Home / Call Flows / LTE / Combined EPS / IMSI Attach Procedure

LTE Combined EPS / IMSI Attach Procedure Call Flow

call-flow LTE | EPC | RRC | NAS | S1AP | GTPv2-C | Diameter | SGsAP

LTE Combined EPS / IMSI Attach is the attach path used when the UE needs both EPS registration and legacy CS-domain reachability in the same LTE entry procedure. It combines the normal LTE attach path with SGs association toward the MSC/VLR so the UE can remain reachable for services such as CS fallback and SMS continuity.

This procedure appears when LTE packet service alone is not enough and the network also needs the UE to remain visible to the legacy mobility domain. If the combined branch does not complete cleanly, the UE may still miss expected CS-related behavior even when LTE access and default bearer setup look normal.

Introduction

The LTE Combined EPS / IMSI Attach Procedure establishes EPS registration for the UE while also requesting legacy mobility reachability through the SGs interface. It lets the network authenticate the subscriber, activate NAS security, create the default EPS bearer, and coordinate the CS-side location update with the MSC/VLR.

The procedure starts when the UE sends Attach Request with a combined attach type instead of EPS-only attach. The main nodes are the UE, eNB, MME, SGW, PGW, HSS, and MSC/VLR. The final result determines not only packet-service readiness but also whether the UE has the expected legacy CS reachability for later fallback and SMS-related behavior.

What Is LTE Combined EPS / IMSI Attach in Simple Terms?

What starts the procedure: The UE requests combined EPS and IMSI attach instead of EPS-only attach.
What the UE and network want to achieve: EPS registration, a working default bearer, and legacy CS reachability through SGs association.
What success looks like: The UE receives Attach Accept, returns Attach Complete, and the network completes the SGs-side location update successfully.
What failure means: The procedure stops on access, identity, authentication, security, SGs association, subscription, or bearer setup failure, or it completes only as EPS service without the expected combined legacy outcome.

Why this procedure matters

Combined attach decides whether the UE becomes service-ready for both LTE packet service and legacy CS-reachability behavior. It is one of the key correlation points between LTE attach analysis and later CSFB-related service behavior.

Quick Fact Sheet

Procedure name	LTE Combined EPS / IMSI Attach Procedure
Domain	LTE access, EPC registration, and legacy CS reachability
Main trigger	UE needs EPS service and also requests CS-domain reachability for SMS or CS fallback support
Start state	UE has cell access but no usable combined EPS and legacy mobility registration context
End state	UE is EMM-REGISTERED, ECM-CONNECTED, has a default EPS bearer, and has SGs-based legacy reachability if accepted
Main nodes	UE, eNB, MME, SGW, PGW, HSS, MSC/VLR
Main protocols	RRC, NAS, S1AP, GTPv2-C, Diameter, SGsAP
Main success outcome	EPS attach completes, default bearer is active, and combined CS-domain reachability is available through SGs association
Main failure outcome	Attach is rejected, SGs location update fails, or EPS service completes without the expected combined CS reachability
Most important messages	Attach Request, Authentication Request/Response, Security Mode Command, SGs location update signaling, Attach Accept, Attach Complete
Main specs	TS 23.272, TS 23.401, TS 24.301, TS 29.118, TS 36.300, TS 36.331

LTE Combined EPS IMSI Attach Procedure end-to-end call flow across UE, eNB, MME, SGW, PGW, HSS, and MSC/VLR — Click the diagram to open the full-size in a new tab.

Preconditions

The combined attach path starts cleanly only when the LTE, EPC, and legacy-reachability prerequisites are already in place.

The UE has selected a suitable LTE cell and can start the RRC access leg.
The USIM contains valid subscriber credentials and the subscriber profile allows LTE and the required legacy service behavior.
The serving eNB has working S1 connectivity toward the target MME.
The HSS subscriber profile and authentication data are reachable and consistent.
The default APN or PDN path requested by the UE is allowed for the subscriber and roaming condition.
The MME can reach the target MSC/VLR over SGs if combined CS reachability is expected.

Nodes and Interfaces

Nodes involved

Node	Role in this procedure
UE	Starts combined attach, requests both EPS and legacy mobility reachability, completes NAS security, and confirms the default bearer.
eNB	Provides LTE radio access and forwards the NAS signaling between UE and MME.
MME	Controls the attach, coordinates HSS and SGW or PGW interaction, and also creates the SGs association toward MSC/VLR.
SGW	Participates in default bearer session creation and user-plane tunnel setup.
PGW	Allocates PDN session context, APN handling, and IP address information for the default bearer.
HSS	Provides subscriber profile and authentication vectors and confirms whether the subscriber can use the requested services.
MSC/VLR	Handles the legacy CS-side location update over SGs so the UE can remain reachable for CSFB and SMS-related continuity.

