5G Registration Failure Troubleshooting
5G registration failures can happen before NAS registration starts, during the first NAS transfer, during identity and authentication handling, during security mode control, or when the AMF explicitly rejects the registration attempt. This page is designed as a fault-isolation guide rather than a protocol overview.
It starts at the radio-access edge, follows the first NAS message into NGAP and the AMF, and then maps Registration Reject and related failure behavior into practical troubleshooting steps, trace checkpoints, and root-cause buckets.
Registration Failure Ladder
Always identify the first hard failure stage before decoding reject causes or blaming the core.
Step 1: Cell access and barring
- SIB1 broadcast and access conditions
- UAC barring checks
- Cell barred and access-category issues
- Access failure before any NAS message exists
Step 2: RRC connection establishment
- RRCSetupRequest
- Establishment cause selection
- RRCSetup
- RRCReject and waitTime
Step 3: First NAS transfer to the core
- RRCSetupComplete with dedicatedNAS-Message
- NGAP Initial UE Message
- AMF selection and routing issues
Step 4: NAS registration procedure
- Registration Request
- UE identity handling
- AMF context lookup and identity derivation
- Authentication and Security Mode Control
Step 5: Registration outcome
- Registration Accept
- Registration Reject
- Retry, backoff, and upper-layer behavior
Call Flows
Use these simplified ladders to separate access-side failure, N2 handoff failure, and a normal registration path before you go deeper into cause decoding.
End-to-end registration path
Failure branch before NAS exists
Failure branch at the RRC-to-AMF handoff
Symptoms and Fast Triage
Use the symptom first, then map it to the right failure domain.
UE never leaves access attempt state
- barring or cell access issue
- RRCSetupRequest not accepted
- RRCReject and wait-time loop
RRC succeeds but no registration result is seen
- dedicated NAS not carried correctly
- Initial UE Message not reaching the AMF
- AMF selection, SCTP, or NGAP handling issue
Authentication starts and then fails
- subscriber identity issue
- authentication vector or AUSF issue
- SQN sync problem
- security capabilities mismatch
Explicit Registration Reject is received
- subscription restriction
- TA, PLMN, or roaming problem
- slice admission issue
- serving-network authorization issue
- congestion or policy-based denial
Access-Side Failures Before NAS Starts
Do not start with Registration Reject analysis until you confirm whether the UE actually got past SIB1, UAC, and early RRC handling.
SIB1 and UAC checks
- Check
SIB1broadcast availability. - Check
uac-BarringInfo. - Verify access category and establishment-cause mapping.
- Confirm the cell is suitable before blaming NAS or core behavior.
RRCReject analysis
- Confirm whether
RRCRejectis sent. - Capture
waitTime. - Distinguish overload or barring style reject from deeper 5GC failure.
Example: UAC barring or access rejected
Observed behavior - UE camps on NR cell - repeated access attempts - no NAS Registration Request visible in core trace RAN-side clues - SIB1 includes uac-BarringInfo - RRCSetupRequest seen - RRCReject returned with waitTime Interpretation - failure occurs before NAS registration reaches AMF - troubleshoot access category, barring policy, and cell access setup first
Example: Wrong or unexpected establishment cause
Observed behavior - RRCSetupRequest exists - establishmentCause is not aligned with service intent - network applies access control or prioritization unexpectedly Interpretation - check upper-layer trigger - verify mapping between service request type and RRC establishment cause - confirm whether access class handling is causing denial before NAS starts
RRC and NGAP Checkpoints
Treat RRCSetupComplete and Initial UE Message as the handoff checkpoints between radio and core.
RRCSetupComplete checkpoint
- Verify
dedicatedNAS-Messageis present. - Verify selected PLMN and optional NSSAI context if used.
- Confirm the NAS PDU actually leaves the UE side.
NGAP Initial UE Message checkpoint
- Verify the RAN UE NGAP ID field.
- Verify the NAS-PDU field.
- Verify the User Location Information field.
- Verify the RRC Establishment Cause field.
- Confirm gNB-to-AMF path and SCTP health.
Example: NAS leaves RRC but dies before AMF processing
Observed behavior - RRCSetupComplete present with dedicated NAS - no successful AMF-side registration procedure - Initial UE Message missing or malformed on N2 NGAP checks - RAN UE NGAP ID present - NAS-PDU present - User Location Information present - RRC Establishment Cause present Interpretation - isolate N2, AMF selection, and NGAP handling before analyzing NAS reject causes
NAS Registration Failure Domains
Only move here after you confirm the first NAS transfer and AMF entry path are real.
UE identity and context problems
- SUCI, 5G-GUTI, or additional GUTI handling
- UE identity cannot be derived by network
- illegal UE or illegal ME style rejection paths
Authentication problems
- authentication request and response mismatch
- synch failure behavior
- home-network or authentication-vector issues
Security mode problems
- security mode not accepted
- UE security capabilities mismatch
- NAS security context inconsistency
Subscription and mobility restrictions
- PLMN not allowed
- tracking area not allowed
- roaming not allowed in this tracking area
- no suitable cells in tracking area
- N1 mode not allowed
- serving network not authorized
Slice and policy restrictions
- no network slices available
- requested NSSAI or slice policy mismatch
- slice-related denial that surfaces as Registration Reject
Registration Reject Cause Decoder
Decode 5GMM causes only after you identify the first hard failure stage.
| 5GMM cause | Meaning |
|---|---|
| #3 | Illegal UE |
| #7 | 5GS services not allowed |
| #9 | UE identity cannot be derived by the network |
| #11 | PLMN not allowed |
| #12 | Tracking area not allowed |
| #13 | Roaming not allowed in this tracking area |
| #15 | No suitable cells in tracking area |
| #21 | Synch failure |
| #22 | Congestion |
| #23 | UE security capabilities mismatch |
| #27 | N1 mode not allowed |
| #62 | No network slices available |
| #73 | Serving network not authorized |
Registration Reject Examples
Use example outcomes to avoid mixing area, authentication, and slice problems together.
