface: Uu
Domain: Access-side radio control during AS security activation failure handling
Signaling bearer: SRB1
Logical channel: UL-DCCH
Transport / encapsulation: RRC over DCCH on SRB1 during the AS security activation procedure when the UE cannot complete the commanded security setup
Security context: SecurityModeFailure is part of the SecurityModeCommand procedure and indicates that the UE could not complete the requested AS security activation.
Message Structure Overview
SecurityModeFailure is a compact failure-report message. In practice, engineers care most about the fact that the UE explicitly rejected or failed the security activation step.
The main troubleshooting value comes from correlating this message with the preceding SecurityModeCommand and with the immediate recovery or release behavior.
This page covers the NR RRC message from TS 38.331, not NAS-layer security failure handling.
The message is intentionally small. Most of the engineering value comes from correlating it with the preceding command and understanding why the UE could not proceed with AS security activation.
The transaction identifier should match the preceding SecurityModeCommand.
This message means the UE did not complete AS security activation successfully.
After SecurityModeFailure, engineers should inspect release, recovery, or repeated access behavior rather than expecting normal RRC Reconfiguration to continue.
Important Information Elements
IE
Required
Description
rrc-TransactionIdentifier
Yes
Transaction identifier matching the SecurityModeCommand transaction that failed.
criticalExtensions
Yes
Versioned wrapper around the SecurityModeFailure payload and any future-compatible extensions.
failureType
Optional
If present in the decoded view or implementation context, this helps indicate the failure category. Engineers should verify against the exact release and decoder behavior.
lateNonCriticalExtension
Optional
Extension container for later release evolution and compatibility handling.
nonCriticalExtension
Optional
Forward-compatible extension branch for later additions.
Detailed field explanation
rrc-TransactionIdentifier
Transaction identifier matching the SecurityModeCommand transaction that failed.
Presence: Required
In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
criticalExtensions
Versioned wrapper around the SecurityModeFailure payload and any future-compatible extensions.
Presence: Required
In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
failureType
If present in the decoded view or implementation context, this helps indicate the failure category. Engineers should verify against the exact release and decoder behavior.
Presence: Optional
In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
lateNonCriticalExtension
Extension container for later release evolution and compatibility handling.
Presence: Optional
In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
nonCriticalExtension
Forward-compatible extension branch for later additions.
Presence: Optional
In practice: In practice, compare this field with the original request and with any later release-dependent optional fields so you can see whether the network accepted the same service model the UE asked for.
What to check in logs and traces
Confirm the message follows SecurityModeCommand and uses SRB1 / UL-DCCH.
Verify the transaction identifier matches the preceding command.
Check whether the UE also logged integrity verification, algorithm acceptance, or other security activation issues.
Inspect whether the network releases the connection or starts any recovery action immediately afterward.
Correlate with core-side and radio-side traces to determine whether the root problem is algorithm handling, key context, or procedure sequencing.
Common Issues and Troubleshooting
UE sends SecurityModeFailure immediately after SecurityModeCommand.
Likely cause: The UE could not complete the requested AS security activation, often due to integrity verification issues, algorithm mismatch, or inconsistent security context.
What to inspect: Check the selected algorithms, UE security capability assumptions, transaction matching, and any integrity-related UE logs.
Next step: Compare with a successful trace and verify whether the network selected a supported and expected security configuration.
SecurityModeFailure appears and the connection is released.
Likely cause: The network cannot continue protected connected-mode signaling after a failed AS security activation.
What to inspect: Check the immediate release or recovery behavior after the failure.
Next step: Treat the security activation failure as the root event rather than chasing later missing RRC messages.
No SecurityModeComplete appears, only failure handling.
Likely cause: The procedure followed the failure branch instead of the success branch.
What to inspect: Check whether the UE explicitly sent SecurityModeFailure or silently stopped responding.
Next step: Distinguish between explicit failure, silent drop, and trace-loss artifacts.
Engineers expect RRCReconfiguration after SecurityModeFailure.
Likely cause: Normal protected follow-up signaling is usually blocked once AS security activation fails.
What to inspect: Check whether the network aborted or restarted the procedure instead.
Next step: Shift troubleshooting toward recovery behavior rather than normal post-security flow.
LTE / 5G / Variant Comparison
Compared with SecurityModeComplete
SecurityModeComplete is the successful UE confirmation path. SecurityModeFailure is the explicit negative path indicating that AS security activation did not succeed.
FAQ
What does SecurityModeFailure mean in 5G NR?
It means the UE could not successfully complete the AS security activation requested by SecurityModeCommand.
Who sends SecurityModeFailure?
The UE sends SecurityModeFailure to the gNB.
What comes before SecurityModeFailure?
SecurityModeCommand comes immediately before it in the failure branch.
What happens after SecurityModeFailure?
The network usually cannot continue normal protected RRC signaling and may release the connection or trigger recovery handling.
Does SecurityModeFailure explain the full reason in detail?
Usually no. Engineers often need surrounding trace context to understand the real root cause.
How is SecurityModeFailure different from SecurityModeComplete?
SecurityModeComplete confirms success, while SecurityModeFailure is the explicit UE-side failure path.
Decode this message with the 3GPP Decoder, inspect the related message database, or open the matching call flow to see where this signaling step fits in the full procedure.