Interfaces used

Interface	Endpoints	Role
LTE Uu	UE <-> eNB	Carries the RRC access leg and the embedded NAS attach signaling.
S1-MME	eNB <-> MME	Carries S1AP and NAS transport between radio access and the core control plane.
S11	MME <-> SGW	Carries GTPv2-C Create Session signaling for the default EPS bearer path.
S5/S8	SGW <-> PGW	Carries EPC session signaling toward the PDN side.
S6a	MME <-> HSS	Carries subscriber update and authentication vector handling over Diameter.
SGs	MME <-> MSC/VLR	Carries SGsAP location update signaling for combined EPS and IMSI attach behavior.
S1-U	eNB <-> SGW	Carries the user-plane path after the default bearer becomes active.

End-to-End Call Flow

UE               eNB               MME               SGW               PGW               HSS            MSC/VLR
|                 |                 |                 |                 |                 |                 |
|--RRC Conn Req-->|                 |                 |                 |                 |                 |
|<-RRC Conn Setup-|                 |                 |                 |                 |                 |
|--RRC Setup Complete + Combined Attach Req + PDN Conn Req----------->|                 |                 |
|                 |--Initial UE signaling----------------------------->|                 |                 |
|                 |                 |----ULR / auth------------------->|--------------------------------->|
|                 |                 |<---ULA / vecs--------------------|<---------------------------------|
|<--Identity Req--|<--------------- |                 |                 |                 |                 |
|--Identity Resp->|---------------> |                 |                 |                 |                 |
|<--Auth Req------|<--------------- |                 |                 |                 |                 |
|--Auth Resp----->|---------------> |                 |                 |                 |                 |
|<--Security Mode Command-----------|                 |                 |                 |                 |
|--Security Mode Complete---------->|                 |                 |                 |                 |
|                 |                 |--Create Session Req------------->|----------------> |                 |
|                 |                 |<--Create Session Resp------------|<---------------- |                 |
|                 |                 |----------------SGs Location Update------------------------------->|
|                 |                 |<---------------SGs Location Ack-----------------------------------|
|                 |<-Initial Context Setup Req + Attach Accept + Default Bearer Req--------------------|
|<--RRC Reconfiguration-------------|                 |                 |                 |                 |
|--RRC Reconfiguration Complete---->|                 |                 |                 |                 |
|--Attach Complete + Default Bearer Accept---------->|                 |                 |                 |
|                 |--uplink NAS--------------------->|                 |                 |                 |

Major Phases

1. Access and combined attach start

The UE creates an RRC signaling path and sends Attach Request with a combined EPS and IMSI attach type, usually together with PDN Connectivity Request.

2. Identity and subscriber validation

The MME resolves the subscriber identity if needed and obtains subscriber profile data and authentication vectors from the HSS.

3. Authentication and NAS security

The UE is authenticated, then NAS integrity and ciphering are activated before the procedure can continue safely.

4. EPC session creation

The MME creates the default EPS bearer path through SGW and PGW so packet service can become available.

5. SGs association and legacy reachability setup

The MME performs the SGs-side location update with the MSC/VLR so the UE can remain reachable for CS fallback and SMS-related legacy services.

6. Accept delivery and radio context setup

The MME sends the attach result, default bearer activation, and initial context setup toward the eNB and UE.

7. Completion

The UE returns Attach Complete and confirms the default bearer, closing the EPS side of the transaction.

Step-by-Step Breakdown

RRC access establishment

Sender -> receiver: UE -> eNB

Message(s): RRC Connection Request, RRC Connection Setup, RRC Connection Setup Complete

Purpose: Create the dedicated signaling path used to deliver the first NAS message toward the MME.

State or context change: UE moves from idle access into active RRC signaling.

Note: If this leg is unstable, the later combined attach behavior will look incomplete even when the EPC side is healthy.

Combined attach start

Sender -> receiver: UE -> eNB -> MME

Message(s): Attach Request with combined EPS / IMSI attach type, often with PDN Connectivity Request

Purpose: Request EPS registration and legacy CS reachability in the same attach transaction.

State or context change: MME creates early UE context and identifies the flow as a combined attach rather than EPS-only attach.

Note: The attach type is the first field to verify. If it is not a combined attach type, the SGs-side continuation should not be expected.

Identity and HSS handling

Sender -> receiver: MME <-> HSS and MME -> UE -> MME

Message(s): Update Location, authentication vector retrieval, and optional Identity Request / Identity Response

Purpose: Resolve the subscriber identity and obtain the profile data needed for combined service handling.