Example: Tracking area restriction
Observed NAS outcome - REGISTRATION REJECT - 5GMM cause #12 or #15 Interpretation - #12 means the UE is not allowed in the tracking area and should not just keep searching the same PLMN or area blindly - #15 points to no suitable cells in the tracking area and is handled differently by the UE Operator checks - TAI and TAC planning - UE subscription area restrictions - neighbor and reselection design - roaming and regional-service policies
Example: Authentication or security failure
Observed NAS outcome - authentication fails repeatedly - UE sends AUTHENTICATION FAILURE with cause #21 or - UE sends SECURITY MODE REJECT with cause #23 Interpretation - #21 points to synchronization failure in AKA handling - #23 points to UE security capability mismatch during security mode control Operator checks - AUSF, UDM, and auth vector generation - USIM state and SQN handling - replayed or altered UE security capability values
Example: Slice-based registration denial
Observed NAS outcome - REGISTRATION REJECT - 5GMM cause #62 Interpretation - registration is blocked by slice availability or slice authorization context, not by pure radio access Operator checks - allowed NSSAI versus requested NSSAI - slice admission and policy data - AMF slice support and area-level slice availability
Practical Troubleshooting Workflow
Keep the investigation grounded in the first failing stage, then correlate across layers.
1. Confirm failure stage
- before RRC
- after RRC but before NGAP handoff
- after Initial UE Message
- during authentication or security
- explicit Registration Reject
2. Correlate the same attempt across layers
- UE or modem time
- gNB RRC trace
- N2 or NGAP trace
- AMF, AUSF, or UDM logs
3. Decode the first hard failure
- first reject
- first timeout
- first malformed or missing message
- first wrong identity, security, area, or slice indicator
4. Validate configuration and subscription
- PLMN, TAC, and TAI
- slice policy
- roaming policy
- UE security capabilities
- SIM or USIM state
- AMF reachability and selection
Trace and Log Checklist
Collect evidence from the same registration attempt before escalation.
UE or modem side
- access attempts
- RRC reject wait time
- Registration Request and Reject cause
- authentication and security mode result
gNB side
- SIB1 and access control
- RRCSetupRequest, RRCReject, RRCSetupComplete
- Initial UE Message content
- SCTP and AMF routing
Core side
- AMF registration procedure start
- identity derivation
- AUSF and UDM interactions
- security mode control
- Registration Reject cause and decision reason
Evidence Package for Escalation
Escalation should carry a clean failure stage, the first failing message, and the minimum identifiers needed to correlate the attempt.
Minimum trace set
- UE log with timestamps
- gNB RRC and NGAP trace
- AMF logs for the same attempt
- authentication logs if relevant
Minimum identifiers
- SUPI or masked identity
- 5G-GUTI if present
- cell, gNB, TAC, and TAI
- AMF name or GUAMI
- requested NSSAI if relevant
Minimum failure summary
- exact failure stage
- first failing message
- exact cause code or timeout
- whether problem is reproducible
- whether it affects one UE, one TAC, one slice, or the whole AMF area
Specification Map
FAQ
Why does 5G registration fail before any NAS message is seen?
That usually means the failure is still in cell access, barring, or RRC connection setup. Confirm SIB1 availability, UAC barring, RRCSetupRequest handling, and whether an RRCReject with waitTime is looping the UE before you analyze AMF or NAS behavior.
What does RRCReject with waitTime usually mean for troubleshooting?
It points to a rejection at the radio-access stage rather than a later NAS reject from the AMF. Treat it as an access-control, overload, or early RRC handling problem first, then only move deeper if RRCSetupComplete and the dedicated NAS message actually happen.
What should I check if RRC succeeds but registration never starts in AMF?
Use RRCSetupComplete and NGAP Initial UE Message as the handoff checkpoints. Verify dedicatedNAS-Message in RRCSetupComplete, then verify RAN UE NGAP ID, NAS-PDU, User Location Information, and RRC Establishment Cause in Initial UE Message, along with SCTP and AMF routing health.
How do I isolate authentication failure from security mode failure?
Authentication failure happens earlier and often shows up as missing or failed AKA progression, AUTHENTICATION FAILURE, or synch failure. Security mode failure happens after authentication has progressed and often surfaces as SECURITY MODE REJECT, security-capabilities mismatch, or NAS security context inconsistency.
What is the difference between causes #12, #13, and #15?
#12 is tracking area not allowed, #13 is roaming not allowed in this tracking area, and #15 means no suitable cells in the tracking area. They look similar at first glance, but they point toward different policy, mobility-area, and reselection follow-up checks.
When does cause #62 usually point to slice or policy problems?
Cause #62 usually means registration is being denied because no network slices are available or the requested slice context is not admitted in that area or for that subscription. Treat it as a slice or policy path before blaming pure RF access.