State or context change: MME now has subscriber identity, authentication material, and service profile context.

Note: Identity and subscription mismatches are a common reason why the procedure looks normal on RRC but stops before any combined-service result appears.

Authentication and NAS security activation

Sender -> receiver: MME -> UE -> MME

Message(s): Authentication Request, Authentication Response, Security Mode Command, Security Mode Complete

Purpose: Authenticate the UE and protect the remaining NAS exchange.

State or context change: A valid NAS security context is active for the rest of the procedure.

Note: Combined attach does not change the basic EPS AKA and NAS security sequence. The added complexity appears later with SGs association and legacy reachability handling.

Session and default bearer creation

Sender -> receiver: MME -> SGW -> PGW -> SGW -> MME

Message(s): Create Session Request and Create Session Response

Purpose: Create the initial PDN session and default EPS bearer for packet service.

State or context change: The EPC has a usable session context for data connectivity.

Note: Combined attach can still fail as a data service flow if APN or subscription handling breaks here, even when the legacy part is configured correctly.

SGs location update toward MSC/VLR

Sender -> receiver: MME <-> MSC/VLR

Message(s): SGsAP Location Update Request and response handling

Purpose: Create or refresh the SGs association so the UE is reachable for CS fallback and SMS continuity.

State or context change: Legacy CS-side reachability is either accepted, limited, or rejected.

Note: This is the step that separates combined attach from normal EPS attach. If SGs association fails, the network may reject the combined request or allow EPS service without the expected CS-domain reachability.

Attach result delivery and radio context setup

Sender -> receiver: MME -> eNB -> UE

Message(s): Initial Context Setup Request, Attach Accept, Activate Default EPS Bearer Context Request, and RRC Connection Reconfiguration

Purpose: Deliver the attach outcome and apply the radio-side context needed for the default bearer.

State or context change: UE receives the combined attach result, mobility identity, timer context, and bearer parameters.

Note: Look closely at the attach result and cause values if the UE gets packet service but not the expected combined legacy behavior.

Completion toward the MME

Sender -> receiver: UE -> eNB -> MME

Message(s): RRC Connection Reconfiguration Complete, Attach Complete, Activate Default EPS Bearer Context Accept

Purpose: Confirm that the UE accepted the attach result and the default bearer configuration.

State or context change: EPS attach is complete and the UE is ready for packet service and, if accepted, SGs-based legacy reachability.

Note: If Attach Complete is present but combined service is still missing, the remaining check is usually on the SGs-side result rather than the basic EPS path.

Important Messages

Message	Protocol	Sender -> Receiver	Purpose in this procedure	What to inspect briefly
RRC Connection Request	RRC	UE -> eNB	Starts the radio-access leg for combined attach.	Establishment cause, retry pattern, and whether radio access looks healthy.
RRC Connection Setup Complete	RRC	UE -> eNB	Carries the first NAS payload toward the EPC.	Dedicated NAS container and whether the attach transaction starts on the first attempt.
Attach Request	NAS	UE -> MME	Starts the combined EPS and IMSI attach transaction.	Attach type, old GUTI or IMSI use, NAS capability, and embedded ESM container.
PDN Connectivity Request	NAS	UE -> MME	Requests the PDN session that will become the default bearer.	APN, PDN type, and protocol configuration options.
Identity Request	NAS	MME -> UE	Requests stronger subscriber identity when needed.	Identity type requested and whether the request matches the context.
Identity Response	NAS	UE -> MME	Returns the requested identity.	IMSI or IMEI content and consistency with the subscriber profile.
Authentication Request	NAS	MME -> UE	Starts EPS AKA authentication.	RAND, AUTN, and whether the request follows the expected HSS path.
Authentication Response	NAS	UE -> MME	Returns the AKA response used for attach continuation.	RES timing and whether a failure branch appears instead.
Security Mode Command	NAS	MME -> UE	Activates protected NAS signaling.	Selected integrity and ciphering algorithms and capability agreement.
Security Mode Complete	NAS	UE -> MME	Confirms NAS security activation.	Protected delivery and continuity with the selected KSI.
SGsAP Location Update Request	SGsAP	MME -> MSC/VLR	Requests legacy CS-side location update for combined attach.	Location update result, VLR handling, and any CS-reachability limitation.
Attach Accept	NAS	MME -> UE	Returns the attach result and mobility parameters.	Attach result, assigned GUTI, TAI list, timers, and any indication tied to the combined outcome.
Activate Default EPS Bearer Context Request	NAS	MME -> UE	Activates the default bearer that goes with the initial PDN connection.	EBI, APN, PDN address, QoS, and protocol configuration.
Attach Complete	NAS	UE -> MME	Confirms the UE accepted the attach result.	Timing, completion continuity, and whether the EPS side closes cleanly.
Activate Default EPS Bearer Context Accept	NAS	UE -> MME	Confirms the UE accepted the default bearer.	EBI match and whether the bearer side closes without delay.

Important Parameters to Inspect

Item	What it is	Where it appears	Why it matters	Common issues
Attach type	The NAS attach type showing whether the UE is requesting combined EPS and IMSI attach.	Attach Request	This field tells you whether SGs-side continuation should exist at all.	Wrong attach type, EPS-only attach when combined behavior was expected, test UE configuration mismatch.
IMSI / GUTI / S-TMSI	The identity used to start and continue the attach.	Attach Request, Identity Response, Attach Accept	Identity form affects how quickly the MME can resolve the subscriber and continue the procedure.	Stale GUTI, identity mismatch across traces, unexpected IMSI exposure.
LAI / TAI / TAC	Legacy and EPS location context tied to the combined registration outcome.	Attach signaling, SGs handling, Attach Accept	Combined attach depends on both EPS-side and legacy reachability context.	Unexpected location area mapping, TAC mismatch, SGs location update inconsistency.
APN and PDN type	The packet data context requested during attach.	PDN Connectivity Request, Create Session, default bearer activation	The combined flow still needs successful packet-service setup to complete normally.	Unknown APN, blocked APN, unsupported IPv4 or IPv6 combination.
EPS Bearer ID / E-RAB ID	The bearer identifiers used across EPC and eNB context setup.	Attach Accept, bearer activation, Initial Context Setup	These fields tie control-plane acceptance to usable radio and user-plane setup.	EBI mismatch, failed E-RAB setup, missing bearer accept.
MME UE S1AP ID / eNB UE S1AP ID	Control-plane correlation keys on S1-MME.	Initial UE Message, NAS transport, Initial Context Setup	They are needed to align the same UE across LTE Uu and S1-MME traces.	Trace merge confusion, ID reuse assumptions, missing correlation.
NAS KSI and selected algorithms	Security context reference and chosen NAS protection algorithms.	Attach Request, Security Mode Command, Security Mode Complete	These show whether the protected part of the attach is consistent.	Stale KSI, unsupported algorithm selection, integrity mismatch.
SGs association result	The outcome of the MME to MSC/VLR location update for combined service.	SGsAP location update handling and final attach outcome	This explains whether CS fallback and related legacy reachability were actually granted.	MSC temporarily not reachable, SGs association failure, EPS-only service after combined request.

Successful Completion

A successful combined attach ends with a UE that is EMM-REGISTERED, has a valid NAS security context, and has an active default EPS bearer for packet service.

In the combined case, success also means the MME completed the SGs-side location update so the UE has the expected legacy CS reachability toward the MSC/VLR. In practical traces, the main checks are Attach Accept, Attach Complete, and a clean SGs location update outcome.

After that, the UE can use LTE packet service and can continue into later CS fallback or SMS-related behavior if the network policy and subscriber profile allow it.

Common Failures and Troubleshooting

Combined attach request falls back to normal EPS handling unexpectedly

Likely cause: UE sent the wrong attach type or the network did not accept the combined request as expected.

Where to inspect: Attach Request content and final Attach Accept result.

Relevant message(s): Attach Request, Attach Accept

Relevant interface(s): NAS

Likely next step: Confirm the attach type first, then confirm whether the network returned a limited or altered service outcome.

Attach Reject after subscriber validation

Likely cause: Subscription policy, roaming restriction, or combined-service limitation prevented continuation.

Where to inspect: Reject cause, subscriber profile, and HSS response context.

Relevant message(s): Attach Reject

Relevant interface(s): NAS, S6a

Likely next step: Use the EMM cause value to decide whether the problem is EPS access, roaming policy, or combined CS-side limitation.

Authentication or Security Mode does not complete

Likely cause: AKA mismatch, stale context, or NAS security capability mismatch.

Where to inspect: Authentication exchange, Security Mode exchange, and selected KSI.

Relevant message(s): Authentication Request, Authentication Response, Security Mode Command, Security Mode Complete

Relevant interface(s): NAS, S6a

Likely next step: Treat this as a core EPS attach failure before analyzing the SGs side.

EPS bearer is created but CS reachability is missing

Likely cause: SGs location update failed or MSC/VLR was not reachable even though EPS attach continued.

Where to inspect: SGs signaling result, Attach Accept outcome, and later CSFB or SMS behavior.

Relevant message(s): SGsAP Location Update Request, Attach Accept

Relevant interface(s): SGs, NAS

Likely next step: Check whether the combined attach was partially accepted or whether the network returned a cause tied to legacy reachability.

Attach looks successful but SMS or CSFB still fails later

Likely cause: The UE reached EPS service but the SGs association is incomplete, missing, or inconsistent.

Where to inspect: SGs association state, MSC/VLR response, and later paging or fallback attempts.

Relevant message(s): Attach Accept, Attach Complete

Relevant interface(s): SGs, NAS

Likely next step: Correlate the combined attach result with later SGs-driven service behavior instead of assuming the attach itself was fully complete.

Attach Complete missing at the MME

Likely cause: UE did not apply the final accept, uplink NAS relay failed, or the procedure timed out after accept delivery.

Where to inspect: RRC completion, uplink NAS transport, and MME timer behavior.

Relevant message(s): Attach Accept, Attach Complete, Activate Default EPS Bearer Context Accept

Relevant interface(s): LTE Uu, S1-MME

Likely next step: Confirm whether the UE completed the radio leg and whether the final NAS uplink was lost before declaring a service-profile issue.

What to Check in Logs and Traces

Confirm the first NAS message really carries a combined attach type and not an EPS-only attach request.
Decode Attach Request early and inspect identity form, attach type, NAS capability, and embedded PDN Connectivity Request.
Correlate the subscriber branch across Identity, Authentication, and Security Mode before moving to SGs-side analysis.
Check S6a handling to confirm subscriber data and vectors arrived as expected.
Check S11 and S5/S8 Create Session results to confirm the default EPS bearer path is healthy.
Inspect the SGs location update result to confirm whether CS-domain reachability was granted, limited, or failed.
Confirm the UE returns Attach Complete and Activate Default EPS Bearer Context Accept within the expected timer window.
Use the final attach result and any EMM cause information to explain later CSFB or SMS behavior instead of assuming the combined path succeeded fully.

Related sub-procedures

LTE Attach Procedure for the EPS-only baseline attach path.
LTE Security Mode Procedure for the protected NAS activation step inside attach.
LTE CSFB overview for the later legacy service behavior that depends on combined reachability.

Related message reference pages

Related troubleshooting pages

LTE EMM cause reference for reject and limitation causes such as legacy reachability failures.
LTE NAS EMM and ECM states for the resulting EPS state view after attach.
3GPP Decoder for field-level inspection across RRC and NAS messages.

Notes

Combined attach adds legacy CS reachability to the normal LTE attach path. The EPS side still needs identity resolution, authentication, NAS security, and default bearer setup, but the combined result is not complete until the SGs-side location update outcome is also understood.

The attach type is the fastest way to tell whether the trace should contain SGs-side continuation.
An apparently healthy LTE attach can still lead to later CSFB or SMS failure if the SGs association was not created successfully.
When the combined request is rejected or limited, the most useful clue is often the final cause or legacy-reachability result rather than the bearer setup details.
Use the plain LTE attach page as the baseline when deciding which parts of the trace are common EPS behavior and which parts are specific to combined attach.

FAQ

What is LTE Combined EPS / IMSI Attach?

It is an attach procedure where the UE asks for both EPS registration and legacy CS-domain reachability in the same LTE signaling flow.

How is combined attach different from normal LTE attach?

Normal attach focuses on EPS registration and packet service. Combined attach adds SGs-side handling so the UE can remain reachable for CS fallback and related legacy services.

Which nodes are added compared with normal attach?

The main extra node is the MSC/VLR, reached from the MME over the SGs interface.

Does combined attach still create a default EPS bearer?

Yes. The EPC session and default bearer creation are still part of the main success path.

What message tells the network this is a combined attach?

The attach type in Attach Request is the main indicator.

What happens if MSC/VLR is not reachable?

The network may reject the combined request or allow EPS service without the expected legacy CS reachability, depending on policy and the exact failure branch.

Is combined attach required for CS fallback?

It is a common prerequisite for legacy CS reachability through SGs, especially when later CSFB-related continuity is expected.

Can the UE complete attach but still fail later for SMS or CSFB?

Yes. EPS attach can look clean while the SGs association is incomplete or unusable for later legacy service behavior.

What should I inspect first in a failed combined attach?

Start with Attach Request attach type, then check identity, authentication, security, default bearer creation, and finally the SGs location update result.

Which specs matter most?

TS 23.272 covers CS fallback and SGs behavior, TS 23.401 and TS 24.301 cover EPS procedure and NAS handling, TS 29.118 covers SGsAP, and TS 36.300 or TS 36.331 cover the LTE access side.